Setup:
L2TP VPN Server on a Windows Server 2008 machine which is behind a router, which is behind a modem/router.
Modem/Router (IP: 192.168.2.1, Subnet: 255.255.255.0, DHCP serves 192.168.2.2 to router)
----|_ Router (IP: 192.168.2.2, Subnet: 255.255.255.0, Sub LAN IP: 192.168.0.1, Sub LAN Subnet: 255.255.255.128, DHCP serves 192.168.0.* to computers)
------------|_ Windows Server 2008 (IP: 192.168.0.3, Subnet: 255.255.255.128, serves VPN IP address from pool...192.168.0.130 - 192.168.0.140)
The router sets WS2008 as the primary DNS; WS2008 forwards queries back to the router for failures. See this post for clarification.
I can connect to the VPN just fine; this is the result of ipconfig:
PPP adapter Work VPN:

   Connection-specific DNS Suffix  . : ss
   Description . . . . . . . . . . . : Work VPN
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.130(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.0.3
                                       192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
The odd thing is what happens when I look at the gateway for the VPN connection. It's set to 192.168.0.129. I'm new to routing, so I don't know what is good/bad when looking at the results of route print. I put XXX.XXX.XXX.XXX in place of my public IP.
===========================================================================
Interface List
 24...........................Work VPN
 16...00 02 76 09 4b b7 ......Bluetooth Device (Personal Area Network)
 14...f4 6d 04 d2 59 74 ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
 10...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  XXX.XXX.XXX.XXX  255.255.255.255      192.168.1.1      192.168.1.2     11
      192.168.0.0    255.255.255.0    192.168.0.129    192.168.0.130     11
    192.168.0.130  255.255.255.255         On-link     192.168.0.130    266
      192.168.1.0    255.255.255.0         On-link       192.168.1.2    266
      192.168.1.2  255.255.255.255         On-link       192.168.1.2    266
    192.168.1.255  255.255.255.255         On-link       192.168.1.2    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.2    266
        224.0.0.0        240.0.0.0         On-link     192.168.0.130    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.2    266
  255.255.255.255  255.255.255.255         On-link     192.168.0.130    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 11     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 11     58 2001::/32                On-link
 11    306 2001:0:9d38:6ab8:880:caa:e7c6:9416/128
                                    On-link
 14    266 fe80::/64                On-link
 11    306 fe80::/64                On-link
 11    306 fe80::880:caa:e7c6:9416/128
                                    On-link
 14    266 fe80::8184:12a1:9307:968a/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    306 ff00::/8                 On-link
 14    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
The IPs 192.168.1.* are from the client network (the computer I'm using the VPN on to connect to the remote VPN). Shouldn't this route (192.168.0.0 255.255.255.0 192.168.0.129 192.168.0.130) be on subnet 255.255.255.128, or am I missing something with regards to routing and VPN?
NAT is active on both the modem and the router. I'm not sure what part this plays with regards to security/connectivity and what I should do with it. Ports 500, 1701 and 4500 are forwarded on the router to 192.168.0.3, which I'm guessing is why I can connect in the first place. The router is set to be the DMZ on the modem. L2TP passthrough is enabled on the router (no option for this on the modem). The SPI firewall is enabled on the router. Again, I don't know if this affects anything.
I get a request timeout when attempting a tracert to 192.168.0.3. I also cannot even ping the VPN gateway. The VPN server cannot ping the assigned IP address of the client.
I hope this information helps; I can't think of anything else to mention at the moment. To summarize my problem, I can connect to the VPN but I can't do anything when I'm in. No ping, no DNS, no access via computer names, nothing.
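The question above turns on two things a reader new to routing may want to see computed rather than argued: which line of the client's route table a given destination actually uses, and whether two addresses share a subnet under a given mask. The block below is an added example, not part of the original post or any answer to it. `CLIENT_ROUTES` is a constructed copy of the relevant IPv4 rows from the posted `route print` output (loopback, multicast and broadcast rows omitted), and `NARROWED_ROUTES` is a hypothetical variant with the VPN route changed to the 255.255.255.128 mask the post asks about. `lookup`, `next_hop` and `same_subnet` are names chosen here for illustration.

```python
import ipaddress

# Constructed copy of the IPv4 rows from the client's `route print` in the post
# (loopback, multicast and broadcast rows omitted; they do not affect the lookups).
# Columns: destination, netmask, gateway ("On-link" = directly connected), interface, metric.
CLIENT_ROUTES = [
    ("0.0.0.0",       "0.0.0.0",         "192.168.1.1",   "192.168.1.2",   10),
    ("192.168.0.0",   "255.255.255.0",   "192.168.0.129", "192.168.0.130", 11),
    ("192.168.0.130", "255.255.255.255", "On-link",       "192.168.0.130", 266),
    ("192.168.1.0",   "255.255.255.0",   "On-link",       "192.168.1.2",   266),
    ("192.168.1.2",   "255.255.255.255", "On-link",       "192.168.1.2",   266),
]

# Hypothetical variant (an assumption for illustration, not something from the post):
# the same table with the VPN route narrowed to 255.255.255.128, as the post asks about.
NARROWED_ROUTES = [
    (net, "255.255.255.128" if net == "192.168.0.0" else mask, gw, iface, metric)
    for net, mask, gw, iface, metric in CLIENT_ROUTES
]


def lookup(dest, routes=CLIENT_ROUTES):
    """Return the route Windows would select for `dest`.

    Selection is longest-prefix match (most specific netmask wins); among
    equal prefixes the lowest metric wins. Returns (network, gateway,
    interface) or None when no row matches."""
    addr = ipaddress.ip_address(dest)
    best_key, best_route = None, None
    for net, mask, gateway, iface, metric in routes:
        # ipaddress accepts dotted netmasks, e.g. "192.168.0.0/255.255.255.0".
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr not in network:
            continue
        key = (network.prefixlen, -metric)  # longer prefix first, then lower metric
        if best_key is None or key > best_key:
            best_key, best_route = key, (str(network), gateway, iface)
    return best_route


def next_hop(dest, routes=CLIENT_ROUTES):
    """Address the packet is handed to: the gateway, or the destination
    itself when the selected route is On-link."""
    route = lookup(dest, routes)
    if route is None:
        return None
    _, gateway, _ = route
    return dest if gateway == "On-link" else gateway


def same_subnet(a, b, mask):
    """True when hosts a and b fall in the same subnet under `mask`."""
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{mask}", strict=False)


if __name__ == "__main__":
    for host in ("192.168.0.3", "192.168.0.129", "192.168.1.5", "8.8.8.8"):
        print(f"{host:15} -> {lookup(host)}  next hop {next_hop(host)}")
    print("server 192.168.0.3 and client 192.168.0.130 in one /25?",
          same_subnet("192.168.0.3", "192.168.0.130", "255.255.255.128"))
    print("with the /25 route, 192.168.0.129 resolves to",
          lookup("192.168.0.129", NARROWED_ROUTES))
```

Run as a script, it shows that with the posted table both 192.168.0.3 and the gateway 192.168.0.129 match the 192.168.0.0/24 row and are sent to 192.168.0.129 over the PPP interface, so the /24 mask is not what stops traffic from reaching the server. With the hypothetical /25 variant, 192.168.0.129 no longer matches the VPN row at all and falls through to the default route. `same_subnet` also shows that under the 255.255.255.128 mask used on the server's LAN, 192.168.0.3 and the pool address 192.168.0.130 are in different subnets (192.168.0.0/25 and 192.168.0.128/25), which is the kind of check worth making on the router's side of the link as well: a router whose LAN interface is 192.168.0.1/25 has no connected route to 192.168.0.128/25.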