Windows 2003 server VPN - LAN inaccessible

1

0

I have the following config:

enter image description here

"Laptop" VPNs in to "Server". Then, "Laptop" can fully access "Server". The problem: "Laptop" can't connect to "Desktop" (neither TCP/IP, nor ICMP (ping)).

On "Laptop", "Use Default gateway for remote network" is unchecked, to maintain internet connectivity during VPN session. On "Server", RRAS is configured as a router and according to the routing tables, everything should work.

On "Laptop", routes list 192.168.1.0/255.255.255.0 gateway 192.168.1.5. On "Server", routes list 192.168.1.0/255.255.255.0 gateway 192.168.1.3 (X). Am I not correct in thinking that when a packet comes from 192.168.1.5 for 192.168.1.4, "Server" should route it according to (X)?

Thank you!

UPDATE: Turned DHCP off at the router, and turned it on on the "Server" - everything works (and doesn't work) just like it did before.

Mr. TA

Posted 2011-10-10T01:08:25.497

Reputation: 99

Have you tried it with all firewalls off? Which versions of XP on Laptop & Desktop? Why do you use RRAS when the router can do everything for you? – harrymc – 2011-10-13T18:38:25.517

All firewalls are off. Both laptop and desktop - XP SP3. The router is a very simple one; it doesn't have VPN features that I need. – Mr. TA – 2011-10-13T19:29:35.210

I meant whether the XP versions are Home or better. Also, does the router have port forwarding? Does everything work without VPN? Some info about how you created the VPN would also be useful. – harrymc – 2011-10-14T05:45:46.450

@harrymc: It's Windows XP Pro on both machines. The router does have port forwarding; I currently have ports 80 (HTTP), 1723 (VPN) and 3690 (SVN) routed to "Server". Everything other than the VPN problem above does work fine (the port forwarding, DNS, DHCP, etc.). I set up VPN by configuring RRAS, closely following steps from this article: http://www.techrepublic.com/article/configure-a-windows-server-2003-vpn-on-the-server-side/5805260 Only difference being that "Server" only has 1 NIC.

– Mr. TA – 2011-10-14T10:53:26.207

When the VPN is attached can you ping "Desktop" by IP address? Can you contact/ping the Router at 192.168.1.1? – Ƭᴇcʜιᴇ007 – 2011-10-17T05:29:22.277

@techie007 if you mean from "Laptop", then no, I can't ping anything on the LAN, except for "Server" itself. – Mr. TA – 2011-10-18T11:56:26.383

Answers

2

Thanks harrymc for the links.

The problem was caused due to using the LAN subnet for the VPN. That led to the client and server getting the same VPN IP address - 192.168.1.5 - which apparently somehow confused RRAS.

I changed RRAS to create its own static pool (instead of relaying DHCP) of different IPs (10.0.0.x). When connected, server got VPN IP of 10.0.0.1 and client 10.0.0.2. On the client, added a route for LAN IPs (192.168.1.XXX) to go through 10.0.0.2 - voila.

Mr. TA

Posted 2011-10-10T01:08:25.497

Reputation: 99

You should do something about your bounty. It is awarded automatically to the designated answer, but as you cannot award points to yourself it will just get lost. – harrymc – 2011-10-18T14:34:04.490

@harrymc I awarded it to you, since I figured the problem out after reading one of the articles that you linked to. – Mr. TA – 2011-10-19T15:21:43.110
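
The addressing check and client route described in the answer above, as an added example that is not part of the original posts. It uses the thread's addresses; the pool bounds (10.0.0.1 to 10.0.0.254 and the constructed "before" range) and all function names are assumptions made for illustration.

```python
import ipaddress

def pool_overlaps_lan(lan_cidr, pool_first, pool_last):
    """True if any address in the VPN pool also belongs to the LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last))
    return any(block.overlaps(lan) for block in blocks)

def check_tunnel_endpoints(lan_cidr, server_vpn_ip, client_vpn_ip):
    """Return a list of problems with the assigned tunnel addresses."""
    lan = ipaddress.ip_network(lan_cidr)
    server = ipaddress.ip_address(server_vpn_ip)
    client = ipaddress.ip_address(client_vpn_ip)
    problems = []
    if server == client:
        problems.append("server and client share tunnel address %s" % server)
    for name, addr in (("server", server), ("client", client)):
        if addr in lan:
            problems.append("%s tunnel address %s is inside LAN %s"
                            % (name, addr, lan))
    return problems

def client_route_command(lan_cidr, client_vpn_ip):
    """Windows 'route add' line sending LAN traffic into the tunnel.

    Follows the answer: the gateway is the client's own VPN address."""
    lan = ipaddress.ip_network(lan_cidr)
    gateway = ipaddress.ip_address(client_vpn_ip)
    return "route add %s mask %s %s" % (lan.network_address, lan.netmask, gateway)

if __name__ == "__main__":
    LAN = "192.168.1.0/24"
    # Before: addresses relayed from the LAN's DHCP, both ends got 192.168.1.5.
    for problem in check_tunnel_endpoints(LAN, "192.168.1.5", "192.168.1.5"):
        print("before:", problem)
    # Constructed pool range inside the LAN, to show the overlap check firing.
    print("before: pool overlaps LAN:",
          pool_overlaps_lan(LAN, "192.168.1.5", "192.168.1.20"))
    # After: dedicated static pool (bounds assumed) and distinct endpoints.
    print("after: pool overlaps LAN:",
          pool_overlaps_lan(LAN, "10.0.0.1", "10.0.0.254"))
    print("after: problems:", check_tunnel_endpoints(LAN, "10.0.0.1", "10.0.0.2"))
    print(client_route_command(LAN, "10.0.0.2"))
```

The printed `route add` line is not persistent; on the client it has to be re-entered after each VPN connection unless it is scripted.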

3

I do not have the setup to test anything, and there are too many settings that can cause this problem. It is probably caused by missing IP routes, or incorrect handling of the two sets of IP addresses (inside and outside of the VPN).

I have grouped below some links that discuss the same problem that you are experiencing, in the hope that one of them will apply to your setup:

Fix the four biggest problems with VPN connections
Section "Inability to reach locations beyond the VPN server".

Cannot reach beyond the RRAS server from VPN clients

VPN clients are unable to access resources beyond the VPN server

Configuring VPN Clients to Support Network Browsing

This series of articles contains lots of useful information: Remote Access Design Guidelines.

harrymc

Posted 2011-10-10T01:08:25.497

Reputation: 306 093