question

Sid-1709 asked Sid-1709 commented

RRAS VPN server with off-subnet address range for clients

Hello!

I want to implement an RRAS VPN server with off-subnet addresses assigned to the VPN clients.
My problem is that I can ping the VPN clients from the LAN, but I can't ping LAN resources from the VPN Clients.

Here is my setup and how I configured it:
LAN: 192.168.1.0/24
DGW: 192.168.1.254
VPN Client network: 10.41.80.0/21
RRAS server: Single NIC: 192.168.1.6

I configured the RRAS server with VPN and Router roles.
I have created a Static address pool on the RRAS server for the VPN clients 10.41.80.1 - 10.41.87.254
I have disabled all ports, only IKEv2 is used by RAS/Routing; the rest is "Used by none".

On my LAN router (192.168.1.254) I have added one static route: the destination network 10.41.80.0/21 is routed to the RRAS server IP 192.168.1.6.
On my LAN router I've allowed ICMP communication between the two networks in both directions.

At this point the communication initiated from my LAN to the VPN clients started to work, but not the other way.
I can't figure out what I am missing.

Thank you for your input!

Tags: windows-server, windows-server-management, windows-platform-network

Hi,

Just checking in to see if the information provided was helpful.

If yes, you may accept the useful reply as the answer; if not, feedback is welcome.

Best Regards,
Sunny

SunnyQi-MSFT answered Sid-1709 commented

Hi,

Thanks for your update.

I would suggest you run the command "route print" on the VPN client once a VPN connection is established, to check whether there is a route to 192.168.1.0/24.

If not, I would suggest you add a corresponding route on the VPN server, since the VPN client obtains its route information from the VPN server.

Best Regards,
Sunny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



There was no route in the VPN client route table for 192.168.1.0/24 network.
I've added a static route in RRAS as you suggested; restarted RRAS, reconnected with the VPN Client.

There is still no route for the 192.168.1.0/24 network in the VPN client route table. The communication originating from the VPN client is still not working.

Edit:
I've added manually the following route to the VPN client:
route add 192.168.1.0 mask 255.255.255.0 192.168.1.254 metric 1
This did not solve the problem.


Hello!

I did figure out the cause of the problem, however I don't know how to implement a proper solution yet.

The issue is that if I initiate a ping request from a VPN client (10.41.80.2) towards a server on the corporate network (192.168.1.2), the ping request goes directly to the destination server, not touching my router on the corporate network (192.168.1.254).
However, the ping reply is sent to the router first, and it drops the reply because it sees "ICMP reply without request".

If I add the following route to the server's (192.168.1.2) route table, then the problem is solved:
route add 10.41.80.0 mask 255.255.248.0 192.168.1.6

Obviously I can't consider this as a final solution.
I would like to set up a configuration where the packets from the VPN clients always go through my router first, and then bounce from there to the destination server.

I'm still looking for help to implement the above or similar solution!

Sid-1709 answered Sid-1709 commented

I would like to add some extra information I gathered about the issue:

  • When I try to ping a LAN machine from a VPN client, on my firewall (192.168.1.254) I get the following block message: ICMP reply without request. So the LAN machine tries to reply, but the firewall blocks it. I suspect that for some reason the ICMP request comes from the RRAS server 192.168.1.6 (not interacting with my firewall) and the reply goes to the VPN client's address through my firewall.

  • I am able to send a DNS query from a VPN client to my internal DNS server (192.168.1.1) and get a response.

  • I am able to request an NTP resync from my local Windows NTP server (192.168.1.8) and get a response.

  • I am able to ping my firewall LAN IP (192.168.1.254) from a VPN client and get a response. I still can't ping anything else on the LAN.

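The asymmetric path described in the two posts above (request client→RRAS→server, reply server→firewall→RRAS→client), modelled as an added example that is not from the thread: a small longest-prefix-match simulator over the thread's addresses, with a stateful-firewall check that only admits a reply whose request it has seen. It shows why the reply is dropped with the server's default route, why the `route add 10.41.80.0 mask 255.255.248.0 192.168.1.6` on the LAN server fixes it, and why pinging the firewall itself works. The routing tables and the simplified state check are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology mirroring the thread: LAN 192.168.1.0/24, VPN pool
# 10.41.80.0/21, single-NIC RRAS at 192.168.1.6 (tunnel side 10.41.80.1),
# firewall/default gateway at 192.168.1.254, LAN server at 192.168.1.2.
ADDR_TO_NODE = {
    "10.41.80.2": "client", "10.41.80.1": "rras", "192.168.1.6": "rras",
    "192.168.1.2": "server", "192.168.1.254": "firewall",
}
# Routing tables as (prefix, next_hop); next_hop None = directly connected.
BASE_ROUTES = {
    "client": [("0.0.0.0/0", "10.41.80.1")],  # everything goes into the tunnel
    "rras": [("10.41.80.0/21", None), ("192.168.1.0/24", None)],
    "firewall": [("192.168.1.0/24", None), ("10.41.80.0/21", "192.168.1.6")],
    "server": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.254")],
}
# Server table after "route add 10.41.80.0 mask 255.255.248.0 192.168.1.6".
FIXED_SERVER = BASE_ROUTES["server"] + [("10.41.80.0/21", "192.168.1.6")]

def next_hop(table, dst):
    """Longest-prefix match over one routing table; None = deliver directly."""
    best = None
    for prefix, nh in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]

def trace(routes, src, dst, max_hops=8):
    """Hop-by-hop list of node names a packet from src to dst traverses."""
    node, target = ADDR_TO_NODE[src], ADDR_TO_NODE[dst]
    path = [node]
    while node != target and len(path) <= max_hops:
        nh = next_hop(routes[node], dst)
        node = target if nh is None else ADDR_TO_NODE[nh]
        path.append(node)
    return path

def icmp_echo(routes, client, target):
    """Simulate echo request + reply. The stateful firewall (assumed) passes a
    reply only if the matching request crossed it; returns (req, rep, dropped)."""
    req = trace(routes, client, target)
    rep = trace(routes, target, client)
    dropped = "firewall" in rep and "firewall" not in req
    return req, rep, dropped

if __name__ == "__main__":
    for name, routes in (("default", BASE_ROUTES), ("fixed", dict(BASE_ROUTES, server=FIXED_SERVER))):
        print(name, icmp_echo(routes, "10.41.80.2", "192.168.1.2"))
    print("ping firewall", icmp_echo(BASE_ROUTES, "10.41.80.2", "192.168.1.254"))
```

With the default server table the reply path includes the firewall while the request path does not, which is exactly the "ICMP reply without request" condition; a symmetric alternative is any design where both directions cross the same stateful device.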

This is a quick note to let you know that I am currently performing research and tests on this issue and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.


Hi,

Before we go further, may I know if you have tried disabling Windows Firewall on these specific machines one by one, to narrow down whether the issue is related to Windows Firewall?

Best Regards,
Sunny


Hello,

Yes, I've tried it with Windows Firewall disabled on both ends.