Cannot reach beyond the RRAS server from VPN clients?
Many a time we face this issue - after making a VPN connection to the Routing and Remote Access server, we are unable to reach the machine on the network behind the VPN server. Here are a few tips to troubleshoot this.
Let's consider this example to understand this better.
VPN Client <---Internet---> RRAS server <----------------> LAN client
22.214.171.124 192.168.0.4 192.168.0.16
Static pool configured on RRAS server: 10.0.0.1 - 10.0.0.10 [This means that the VPN clients will get a 10.0.0.X address from this pool]
Public interface of RRAS server to which clients connect: 126.96.36.199
Private interface of RRAS server: 192.168.0.4 (The LAN clients on this network will have addresses 192.168.0.X)
We want to reach the LAN client 192.168.0.16 from the VPN client 10.0.0.2. The following are the things that we need to ensure for this
(1) Need to have proper routes on the VPN client to reach the machines behind the RRAS server
For our example, on the VPN client we need to have a route to reach the LAN client i.e. for 192.168.0.16 as the destination with the VPN server (10.0.0.1) as the gateway as follows.
route add 192.168.0.0 mask 255.255.255.0 10.0.0.1 if <interface_index_of _PPP adapter>
This route makes sure that any packet destined to the LAN clients will go out through the PPP adapter of the client to the server's internal interface. As the RRAS server has one interface on the same network as the LAN client, it will route it accordingly to the LAN client.
On the VPN client side, a default route can also be added which can be used to reach the internet [otherwise even internet requests will go through the RAS server]. This concept is called split- tunneling and is explained in the below article. https://www.microsoft.com/technet/community/columns/cableguy/cg1003.mspx
(2) Need to have correct routes on the LAN clients behind the RRAS server for the VPN clients
The packet from the VPN client will reach the LAN client if the route on VPN client is proper which is ensured by (1) above. However, for the packet from LAN client to reach the VPN client, we should have correct routes on the LAN client too. For example, when you try to ping 192.168.0.16 from the VPN client, the routes on the VPN client will aid in the echo request to reach 192.168.0.16. However, for the echo reply from 192.168.0.16 to reach the VPN client, you LAN client should have a route for the VPN client with gateway as the private interface of RRAS server as follows:
route add 10.0.0.0 mask 255.255.255.0 192.168.0.4 if <i/f_index_of _192.168.0.16>
This way, the echo reply destined to 10.0.0.2 will reach the RRAS server which is the next hop according to the above route. Once it reaches the RRAS server, the server knows how to send it to the client as it will have a route for all clients conencted to it.
Note: On the LAN clients, a reverse route can be added individually on all the clients or all LAN clients may be pointing to some router which then can have a reverse route for 10.0.0.0 network OR RRAS server itself can be the default router for LAN clients
Software Desing Engr/Test,
RRAS, Windows Enterprise Networking,
"This posting is provided "AS IS" with no warranties, and confers no