Configure Routing on a VPN Server
Updated: April 30, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
To enable a VPN server to correctly forward traffic from remote access clients to locations on the intranet, you configure routing in one of two ways:
Configure the server with static routes that summarize all possible IP addresses on the intranet.
Configure the server with routing protocols, such as Routing Information Protocol (RIP), that enable it to act as a dynamic router, automatically adding routes for intranet subnets to its routing table.
In a small, stable networking environment, static routing might be an appropriate choice for a VPN solution. However, in most corporate networking environments, the increased administrative overhead required to maintain static routes is prohibitive. The preferred method for a VPN solution is to configure the VPN server as a dynamic router.
Configuring static routes on the server
If you manually configure IP address ranges for a static address pool on any of your VPN servers, and if any of the ranges is not part of a subnet to which the VPN server is connected (an off-subnet range), then your intranet routing infrastructure must include routes that point to the off-subnet address ranges. To provide the best summarization of address ranges for routes, choose your address ranges so that they can be expressed using a single prefix and subnet mask.
To ensure this, add static routes that represent the off-subnet address ranges to the routers neighboring the VPN servers, and then use the routing protocol of your intranet to propagate the off-subnet routes to other routers. When you add the static routes to the neighboring routers, specify that the gateway or the next hop address is the intranet interface of the VPN server.
If you want to use an address range that is part of an already defined subnet (an on-subnet range), then you typically do not have to configure new routes, as the existing subnets are already in the routing tables. To use an on-subnet range of addresses, you can configure the VPN server to obtain IP addresses through DHCP or manually configure on-subnet address ranges. If you manually configure the on-subnet range, then ensure that the addresses cannot be assigned to other computers on the subnet.
To add a static route
Open the Routing and Remote Access Services MMC snap-in.
In the console tree, expand the server name, and then expand IPv4 or IPv6, depending on the route you want to create.
Right-click Static Routes, and then click New Static Route.
Select the Interface to be used to forward packets to the destination address range.
Enter the IP subnet address Destination, and either the Subnet mask or Prefix length that identifies the address range. If this route is to be the default route, enter either 0.0.0.0 for IPv4, or :: for IPv6.
For the Gateway, if the interface is a physical network interface, then enter the next hop address to which packets for the target address range are to be forwarded. If the interface is a demand-dial interface, then do not configure the gateway parameter.
Enter the Metric to be used to determine which route to use when multiple routes are available. The value is typically configured to be the number of hops (routers) between this computer and the destination. However, when one route uses a more expensive media (for example, long-distance dial-up), then you can set the metric higher for that route to ensure it is used only if another, less expensive route is not available. The route with the lowest metric is selected.
Configuring the server as a dynamic router
If you are using Routing Information Protocol (RIP) to exchange routing information between the routers on your intranet, then you can configure the RRAS VPN server as a RIP router.
To configure an RRAS server to participate in RIPv2 routing
In the Routing and Remote Access MMC snap-in, expand IPv4, right-click General, and then click New Routing Protocol.
The New Routing Protocol dialog box appears.
IPv6 does not currently support any routing protocols. To configure routing in IPv6, create the appropriate static routes on a neighboring router that is configured with a routing protocol.
In the list, select RIP Version 2 for Internet Protocol, and then click OK. RIP appears in the list under IPv4.
In the navigation tree, right-click RIP, and then click New Interface.
Select the interface to be used to send and receive routing information. This is typically the intranet interface.
The RIP Properties – Interface Name Properties dialog box appears. Use this dialog box to configure the RIP component on this interface and to specify the neighboring routers with which the RRAS server shares routing information.
The tabs in the RIP Properties page enable you to specify the following:
Whether to use periodic updates or auto-static updates.
The versions of RIP to use, either v1 or v2.
Whether routers must authenticate, and if so, the password to be used.
Any restrictions on the routes to accept or announce.
Whether route changes are broadcast or unicast to specific IP addresses.
A variety of timeouts and other parameters that configure how RIP handles certain types of announcements.
To view the current routing table, including those learned by received RIP announcements, in the navigation tree under IPv4, right-click Static Routes, and then click Show IP Routing Table.
For more information about configuring the RIP routing protocol, see Configure RIP for IP.