[isalist] Vpn routing problem (URGENT)

http://www.ISAserver.org
-------------------------------------------------------
  
I have a vpn gateway to gateway between a ISA server/w2k (headquarter) and a 
RRAS/w2k (branch1), my rouing
don't work. It's a very basic routing plan. I have five cases with the same 
problem.

Resuming:

---headquarter (ISA server/w2k)
internal-iface=192.168.15.1 mask=/24, external-iface=x.x.x.x (public ip)
. demand dial vpn iface= "dd-to-remote1", persistent, destination= (y.y.y.y see 
below), fix-ip=192.168.0.97
  (flag initiate connection when traffic accross ENABLED)
. static route 192.168.0.0/24 trough iface "dd-to-remote1"
. headquarter LAN default gateway is the ISA (192.168.15.1)

---remote-site-1 (MS RRAS/w2k)
internal iface: 192.168.0.98 mask=/24, external-iface=y.y.y.y (public ip 
referenced above)
. demand dial iface="dd-headquarter", persistent, destination=BLANK (should no 
initiate connections)
fix-ip=192.168.15.20
. static route 192.168.15.0/24 trough iface "dd-headquarter"
  (flag initiate connection when traffic accross DISABLED)
. default LAN gateway is a cisco router (192.168.0.1)
. on the cisco I have this route: destination=192.168.15.0 mask=24 
gateway=192.168.0.98 (the RRAS
internal-iface)

I have no filters, but routing don't work.
On ISA and on the RRAS console I can ping the other end subnet (is cause they 
have logical interfaces in each
end), but from LAN machines I can not.

Tracing from a "headquarter" LAN machine(192.168.0.15.6) to a remote-site-1 LAN 
machine (192.168.0.5)
c:>tracert -d 192.168.0.5
192.168.15.1  (ISA int iface)
192.168.0.97  (dd-to-remote1 iface)
* * *
* * *
* * *

Tracing from a "remote-site-1" LAN machine(192.168.0.8) to a "headquarter" LAN 
machine (192.168.15.11)
c:>tracert -d 192.168.15.11
192.168.0.1   (default LAN gateway cisco router)
* * *
20.x.x.x      (than try cisco default gateway the internet)
* * *
* * *
* * *
Seems the RRAS is rejecting packets from cisco router.

Follow the last example, tracing from 192.168.0.8 to 192.168.15.11, but puting 
a local route entry on
192.168.0.8,
the same route that the cisco default gateway has, than it work fine.
c:> route add 192.168.0.15 mask 255.255.255.0 192.168.0.98
c:>tracert -d 192.168.15.11
192.168.0.98  (RRAS LAN iface)
192.168.0.97  (dd-headquarter iface)
192.168.15.11 (headquartee LAN machine)
trace completed!

I have five gw-to-gw vpns on my headquarter ISA server, all the remote VPN 
sites have the same problem. In
remote sites the LAN default gateway is another router (cisco, linux, ...) not 
the remote RRAS server, but put
a route to the headquarter subnet trough the RRAS don't work. I know that it's 
very basic in TCP/IP, but In
need to put route entries on the some LAN machines to work!

Anyone can see a mistake in my routing plan?


Daniel Müller
Microsoft Certified Systems Engineer [MCSE + Security]
Linux Professional Institute Certified Level 2 [LPIC-2]
Master in Computer Science (network security area)
Softplan Sistems
Florianópolis, Brazil

------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 

Other related posts: