is VPN+Domain set up differently than VPN+workgroup (peer)?

JediFonger

[attached diagram: v.jpg]

^i'm using a D-Link DFL-200 firewall and server is running AD/DHCP/DNS/etc. VPN remote client is WXPP.

i've set up the remote VPN user to connect to the firewall's VPN server using WXPP's built-in VPN client (pptp). the remote VPN client can connect to the firewall and ping the firewall's IP but can't ping any other IP inside of the firewall. the VPN user is also receiving an ip that should be able to communicate with computers inside the VPN (like 10.0.0.201). the remote VPN client can't view any shared folders on computers inside the firewall.

the firewall itself has a ping tool and can ping the VPN client's public and DHCP assigned address so the firewall/VPN (pptp server) can see the remote VPN user is connected. the firewall/vpn server can also see all of the inside addresses including server 10.0.0.1.

all of the computers inside the firewall can ping the ip assigned to the remote VPN user connected to the firewall but can't see anything on the remote VPN computer. it's just not available. what i mean is shared folders: inside computers can't see any shared folders outside of the firewall.

so, it sounds like there's an authentication/config issue.

with workgroups, when i set up the firewall as a pptp server, assign the IP range from 10.0.0.201-254, then create a pptp user, the remote VPN user can connect and browse the shared folders and inside PCs can browse shared folders on the outside.

with domains, do i have to enable VPN server on the ad/dhcp/dns server? i thought the firewall itself was the pptp server and that enables the remote VPN clients to terminate their connections at the firewall and then connect to the domain network as if the remote client was physically located at the LAN? i thought that's the whole purpose?

what am i missing here?

re: policies, right now, inside computers can send stuff out (from LAN to WAN) and receive http and the usual stuff. from WAN to LAN there is no policies set therefore i think it's all restricted.
 
I use a similar setup on many setups, using the RV0 series routers...

First...main network and remote sites should be on different IP ranges....
meaning..
Main network...192.168.0.xxx
First satellite network or remote user..an IP range other than 192.168.0.xxx...meaning, can be something like 10.0.0.xxx or 192.168.1.xxx or 192.168.2.xxx, etc etc.

This is why when I built business networks...I make it on something other than the common 192.168.0/1.xxx....because chances are you'll have staff that wants to remote in from home..and most will have a broadband router that will be in that common range.

Edit DHCP on the VPN server to hand out the IP of the DC as the DNS server..so that way clients can get resolution. Or you can slap it in the IP properties of the VPN connection. However...I try to setup static reservations for hosts..so that you just train the VPN client to connect to the host once..and it remembers..IE RDC to a workstation or OWA or something.
 
well, the IP already works in my situation. the problem is remote VPN users can't access domain resources. i'm already having the VPN server relay dhcp and dns duties to 10.0.0.1 (server).

i'll try the static ip though. local network is 10.0.0.1-200 and VPN users are 10.0.0.201-254

so they're already on different scopes already.
 
JediFonger said:
well, the IP already works in my situation. the problem is remote VPN users can't access domain resources. i'm already having the VPN server relay dhcp and dns duties to 10.0.0.1 (server).

i'll try the static ip though. local network is 10.0.0.1-200 and VPN users are 10.0.0.201-254

so they're already on different scopes already.

What is the IP address of the remote user? Not the IP they are getting from your DHCP server, but the IP of their physical NIC? If it's in the same subnet as your network, then that's the problem. His pings will never leave his local network and travel over the VPN. Just because he gets a reply when pinging 10.0.0.3 doesn't mean it's the firewall replying, it could be something on his local network with that IP.
 
on the remote VPN user's computer, let's say he's got a direct connection to the internet via cable/dsl modem. his lan/nic is the interface he uses to connect to the internet.

when you create a "new connection", you create a dial-in pptp OVER your existing internet connection as a SEPARATE interface. in that interface, you obtain an IP from the inside VPN and thus should be able to interact with the VPN inside computers.

the remote VPN user is only 1 computer and doesn't have any other local network computers. so if he pings 10.0.0.3, the pings are leaving the network OVER the VPN connection made. that's a private address and thus is only the router responding. plus the firewall can ping both the private and public address of the remote VPN user.
 
JediFonger said:
on the remote VPN user's computer, let's say he's got a direct connection to the internet via cable/dsl modem. his lan/nic is the interface he uses to connect to the internet.

when you create a "new connection", you create a dial-in pptp OVER your existing internet connection as a SEPARATE interface. in that interface, you obtain an IP from the inside VPN and thus should be able to interact with the VPN inside computers.

the remote VPN user is only 1 computer and doesn't have any other local network computers. so if he pings 10.0.0.3, the pings are leaving the network OVER the VPN connection made. that's a private address and thus is only the router responding. plus the firewall can ping both the private and public address of the remote VPN user.

I know how VPNs work. So his local IP is a public address, not a private one. That's all I was looking for. Most people don't connect directly to their cable/dsl modem, they use some sort of hardware firewall. If his local router was handing out an IP range in the 10.0.0.x subnet his VPN connection would have issues similar to what you are describing.
 
JediFonger said:
well, the IP already works in my situation. the problem is remote VPN users can't access domain resources. i'm already having the VPN server relay dhcp and dns duties to 10.0.0.1 (server).

i'll try the static ip though. local network is 10.0.0.1-200 and VPN users are 10.0.0.201-254

so they're already on different scopes already.
Since you're using the XP client, this doesn't quite apply, but I do believe what YeOlde was saying was that you need different subnets for each site, ie; home office 10.0.0.x, second office 10.0.1.x, third, 10.0.2.x, etc...

Sounds like flaky VPN support in your case, have you tried setting up VPN on your server and forwarding the port on the firewall?

Default port should be 1723.
 
ns, no it wouldn't because regardless of how the remote VPN user connects to the internet, the VPN connection in the network connections folder for WXPP is making a separate and independent connection on its own. it has its own IP/subnet, etc.

0ldman, there's only 1 remote VPN user and 1 VPN server setup. i don't get why diff. subnets will help in my situation. you need to have the same subnet to access resources.

i want to terminate the user at the firewall and not just pass the VPN connections to the AD. it is more secure.
 
I said it didn't apply to your situation, I was trying to clarify what YeOlde was saying. You didn't seem to understand it then either.

What NS80 is saying is along the same lines, if the local network and remote network are on the same subnet (I understand yours is not), it will not work right.

It sounds to me like DLink sucks or you don't have it configured properly. Try disabling the firewall for a test.

Personally, I've not had luck with DLink, aside from a couple of PCMCIA cards. I refuse to sell routers/APs.
 
gotcha.

i've also tried cisco PIX 501's.

is there something i have to configure on my AD server to make this work? do i need routing enabled on AD server? this is just not working.

how about openvnc?
 
JediFonger said:
ns, no it wouldn't because regardless of how the remote VPN user connects to the internet, the VPN connection in the network connections folder for WXPP is making a separate and independent connection on its own. it has its own IP/subnet, etc.

0ldman, there's only 1 remote VPN user and 1 VPN server setup. i don't get why diff. subnets will help in my situation. you need to have the same subnet to access resources.

i want to terminate the user at the firewall and not just pass the VPN connections to the AD. it is more secure.

You either don't understand how VPNs work or you are completely misunderstanding what we are saying. Let's take a hypothetical network here. At the office there is a router, with an IP of 192.168.0.1, and all the servers and client PCs on that network have IPs of 192.168.0.x. Now you have a remote user setup and at his home he has a linksys router, also with an IP address of 192.168.0.2. DHCP is configured on it to hand out addresses in the 192.168.0.x range. Now your remote user connects his pptp VPN to the office, and receives an IP of 192.168.0.201. He's not going to be able to connect to or ping any PCs in the office, because that traffic will never leave his local network. His PC knows his internal NIC is on the 192.168.0.x subnet, so it won't send traffic over the VPN. Now if you change his home router to be 192.168.1.2, and hand out IPs in the subnet 192.168.1.x, the problem will go away and you will be able to contact PCs at the office. So in summary, if your remote user's local subnet matches the one at his office, he's going to have all kinds of trouble with his VPN. It's that simple.
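The subnet-clash behaviour ns80 describes, as an added example (Python, not from the thread): a longest-prefix-match lookup over the two connected routes a client holds while its PPTP adapter is up, plus the overlap check. The addresses are ns80's hypothetical ones and constructed values (203.0.113.7 stands in for a public address); interface metrics are not modelled, so an exact tie is reported as ambiguous. It also covers the thread's own 10.0.0.0/8 VPN mask, where a home router on 10.0.0.x wins on the longer prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Added example (not from the thread): models which adapter a Windows client
# uses for a destination once its PPTP adapter is up beside the LAN adapter.
# Addresses below are the hypothetical ones ns80 used plus constructed values.


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str  # "LAN" (the Internet-facing NIC) or "VPN" (PPTP adapter)


def connected_routes(lan_iface: str, vpn_iface: str) -> List[Route]:
    """Routes a client holds with the tunnel up: one connected route per
    adapter (derived from address/mask) plus a default route via the LAN."""
    return [
        Route(ipaddress.ip_interface(lan_iface).network, "LAN"),
        Route(ipaddress.ip_interface(vpn_iface).network, "VPN"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "LAN"),
    ]


def pick_interface(routes: List[Route], dst: str) -> str:
    """Longest-prefix match over the table. Returns 'LAN', 'VPN', or
    'AMBIGUOUS' when both adapters claim the destination with equal prefix
    length; a real host then falls back to interface metrics, which is the
    unreliable situation the thread warns about (metrics are not modelled)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    best = max(r.network.prefixlen for r in matches)  # default route always matches
    winners = {r.interface for r in matches if r.network.prefixlen == best}
    return winners.pop() if len(winners) == 1 else "AMBIGUOUS"


def vpn_path(lan_iface: str, vpn_iface: str, dst: str) -> str:
    """Convenience wrapper: which adapter carries traffic for dst."""
    return pick_interface(connected_routes(lan_iface, vpn_iface), dst)


def subnets_overlap(lan_iface: str, vpn_iface: str) -> bool:
    """The pre-flight check the thread arrives at: does the remote user's
    local subnet overlap the address space the VPN hands out?"""
    return ipaddress.ip_interface(lan_iface).network.overlaps(
        ipaddress.ip_interface(vpn_iface).network
    )


if __name__ == "__main__":
    cases = [
        # (home LAN adapter, PPTP adapter, office destination)
        ("192.168.0.50/24", "192.168.0.201/24", "192.168.0.10"),  # ns80's clash
        ("192.168.1.50/24", "192.168.0.201/24", "192.168.0.10"),  # ns80's fix
        ("203.0.113.7/24", "10.0.0.201/8", "10.0.0.1"),  # direct public IP, thread's /8 mask
        ("10.0.0.50/24", "10.0.0.201/8", "10.0.0.1"),  # home 10.0.0.x router beats the /8
    ]
    for lan, vpn, dst in cases:
        print(f"LAN {lan:18} VPN {vpn:17} -> {dst}: {vpn_path(lan, vpn, dst):9} "
              f"overlap={subnets_overlap(lan, vpn)}")
```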
 
no we're all saying the same things just different points of views. and that's not even an issue since the remote VPN user is direct anyway.

but let's say he WASN'T directly connected to internet and also has a router. and let's say his internal network is 192.168.1.x and the office VPN is 10.x.x.x

the remote VPN user's own internal router IP address has nothing to do with the office VPN's own inside IP address. once the remote VPN user connects to the office VPN he receives a 10.x.x.x address and should be able to communicate with the office.

with regard to the remote VPN user's PC, if you look at network connections, 1 icon is for LAN IP, which is 192.168.1.2 for example and the VPN status icon will also be connected simultaneously at 10.x.x.x. that's how it works.
 
Jedi, you're not understanding what he's saying.

His initial response was in regards to if you had 10.0.0.x as your vpn and the client also had 10.0.0.x addresses being handed out by, let's say, a Belkin router (they don't, but bear with me, this is hypothetical). That would cause problems because 10.0.0.1 on your network is Z resource while on the client's internal network it is probably his router.

With that out of the way, we all understand that this is NOT the case for your situation, as your client has no router or other means of intermittent communication with his modem for DSL/Cable/T1 connectivity to the internet.

Back on topic - is your DC using 2003 or 2000? It's been a while since i took the MCSE classes; however, i seem to recall AD settings for remote user access to domain resources. I'd check your gpolicies (gpedit.msc) and look for "user" settings perhaps. Another thing i would check in your situation is if you are able to resolve IPs to host names via NSLOOKUP while VPN'd into your network. If you can do that, identify a hostname you're sure has a shared resource that the user should have access to and just try doublebacking it from run. (IE: \\hostname\resource)

I'm not an expert but i hope i can maybe help, i'm interested in the outcome either way.
 
JediFonger said:
i've also tried cisco PIX 501's.

is there something i have to configure on my AD server to make this work? do i need routing enabled on AD server? this is just not working.

how about openvnc?

I'm stepping out of the IP range wheel spinning...I think that debates going to go on for days.

Client connecting from a PC with a public IP address. First of all..I'd never ever ever allow that on any of my clients. I hate PCs on a public IP address...but the thought of having one of those VPN to a business network that was secure up until that point...
:eek: You've just driven a truck through the wall that was once your NAT firewall.

BUT..security of your VPN wasn't the issue here....so..what do you mean by "Can't access resources"? Can you connect to say...an RD host? Like a workstation using RDC? Going to IP..not netbios name. Scratch netbios name off the list unless you have DNS working well. Stick with IP only in the beginning. Or say..launch an UltraVNC host machine..and connect to it using client...through the VPN..again...IP only.
 
my issue is inside VPN can ping the IP of any remote VPN users connected to the firewall/vpn (pptp server) but can't see their shared folders over windows explorer and likewise the remote VPN user can't see any shared folders on the inside VPN computers. i think there's a policy i have to set on the firewall to make this happen. there's a LAN-WAN policy which is enabled for inside computers to view the internet. but there are no policies under WAN-LAN, which means nothing is coming in (except http) even though stuff is being sent out? do i have to enable any policies from WAN-LAN? this is totally fubar.

strange thing is this setup works with workgroups (p2p and no domain involved).

i'm going to try ultravnc.
 
Most decent routers have VPN passthrough, you have to enable it.

Have you tried disabling the firewall yet as a test to see if it fixes the problem?
 
don't take this the wrong way, jedi, look at what you just said:

you stated that this works on normal P2P networks ( Workgroups ) but not for your domain. yet your primary focus seems to be a setting on your firewall for WAN-LAN.


As i said before, i believe it is a gpolicy that needs to be set for remote users. i don't have any server software installed currently (even though my XP-Pro is functioning as one on this machine) or i'd take a good look and tell you.

but hey it might still be a firewall setting, im not all too familiar with those firewalls so your evaluation of that is much more informed than mine.

best of luck keep us updated
 
Post an Ipconfig from a domain computer, an ipconfig from the remote workstation connected via VPN, Ipconfig from the Domain Controller , and check to see if there are any DNS forwarders listed in the Domain Controller.

This sounds like a DNS issue and here is why I think so:

In a P2P network all computers use the VPN router for its default gateway and DNS; in a domain environment the domain PCs use the DC for DNS. Thus the VPN/Router is the DNS for both local and VPN users.

The problem with terminating the VPN connection at the VPN router in a domain setup is that the VPN user's DNS requests are being answered by the vpn router and not the domain controller DNS.

Likewise the domain computers are trying to resolve the remote vpn computers via Domain controller DNS which may not know anything about the router DNS.

It would be far easier to just terminate the VPN connections at the domain controller than the VPN/Router and let the DC do the work.
 
I may have missed it above (tired as heck...gulping my Bustelo coffee like crazy)...but have you edited your PPTP server's DHCP to hand VPN clients your server's IP of 10.0.0.1 as their DNS server?

Have these remote machines been joined to the domain?
 
i don't want to forward ports because i want to terminate the remote VPN user at the firewall, not the AD server. without the firewall it works but i have to enable the VPN+NAT routing service on the AD.

0ldman said:
Most decent routers have VPN passthrough, you have to enable it.

Have you tried disabling the firewall yet as a test to see if it fixes the problem?
well, if someone can point me to the right direction on what kinds of config needs to be in place on the fw, server i think i can figure it out to my application. right now, i'm just thinking the user is already connecting at the fw, so they should be able to communicate with ADserver and access domain resources (shared printers, folders, sql, etc.).

Kreator said:
but hey it might still be a firewall setting, im not all too familiar with those firewalls so your evaluation of that is much more informed than mine.

best of luck keep us updated

DNS server is already forwarded to 10.0.0.3 the router for IP's it can't resolve locally and the firewall is also relaying DNS it can't resolve to the DNS server (10.0.0.1). so any remote VPN user that connects should be able to use either 10.0.0.1 or 10.0.0.3 as DNS and it should forward back and forth to both local and internet IP's. right now the gateway on the remote VPN user is 10.0.0.3... maybe i should make it 10.0.0.1. i'll try it @home.

re: terminating via either direct connection or port forwarding @AD server (with VPN+NAT routing service enabled) would be easier and it works. the problem is i don't feel that it is secure enough and i've heard people prefer terminating @fw since you have 1 more layer of security between server and the internet without much loss in performance (which doesn't matter in my case anyway, it's all low-bandwidth apps).

SJConsultant said:
Post an Ipconfig from a domain computer, an ipconfig from the remote workstation connected via VPN, Ipconfig from the Domain Controller , and check to see if there are any DNS forwarders listed in the Domain Controller.

This sounds like a DNS issue and here is why I think so:

In a P2P network all computers use the VPN router for its default gateway and DNS; in a domain environment the domain PCs use the DC for DNS. Thus the VPN/Router is the DNS for both local and VPN users.

The problem with terminating the VPN connection at the VPN router in a domain setup is that the VPN user's DNS requests are being answered by the vpn router and not the domain controller DNS.

Likewise the domain computers are trying to resolve the remote vpn computers via Domain controller DNS which may not know anything about the router DNS.

It would be far easier to just terminate the VPN connections at the domain controller than the VPN/Router and let the DC do the work.


yesh, the pptp server is relaying DHCP work to main AD server (10.0.0.1) and the AD server is forwarding everything it can't resolve to the router 10.0.0.3.

i tried joining the domain but it doesn't work, the remote VPN user can't find any domain to join while RAS is connected. the main reason, which goes back to my initial question, is that it can't even ping 10.0.0.1 the server. if it pings and can see the domain computers, or even just the server, my problem would be resolved.


YeOldeStonecat said:
I may have missed it above (tired as heck...gulping my Bustelo coffee like crazy)...but have you edited your PPTP server's DHCP to hand VPN clients your server's IP of 10.0.0.1 as their DNS server?

Have these remote machines been joined to the domain?


PS i would think this is a fairly COMMON setup/application but i haven't seen many FAQs via cisco or many networking sites. is this NOT common? maybe i'm just naive =). i mean people need AD for business-grade stable filesharing, they need a firewall to protect themselves and if they have remote workers that telecommute, companies need to have remote VPN users connect to the internal network. i'd hate to think that everyone is just forwarding the ports. even ultravnc or openvpn is better than that. i'd prefer to stick with this setup because it is less headache in the future and people don't have to learn how to use ultravnc or any additional app.

that's why i'm guessing either the fw isn't configured properly or i have to enable VPN service on the AD server itself to accept remote authentication, etc.
 
yes. everything across the VPN inside and outside including the router has the latest of everything.
 
JediFonger

If you want help, then post answers to the questions we ask. I asked for specific information that you have completely glossed over in your response.
 
Agreed.

If it is a firewall problem, disabling the firewall for 5 minutes and testing would answer that.

You want help, but you won't try what we ask, nor give us the info asked for.
 
JediFonger said:
PS i would think this is a fairly COMMON setup/application but i haven't seen many FAQs via cisco or many networking sites. is this NOT common? maybe i'm just naive =). i mean people need AD for business-grade stable filesharing, they need a firewall to protect themselves and if they have remote workers that telecommute, companies need to have remote VPN users connect to the internal network. i'd hate to think that everyone is just forwarding the ports. even ultravnc or openvpn is better than that. i'd prefer to stick with this setup because it is less headache in the future and people don't have to learn how to use ultravnc or any additional app.

that's why i'm guessing either the fw isn't configured properly or i have to enable VPN service on the AD server itself to accept remote authentication, etc.

It is common...I set up many MANY networks with VPN capable routers (PIX, Sonicwalls, and most commonly lately..RV0 series routers). They work great...I prefer that over having ports open/forwarded. No special configuration required on the DC..VPN done entirely just by the router. Dunno about the DLink one though..not fond of that brand, so I haven't tried their VPN equipment.
 
Right, which is why I recommended disabling the firewall as a test, if it still doesn't work, that problem has been eliminated.

I don't like DLink, I mentioned it above. DLink has burned me in the past, and frankly, money talks. When DLink won't fess up to a design problem and I have to replace the device... again...
 
i already answered the ipconfig question in the diagram.

server AD is only 10.0.0.1 w/255.0.0.0

remote VPN user has 10.0.0.201 through 254. w/255.0.0.0 via the VPN connection.

if no firewall, when i use the regular VPN routing in w2k3, VPN works.
 
JediFonger said:
i already answered the ipconfig question in the diagram.

server AD is only 10.0.0.1 w/255.0.0.0

remote VPN user has 10.0.0.201 through 254. w/255.0.0.0 via the VPN connection.

if no firewall, when i use the regular VPN routing in w2k3, VPN works.

The diagram does not have information such as DNS and default gateway information for each system.

Post an IPconfig /all for the server, internal lan computer, and VPN user when connected via VPN.

If you are unwilling to cooperate then don't expect much help.
 
that's a class A ip.

re: info, i already have everything. no need to do ipconfig.

10.0.0.1 is the DNS server for everything inside the firewall, outside the firewall.

the gateway is 10.0.0.3 (aka the router) for the inside and the same for remote VPN user when he is connected.

if this is so common, those configs would also be common.
 