Viewing 7 posts - 1 through 7 (of 7 total)
    #372075
    skrimfid
    Participant

    I set up Server with NAT/Firewall/VPN/DHCP/DNS. NATing works perfectly. Same with the other services. However, when connecting into the VPN via PPTP I’m having an issue. It authenticates without issue and assigns an IP address. However, something is amiss with the routing, is all I can imagine. I can ping the internal address of the server, ssh to the server, ARD into the server. But I can’t see anything behind it and I can’t ping the VPN client from the server. I compared it to another setup that I did and noticed something different in the routing table. On the working configuration the route to the VPN client uses the internal address of the server. On the non-working server it routes to the external interface. It doesn’t paste very well, but the connected client is the 10.0.1.202 address. It’s using the ppp0 interface, but the IP is the Internet address of the server. This is really stumping me, so any help is appreciated.

    Internet:
    Destination Gateway Flags Refs Use Netif Expire
    default 24.73.209.221 UGSc 14 74583 en0
    10.0.1/24 link#5 UCS 1 0 en2
    10.0.1.1 127.0.0.1 UHS 1 7671 lo0
    10.0.1.2 0:1e:52:f6:3e:e8 UHLW 1 96 en2 788
    10.0.1.202 24.73.209.222 UH 3 26516 ppp0
    24.73.209.220/30 link#4 UCS 1 0 en0
    24.73.209.221 0:1c:26:2:3e:6e UHLW 15 0 en0 1197
    24.73.209.222 127.0.0.1 UHS 2 9060 lo0
    127 127.0.0.1 UCS 0 0 lo0
    127.0.0.1 127.0.0.1 UH 1 7481 lo0
    169.254 link#4 UCS 0 0 en0

    Thanks,
    Matthew

    #372087
    deemery
    Participant

    I have a more general question: The guy who originally configured Server for me strongly recommended a separate firewall router (Linksys) with VPN. That box also hands out DHCP addresses on my network for ‘casual use’, but most of the addresses for my (very small) network are hardwired. He got the VPN stuff to work, and then I lost the configuration and I’ve not been able to work out the reconfiguration since. A big part of my problem is that it’s difficult to debug a VPN from -inside- the network.

    What’s the collective experience and advantages/disadvantages of a separate firewall router, vs having Server do this? It seems to me that a division of responsibility and some defense-in-depth is A Good Thing.

    dave

    #372088
    skrimfid
    Participant

    >NAT really complicates this.

    Is it not recommended to run NAT on a VPN server?

    >What’s the IP that the client is getting?

    The client is getting an IP from the pool I assigned in Server Admin, 10.0.1.200-10.0.1.229. This pool is not in the DHCP pool or among the statically assigned IP addresses.

    >What’s the route table on the client?
    Routing table from my system while connected to the VPN:

    Internet:
    Destination Gateway Flags Refs Use Netif Expire
    default 24.73.209.222 UGSc 14 15 ppp0
    10.0.1/24 ppp0 USc 1 0 ppp0
    24.73.209.222 192.168.75.254 UGHS 2321 2311 en1
    127 127.0.0.1 UCS 0 0 lo0
    127.0.0.1 127.0.0.1 UH 5 1445 lo0
    169.254 link#6 UCS 0 0 en1
    192.168.36 link#8 UC 1 0 vmnet1
    192.168.36.255 link#8 UHLWb 0 34 vmnet1
    192.168.74/23 link#6 UCS 13 0 en1
    192.168.74.51 0:17:f2:2:12:9 UHLW 0 208 en1 1111
    192.168.74.53 0:1e:c2:3c:10:e6 UHLW 0 0 en1 724
    192.168.74.85 0:16:17:7e:21:2c UHLW 0 0 en1 971
    192.168.74.100 0:1e:c2:45:a1:33 UHLW 0 0 en1 1098
    192.168.74.114 0:1e:c2:42:b5:6d UHLW 0 0 en1 859
    192.168.74.115 127.0.0.1 UHS 0 0 lo0
    192.168.74.120 0:19:db:c8:91:a1 UHLW 0 0 en1 992
    192.168.74.123 0:1e:c2:3b:72:4f UHLW 0 0 en1 431
    192.168.74.125 0:a0:d1:bd:46:5 UHLW 0 0 en1 1169
    192.168.74.129 0:e:35:fe:e4:39 UHLW 0 0 en1 1169
    192.168.74.131 0:1c:c4:d2:11:47 UHLW 0 0 en1 702
    192.168.75.149 0:17:a4:f0:d6:87 UHLW 0 420 en1 1089
    192.168.75.254 0:8:e3:38:ce:7 UHLW 2 63 en1 1198
    192.168.75.255 link#6 UHLWb 0 34 en1
    192.168.185 link#7 UC 1 0 vmnet8
    192.168.185.255 link#7 UHLWb 0 34 vmnet8

    Internet6:
    Destination Gateway Flags Netif Expire
    ::1 link#1 UHL lo0
    fd02:2b88:295e:b704:21e:c2ff:fe19:bb16 link#1 UHL lo0
    fe80::%lo0/64 fe80::1%lo0 Uc lo0
    fe80::1%lo0 link#1 UHL lo0
    ff01::/32 ::1 U lo0
    ff02::/32 fe80::1%lo0 UC lo0

    Routing table from the server while I’m connected:

    Internet:
    Destination Gateway Flags Refs Use Netif Expire
    default 24.73.209.221 UGSc 60 56645 en0
    10.0.1/24 link#5 UCS 5 0 en2
    10.0.1.1 127.0.0.1 UHS 0 0 lo0
    10.0.1.2 0:1e:52:f6:3e:e8 UHLW 1 16 en2 1014
    10.0.1.11 0:1f:5b:ee:5e:42 UHLW 0 56 en2 986
    10.0.1.109 0:c:6e:67:34:16 UHLW 0 71 en2 1097
    10.0.1.110 0:b:db:d6:e9:b9 UHLW 0 72 en2 1171
    10.0.1.203 24.73.209.222 UH 3 4291 ppp0
    10.0.1.203 0:1f:5b:fe:9b:f6 UHLS2 0 0 en2
    10.0.1.255 ff:ff:ff:ff:ff:ff UHLWb 0 5 en2
    24.73.209.220/30 link#4 UCS 3 0 en0
    24.73.209.221 0:1c:26:2:3e:6e UHLW 51 0 en0 1190
    24.73.209.222 127.0.0.1 UHS 4 1622 lo0
    24.73.209.223 ff:ff:ff:ff:ff:ff UHLWb 0 18 en0
    127 127.0.0.1 UCS 0 0 lo0
    127.0.0.1 127.0.0.1 UH 3 59226 lo0
    169.254 link#4 UCS 0 0 en0

    Internet6:
    Destination Gateway Flags Netif Expire
    ::1 link#1 UHL lo0
    fe80::%lo0/64 fe80::1%lo0 Uc lo0
    fe80::1%lo0 link#1 UHL lo0
    ff01::/32 ::1 U lo0
    ff02::/32 fe80::1%lo0 UC lo0

    >Have you specified any route statements on the VPN server for internal or external subnets?

    Only in Server admin for the VPN Network Routing Definition: 10.0.1.0 255.255.255.0 Private

    Thanks for your help Joel.

    Matthew
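As an added diagnostic for the symptom discussed in this thread (my own example, not code from the thread, from Server Admin or from Apple), the following Python script parses netstat -rn output in the format pasted above and, for each host route on a ppp interface, reports whether the gateway address falls inside a LAN prefix or inside the Internet-facing prefix. The embedded routing table is a constructed sample built from the server table in the first post; it assumes en0 is the external NIC, en2 the LAN NIC and ppp0 the PPTP client link.

```python
import ipaddress

# Constructed sample in the shape of the server's "netstat -rn" output pasted above
# (assumed: en0 is the Internet-facing NIC, en2 the LAN NIC, ppp0 the PPTP client link).
SERVER_ROUTES = """\
default 24.73.209.221 UGSc 14 74583 en0
10.0.1/24 link#5 UCS 1 0 en2
10.0.1.1 127.0.0.1 UHS 1 7671 lo0
10.0.1.202 24.73.209.222 UH 3 26516 ppp0
24.73.209.220/30 link#4 UCS 1 0 en0
24.73.209.222 127.0.0.1 UHS 2 9060 lo0
169.254 link#4 UCS 0 0 en0
"""

def bsd_prefix(dest):
    """Expand BSD shorthand ('10.0.1/24', '169.254') into an ip_network."""
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:                      # classful shorthand: one octet per 8 bits
        plen = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def parse_routes(text):
    """Yield (dest, gateway, flags, netif) for each data row of the IPv4 table."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] != "Destination":
            yield parts[0], parts[1], parts[2], parts[5]

def check_vpn_client_routes(text):
    """For every host route on a ppp interface, report whether its gateway lies in
    a LAN prefix ('internal') or in the Internet-facing prefix ('external')."""
    routes = list(parse_routes(text))
    ext_if = next(n for d, _, _, n in routes if d == "default")
    # Prefixes attached to an interface (gateway 'link#N'); skip link-local 169.254
    attached = [(bsd_prefix(d), n) for d, g, _, n in routes
                if g.startswith("link#") and not d.startswith("169.254")]
    lan_nets = [net for net, n in attached if n != ext_if]
    ext_nets = [net for net, n in attached if n == ext_if]
    findings = []
    for dest, gw, flags, netif in routes:
        if not netif.startswith("ppp") or "H" not in flags:
            continue
        gw_ip = ipaddress.ip_address(gw)
        side = ("internal" if any(gw_ip in n for n in lan_nets)
                else "external" if any(gw_ip in n for n in ext_nets) else "other")
        findings.append((dest, gw, side))
    return findings
```

Feed it the real output of `netstat -rn` from the server and compare the result against the working installation: on the sample above it reports the 10.0.1.202 client route as using the external address, which is the difference the first post describes.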

    #372105
    skrimfid
    Participant

    Any thoughts on this issue Joel?

    #372125
    skrimfid
    Participant

    Well, I’m setting this up for a client and they only have the one system to run Server on and only a single static IP. The funny thing is I’ve set this up successfully twice before and it’s working A-OK! Anything you can point me to would be appreciated.

    Thanks!

    #372135
    skrimfid
    Participant

    I find it kind of ironic that Server has a built-in tool to do just what you’re recommending against. I mean, if VPN and NAT on the same box is a bad idea, why make the Gateway Setup Assistant to help set that up? Or at the very least it should issue a warning or put something in the documentation suggesting an alternate solution. My thinking anyway (for what little that is worth (certainly much less than 2 cents)).

    Matthew

    #374506
    Usbow
    Participant

    Up…

    No solutions for this problem?
