Site-to-site VPN and Demand-dial Remote Access (June 21, 2005)
Published: July 14, 2005
Please note: Portions of this transcript have been edited for clarity.
Introduction
Anne_MSFT (Moderator):
Welcome to today’s chat about “Site-to-site VPNs and demand-dial remote access.” We are pleased to welcome our experts for today. I will have them introduce themselves now.
Joe_MS (Expert):
I am Joe Davies, a technical writer in the Windows Networking and Devices Group. I was the lead author of the "Deploying Virtual Private Networks with Microsoft Windows Server 2003" Microsoft Press book.
Pawan_MS (Expert):
Hi, I am Pawan. I am a tester with the Demand Dial team.
MS_Janani (Expert):
Hi, I'm Janani, a tester in the Routing and Remote Access team.
Srivats_MSFT (Expert):
Hi, I'm Srivats. I'm a developer in Routing and Remote Access Team.
Puja Pandey [MSFT] (Moderator):
Hi, this is Puja. I am a tester in the Networking group.
Anne_MSFT (Moderator):
We will try to answer as many questions as we can today. Participants should type their questions, click “Submit a question,” and click “Send.” Those posts will go into a private queue, from which our experts will draft answers and repost questions in the upper window with their answers. (To confirm: if you clicked “Submit a question” when you posted, you don’t need to resubmit.) We’ll get to them as soon as we can before the end of the chat (11 a.m. Pacific).
Anne_MSFT (Moderator):
We will post a transcript of the upper window within a few days at http://www.microsoft.com/technet/community/chats/trans/default.mspx. Let’s begin the chat.
Start of Chat
MS_Janani (Expert):
Q: I have ISA 2004 installed on my intranet. The client can connect to my network using VPN, but it cannot access any resource. I checked the IP and found that the PPP is in a different subnet (255.255.255.255). The DC is in 255.255.255.0. What's wrong?
A: Hi Fernando, this subnet mask shouldn't be a problem... Try pinging the IP of the internal adapter of the VPN server. If this passes, there is no problem in reaching the VPN server, but there is in accessing the network beyond...
If you are able to ping the server's internal adapter IP, then the problem is that you do not have proper routes configured... In this case, do a pathping -n to verify where the traffic is getting dropped.
Joe_MS (Expert):
Q: Why should the user name of the demand dial connection match the demand dial interface name of the remote router?
A: In order to determine if an incoming connection is a demand-dial connection (a calling router) or a remote access connection (a calling computer), the Routing and Remote Access service tries to match the account name of the incoming authentication credentials to the name of a demand-dial interface. If the account name matches a demand-dial interface, the connection is a demand-dial connection. If not, it is a remote access connection.
MS_Janani (Expert):
Fernando: you mean.. if the VPN client can ping the network card responsible for the Internet connection, it will work. Is it correct?
Puja Pandey [MSFT] (Moderator):
Q: I have ISA 2004 installed on my intranet. The client can connect to my network using VPN, but it cannot access any resource. I checked the IP and found that the PPP is in a different subnet (255.255.255.255). The DC is in 255.255.255.0. What's wrong?
A: On the server, in the command prompt do an 'ipconfig' and note the RAS Dial-in adapter IP address. That is the IP address of the internal adapter on the server.
Puja Pandey [MSFT] (Moderator):
Q: How to Configure NWLink LAN-to-LAN Routing Using Routing and Remote Access Service
A: Refer to the KB article http://support.microsoft.com/default.aspx?scid=kb;en-us;175640
Joe_MS (Expert):
Q: MSDN is too big...please give me some specific pointers...
A: Check out http://www.microsoft.com/technet/community/columns/cableguy/cg1001.mspx, http://technet2.microsoft.com/WindowsServer/en/Library/74f65f37-9482-4316-a2e9-4e1e295457d71033.mspx, and http://www.microsoft.com/windows2000/server/evaluation/features/deplyr2rvpn.asp.
Srivats_MSFT (Expert):
Q: Where can I learn more about how to deploy site-to-site VPN connections?
A: You can learn about Site to Site VPN from this link: http://technet2.microsoft.com/WindowsServer/en/Library/74f65f37-9482-4316-a2e9-4e1e295457d71033.mspx
Puja Pandey [MSFT] (Moderator):
Q: How to Implement RIP over RRAS in Windows 2000
A: Refer to KB article http://support.microsoft.com/default.aspx?scid=kb;en-us;241545. This article discusses how to implement NetWare Router Information Protocol (RIP) over Microsoft Routing and Remote Access Service (RRAS) Dial-on-Demand (DOD) connections in Windows 2000.
Puja Pandey [MSFT] (Moderator):
Q: Proxy Clients Time-Out Using RRAS Demand Dial.
A: Refer to KB article http://support.microsoft.com/default.aspx?scid=kb;en-us;246198. When you install RRAS and IIS Proxy Server on a Windows NT 4.0 server and use RRAS Demand Dial instead of Proxy's Demand Dial, Proxy clients may time out on the *first* attempt to connect to a resource across the demand-dial link.
MS_Janani (Expert):
Q: I also tried to use RRAS, installing it on a domain controller and accessing it from ISA. But a strange result was reached: after this, the ISA server was not able to access Active Directory.
A: Please refer to the following KB article if you have RRAS+ISA and a domain controller on the same machine: http://support.microsoft.com/kb/292822/en-us
Srivats_MSFT (Expert):
Q: What is the difference between "Site to Site VPN" and "Demand Dial" connection?
Puja Pandey [MSFT] (Moderator):
Q: Demand Dialing Cannot Be Triggered with NAT If There Is a Destination Port Number in a Filter?
A: Refer to KB article http://support.microsoft.com/default.aspx?scid=kb;en-us;296529. If you configure network address translation (NAT) on a Windows 2000-based server, the demand-dial interface cannot be initialized with a destination TCP port number from a client computer that is connected to the private local area network (LAN).
Joe_MS (Expert):
Q: When I have a two-way demand-dial connection between Headquarters (HQ) and Branch Office (BO), is there a way to ensure that the connection is always triggered from the HQ?
A: Yes, by configuring the demand-dial interface on the BO router to never initiate a demand-dial connection. You can do this in two ways: (1) by configuring demand-dial filters so that no traffic can initiate the connection; (2) by configuring dial-out hours so that at no time can the BO router initiate the connection. You can configure IP demand-dial filters and dial-out hours from the context menu (right-click) of the demand-dial interface in the Routing and Remote Access snap-in on the BO router.
Pawan_MS (Expert):
Q: I am evaluating Cisco's Dynamic Multipoint VPN and I think it is cool. Does Microsoft have a competitive solution? Can I setup something like this using Microsoft RRAS?
A: More information on demand-dial VPN is available at: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch3_08.asp and http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch3_09.asp. The admin would need to configure a demand-dial connection from each branch office to another branch office as per the topology he desires, and then define the routes that are reachable on this demand-dial connection. When a packet is received by the VPN server that needs routing through the demand-dial connection, the VPN connection is established and the packet routed. When there is no data for an admin-specified duration, the VPN connection is torn down.
Srivats_MSFT (Expert):
Q: What is the difference between "Site-to-Site VPN" and "Demand Dial"?
A: They are used interchangeably in loose terms. Demand dial is a special case of site-to-site VPN, used when you want the connection to be triggered when you have some packets for the remote network. Site-to-site VPN can also be configured to have the connection to the remote router "always up" to make it persistent.
MS_Janani (Expert):
Fernando, can you please explain your problem a little more clearly? Can you ping the VPN server's internal IP from the VPN client by IP?
Anne_MSFT (Moderator):
Q: I'm trying to set up the WinXP PC #1 and modem to auto-answer an incoming call from WinXP PC #2 and permit the caller to control the WinXP PC #1's desktop. How do I get RD to associate itself with a modem connection and auto-answer the call on PC #1?
A: Your question is a bit outside the scope of this chat, but you might try posting it to the newsgroup at http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?dg=microsoft.public.windowsxp.network_web&lang=en&cr=US or the Expert Zone chat room http://www.microsoft.com/windowsxp/expertzone/chats/chatroom.aspx. Thanks.
MS_Janani (Expert):
Q: And you mean the internal IP is the other card (the intranet card) that is not connected to the Internet?
A: Yes. It is the virtual IP that the RRAS server gets as soon as a client is connected to it. When you do an 'ipconfig' you will see it under 'RAS Dial-in Adapter'.
Puja_MSFT (Moderator):
Q: Dial on Demand Works but Connections to the Internet Do Not.
A: Refer to the KB article http://support.microsoft.com/default.aspx?scid=kb;en-us;183170. Dial on Demand (DOD) functions properly, but connections to the Internet do not complete successfully.
Anne_MSFT (Moderator):
Q: Hello.. Could someone tell me how I solve this problem.... secure pages ("Security web Pages") are not opening for me... should I reinstall Windows or is there another way to solve it..? Thanks
A: This chat is in English and about remote access, but you might try posting your question in the Expert Zone chat room http://www.microsoft.com/windowsxp/expertzone/chats/chatroom.aspx or (in Spanish) http://www.microsoft.com/communities/chats/chatrooms/spanish.aspx. Thanks.
MS_Janani (Expert):
Q: I have an issue. I have two servers, one for ISA and another for the domain controller... I would like to know if I should install the ISA client on the ISA server, to allow the server to connect properly to the intranet.
A: Fernando, can you please clarify your question with the topology? What role does the ISA server play? Is it acting as the VPN server? Also, is the problem reaching the intranet from the server itself, or only after the client connects to the server?
MS_Janani (Expert):
Q: And you mean the internal IP is the other card (the intranet card) that is not connected to the Internet?
A: Yes. It's the virtual IP which the VPN server gets after a client connects.
Anne_MSFT (Moderator):
Users foder: this chat is about remote access. Please take your question to the newsgroups or the Expert Zone chat room ( http://www.microsoft.com/windowsxp/expertzone/chats/chatroom.aspx). Thanks.
Puja_MSFT (Moderator):
Q: Domain Name System Zone Transfer May Not Work Over Dial-On-Demand Connection
A: A Domain Name System (DNS) zone transfer over a dial-on-demand (DOD) connection may not work. This problem may occur under any of the following situations: When you create a secondary zone. See KB article http://support.microsoft.com/default.aspx?scid=kb;en-us;232186
Srivats_MSFT (Expert):
Q: Janani.. Is it possible to simulate a VPN connection while being on the intranet?
A: Fernando, can you elaborate on why you need to initiate a VPN connection from the intranet? This is possible as long as you can route packets from the client to the VPN server.
Puja_MSFT (Moderator):
Q: How to Use OSPF with RRAS Demand-Dial and VPN Connections?
A: See http://support.microsoft.com/default.aspx?scid=kb;en-us;200834. This article describes how to implement Open Shortest Path First (OSPF) over Routing and Remote Access Services (RRAS) Dial-on-Demand (DOD) connections.
MS_Janani (Expert):
Q: Yes, Janani.. It is acting as a VPN server.. I believe only the VPN clients have problems accessing the internal network.
A: Can you access the internal network from the VPN server? If yes, can you access the internal resources from the VPN clients using the IP address? If yes, then it's a name resolution issue. If not, it is an IP routing issue.
Puja_MSFT (Moderator):
Q: Why Does a Demand-Dial Interface with Multiple Modems Hang If No Modems Are Functioning?
A: See KB http://support.microsoft.com/default.aspx?scid=kb;en-us;309478. When you use the Routing and Remote Access feature of Windows 2000 to create a demand-dial interface that is associated with multiple modems, and you select the Dial Only First Available Device option, the demand-dial interface may remain in a connecting state (hang) indefinitely if none of the modems are functioning. You do not receive any error message.
MS_Janani (Expert):
Fernando, as time is running out now, please check all the above points, and if your problem is still not solved, you can post your queries in the newsgroup microsoft.public.win2000.ras_routing.
Srivats_MSFT (Expert):
Q: Is there a white paper on how to simulate a VPN on an intranet? Thanks.
A: There is nothing special about VPN on an intranet. If you can route packets from the client to the VPN server, this should just work fine. You can check the following link on Deploying Remote Access VPN: http://technet2.microsoft.com/WindowsServer/en/Library/7159a5cd-530b-4b8f-b54a-9a8adfdeac1b1033.mspx
Joe_MS (Expert):
To simulate VPN connections in a test lab configuration, see the "Step-by-Step Guides" section of http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx.
Anne_MSFT (Moderator):
Thank you for joining us today to chat about “Site-to-site VPNs and demand-dial remote access.” We will post the transcript of the upper window for this chat in a few days at http://www.microsoft.com/technet/community/chats/trans/default.mspx.