| Tags: l2tpipsec, vpn |
#1
L2TP/IPSEC SITE TO SITE VPN Issues

Hello, I currently have two VPN servers with Windows 2003 Server R2. One is a VM machine while the other is a physical server. Each server has one NIC configured with a local IP assigned. The main site has port forwarding enabled directed at the VPN server and has local network ID of 192.168.1.0. The remote site has port forwarding enabled directed at the remote VPN server and has local network ID of 192.168.2.0. All certificates are installed on each machine and the demand-dial interface is up and running. From the main site VPN server I can access the remote network resources and vice versa. The problem I have is that these two servers are the only ones that communicate with each other. For example, on one of the main site computers I try to ping the other network and I get no response, nor can I access shares. Like I said before, each server has one NIC installed and has direct access to its respective network. There are no perimeter networks on each side. The basic network setup is a router with port forwarding of UDP 500 and UDP 4500 ports to the VPN routers. What I want is for every computer on both networks to be able to access each other's resources. I suspect it's because I have one NIC installed on each VPN server and routing. On both demand dials I set up static routes pointing to the other network IDs. Can you guys please help?

Thanks
#2
Re: L2TP/IPSEC SITE TO SITE VPN Issues

Have you enabled IP routing? Or use tracert to find out where the traffic stops.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
#3
Re: L2TP/IPSEC SITE TO SITE VPN Issues

Yes, I enabled IP routing on both servers. The tracert goes to my router and then times out.

Thanks

On Oct 16, 2:20 pm, "Robert L. (MS-MVP)" <findem...@chicagotech.net> wrote:
> Have you enabled IP routing? Or use tracert to find out where the traffic
> stops.
#4
Re: L2TP/IPSEC SITE TO SITE VPN Issues

On the VPN servers it works perfectly, just not the client. I think the clients need to point to the VPN server for gateway but that will disable Internet access.

On Oct 16, 2:20 pm, "Robert L. (MS-MVP)" <findem...@chicagotech.net> wrote:
> Have you enabled IP routing? Or use tracert to find out where the traffic
> stops.
#5
Re: L2TP/IPSEC SITE TO SITE VPN Issues

"JoeyG 2391" <joel.escutia@gmail.com> wrote in message news:48feef11-ba17-41a2-879b-38a318f159a5@r66g2000hsg.googlegroups.com...
> On the VPN servers it works perfectly, just not the client. I think
> the clients need to point to the VPN server for gateway but
> that will disable Internet access.

That is correct. If you set the client default gateway to the VPN server, site to site routing will work but Internet access will fail. The VPN point to point link is from RRAS router to RRAS router.

What you need to do is add a static route to the gateway router to redirect the private traffic to the VPN router. The packets must go to the VPN router before they reach the gateway router to be encrypted and encapsulated. If a private address packet goes directly to the gateway router it will be discarded (because the Internet will not allow private addresses).

On each gateway router install a static route to redirect traffic for the "other" site's private subnet to the VPN router. All other traffic will go out through the gateway. VPN traffic will be bounced to the VPN router first.
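The routing behaviour discussed in this thread, as an added example that is not part of any original post: a small longest-prefix-match simulation that reproduces the tracert symptom (client, gateway, then nothing) and shows the path once each gateway has a static route for the other site's subnet. The two subnets come from the thread; the node names and host addresses are constructed assumptions.

```python
import ipaddress

SITES = {"main": "192.168.1.0/24", "remote": "192.168.2.0/24"}  # subnets from the thread

def build_tables(static_route_on_gateways):
    """Per-node route tables as (prefix, next hop) pairs. Node names are constructed."""
    tables = {}
    for site, other in (("main", "remote"), ("remote", "main")):
        local, far = SITES[site], SITES[other]
        # Clients keep the gateway router as default gateway (Internet still works).
        tables[f"pc-{site}"] = [(local, "on-link"), ("0.0.0.0/0", f"gw-{site}")]
        tables[f"gw-{site}"] = [(local, "on-link"), ("0.0.0.0/0", "internet")]
        if static_route_on_gateways:
            # The fix: other site's subnet is redirected to the local VPN server.
            tables[f"gw-{site}"].append((far, f"vpn-{site}"))
        # RRAS server: static route to the other site over the demand-dial link.
        tables[f"vpn-{site}"] = [(local, "on-link"), (far, f"vpn-{other}"),
                                 ("0.0.0.0/0", f"gw-{site}")]
    return tables

def next_hop(table, dst):
    """Longest-prefix match over one node's route table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from a node until delivery, drop, or the hop limit."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop == "on-link":
            return path + ["delivered"]
        if hop == "internet":
            # Private destinations are not routed on the Internet.
            private = ipaddress.ip_address(dst).is_private
            return path + ["internet", "dropped" if private else "delivered"]
        path.append(hop)
        node = hop
    return path + ["loop"]

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, trace(build_tables(fixed), "pc-main", "192.168.2.50"))
```
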
#6
Re: L2TP/IPSEC SITE TO SITE VPN Issues

Check my answer on this link: L2TP/IPSEC SITE TO SITE VPN Issues http://www.chicagotech.net/netforums...hp?p=8175#8175

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

"JoeyG 2391" <joel.escutia@gmail.com> wrote in message news:53a05ca2-c64b-4591-95c0-288462956fc0@j68g2000hsf.googlegroups.com...
> Yes, I enabled IP routing on both servers. The tracert goes to my router
> and then times out.
>
> Thanks