Define encryption domain / interesting traffic on windows VPN

syntax

OK, firstly, it has to use the Windows VPN component.
OpenVPN etc. cannot be loaded.

I need to define interesting traffic / encryption domain on this server.
The tunnel creates between the two servers, no issue.
I have a one way NAT in between them.
So the tunnel establishes as example:

Server A: 10.0.0.1
Firewall: NAT 10.0.0.1 -> 172.16.0.1
Server B: 192.168.0.1


When A initiates to B, traffic flows from A to B.
B cannot connect to 10.0.0.1, because it sees 172.16.0.1 and does not know to send 10.0.0.1 through the tunnel.

I need to specify 10.0.0.1 traffic must go through the tunnel...
how do you do this?

Anyone?
 
So far I only have two ideas.
1. Create a virtual interface on the server and use this as a VTI for the tunneling.

2. I found something which suggests you can route the network to the NAT'd IP of the other termination point. What bothers me about this is how does the server know to encrypt this traffic, and not just send it out. I guess that it might have some kind of application intelligence which will see the route, wonder how the hell it should get there, realise it has a tunnel to that IP, and send it through the tunnel..

Will let the guys test and see what happens... MS tunneling sucks
 
Sigh..

The MS guys, after me insisting there must be some way to define the encryption domain, eventually found out that you can do it in the policies.
 
Are you using Windows 2003 RRAS?

Configure the other site to dial in to the IP given to the server from the other server.

Example: site A: Server IP with DHCP 10.0.0.1
Site B with IP 172.0.0.1 connects via VPN to Server on site A and gets an IP from Site A 10.0.0.5
Create another connection on Site A to VPN into 10.0.0.5

Add static route in RRAS..

Server @ A: IP 172.0.0.0, Subnet 255.255.255.0 route over the VPN interface.
Server @ B: IP 10.0.0.0, Subnet 255.255.255.0 route over the VPN interface.

Under the NAT and Firewall config tab:

Add the VPN connections on both the servers and enable NAT
 
Trust needs to be established both ways between the servers.
I tried to ask them to just add another IP on the interface, but multi-homing is apparently not allowed on a DC.

In any case, I have given up trying to help the MS guys with this.
Thanks for the reply though!
 
Let me try and rephrase: if you dial a VPN connection into a RRAS server, you get an IP from that server for that interface. Use that IP on the other server to dial into that interface.

I know this is not the right way but it works.

Network A / Server A, external IP 196.215.14.1, dials into Network B / Server B, external IP 196.213.54.12, and gets IP 192.168.1.6 (make this static) from Server B

On Network B / Server B dial into 192.168.1.6

Setup NAT

Done
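As an added illustration (not code from the thread), here is a small model of why the RRAS static routes in the two replies above are what makes the remote LAN "interesting traffic": with a dial/demand-dial VPN the tunnel carries whatever longest-prefix routing hands to the VPN (PPP) interface, so without the static route Server B sends 10.0.0.1 out its LAN default route instead of into the tunnel. The routing tables below are constructed and reuse the thread's 10.0.0.0/24 and 172.0.0.0/24 addressing.

```python
import ipaddress

# Constructed routing tables (example, not from the original post).
# Each entry is (prefix, interface): "LAN" is the physical NIC with the
# default route to the firewall, "VPN" is the RRAS dial-in/demand-dial interface.

def lookup(routes, dst):
    """Longest-prefix match: return the interface that will carry packets to dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def tunnelled(routes, dst):
    """True only if the route selects the VPN interface, i.e. the packet is encrypted."""
    return lookup(routes, dst) == "VPN"

def encryption_domain(routes):
    """The prefixes bound to the VPN interface are the effective encryption domain."""
    return sorted(prefix for prefix, iface in routes if iface == "VPN")

SITE_A_LAN = "10.0.0.0/24"   # thread: Site A, server 10.0.0.1
SITE_B_LAN = "172.0.0.0/24"  # thread: Site B, server 172.0.0.1

# Site B before the fix: its own LAN plus a default route out of the NAT firewall.
# The NAT'd address 172.16.0.1 it sees for Server A is reachable, but 10.0.0.1 is not.
site_b_before = [(SITE_B_LAN, "LAN"), ("0.0.0.0/0", "LAN")]

# After "Add static route in RRAS" on both servers, pointing the remote LAN at the
# VPN interface (the /24 subnet 255.255.255.0 from the reply).
site_b_after = site_b_before + [(SITE_A_LAN, "VPN")]
site_a_after = [(SITE_A_LAN, "LAN"), ("0.0.0.0/0", "LAN"), (SITE_B_LAN, "VPN")]

if __name__ == "__main__":
    print("B -> 10.0.0.1 before:", lookup(site_b_before, "10.0.0.1"))  # LAN (clear, untunnelled)
    print("B -> 10.0.0.1 after: ", lookup(site_b_after, "10.0.0.1"))   # VPN
    print("A -> 172.0.0.1 after:", lookup(site_a_after, "172.0.0.1"))  # VPN
    print("B encryption domain:", encryption_domain(site_b_after))
```

Internet-bound traffic still leaves via the default route, which is why each side needs its own static route for the far LAN rather than a blanket default through the tunnel.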
 