Iptables – I can connect, but cannot ping/route to remote VPN computers

Tags: domain-name-system, iptables, l2tp, routing, vpn

Setup:

L2TP VPN Server on a Windows Server 2008 machine which is behind a router, which is behind a modem/router.

Modem/Router (IP: 192.168.2.1, Subnet: 255.255.255.0, DHCP serves 192.168.2.2 to router)
—-|_ Router (IP: 192.168.2.2, Subnet: 255.255.255.0, Sub LAN IP: 192.168.0.1, Sub LAN Subnet: 255.255.255.128, DHCP serves 192.168.0.* to computers)
————|_ Windows Server 2008 (IP: 192.168.0.3, Subnet: 255.255.255.128, serves VPN IP address from pool…192.168.0.130 – 192.168.0.140)

The router sets WS2008 as the primary DNS, WS2008 forwards queries back to router for failures. See this post for clarification.

I can connect to the VPN just fine; this is the result of ipconfig:

PPP adapter Work VPN:

   Connection-specific DNS Suffix  . : ss
   Description . . . . . . . . . . . : Work VPN
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.130(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.0.3
                                       192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

The odd thing is what happens when I look at the gateway for the VPN connection. It's set to 192.168.0.129. I'm new to routing so I don't know what is good/bad when looking at the results of route print. I put XXX.XXX.XXX.XXX in place of my public IP.

===========================================================================
Interface List
 24...........................Work VPN
 16...00 02 76 09 4b b7 ......Bluetooth Device (Personal Area Network)
 14...f4 6d 04 d2 59 74 ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
 10...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  XXX.XXX.XXX.XXX  255.255.255.255      192.168.1.1      192.168.1.2     11
      192.168.0.0    255.255.255.0    192.168.0.129    192.168.0.130     11
    192.168.0.130  255.255.255.255         On-link     192.168.0.130    266
      192.168.1.0    255.255.255.0         On-link       192.168.1.2    266
      192.168.1.2  255.255.255.255         On-link       192.168.1.2    266
    192.168.1.255  255.255.255.255         On-link       192.168.1.2    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.2    266
        224.0.0.0        240.0.0.0         On-link     192.168.0.130    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.2    266
  255.255.255.255  255.255.255.255         On-link     192.168.0.130    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 11     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 11     58 2001::/32                On-link
 11    306 2001:0:9d38:6ab8:880:caa:e7c6:9416/128
                                    On-link
 14    266 fe80::/64                On-link
 11    306 fe80::/64                On-link
 11    306 fe80::880:caa:e7c6:9416/128
                                    On-link
 14    266 fe80::8184:12a1:9307:968a/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    306 ff00::/8                 On-link
 14    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

The IPs 192.168.1.* are from the client network (the computer I'm using VPN on to connect to the remote VPN). Shouldn't this route (192.168.0.0 255.255.255.0 192.168.0.129 192.168.0.130) be on subnet 255.255.255.128 or am I missing something with regards to routing and VPN?

NAT is active on both the modem and router. I'm not sure what part this has to play with regards to security/connectivity and what I should do with it. Ports 500, 1701, 4500 are forwarded on the router to 192.168.0.3, which I'm guessing is why I can connect in the first place. The router is set to be DMZ on the modem. L2TP passthrough is enabled on the router (no option for this on the modem). SPI firewall is enabled on router. Again, I don't know if this affects anything.

I get a request timeout when attempting tracert to 192.168.0.3. I also cannot even ping the VPN gateway. The VPN server cannot ping the assigned IP address of the client.

I hope this information helps, I can't think of anything else to mention at the moment. To summarize my problem, I can connect to the VPN but I can't do anything when I'm in. No ping, no DNS, no access via computer names, nothing.

Best Answer

Turns out the clients can connect and routing is fine, but the client was being quarantined by NPS (Network Policy Server). Originally I had installed NPS and then uninstalled it during troubleshooting. Only when reinstalling it do I see the RRAS logs mentioning that the client has been quarantined. The client had the 'VPN Non-NAP Capable' status and the policy with regards to that status was to provide limited network access, not full network access. I changed the policy and it's working now.

Another issue might have been my subnet mask. IP addresses beyond .127 would not be able to communicate with IPs below .128 due to the subnet mask 255.255.255.128, even though the subnet (192.168.0.*) and subnet mask (255.255.255.128) were the same.
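To check both points raised above (whether the client's 192.168.0.0/24 route via 192.168.0.129 actually covers 192.168.0.3, and whether a 255.255.255.128 mask splits .3 and .130 into different subnets), here is an added worked example that is not part of the question or the answer. It transcribes the active IPv4 routes from the question's route print output (the public-IP line is left out) and assumes Windows' usual longest-prefix-match with metric as tie-breaker.

```python
import ipaddress

# Active IPv4 routes transcribed from the question's 'route print' output
# (constructed sample for this example; the XXX.XXX.XXX.XXX host route is omitted).
# Tuple layout: (destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0",       "0.0.0.0",         "192.168.1.1",   "192.168.1.2",   10),
    ("192.168.0.0",   "255.255.255.0",   "192.168.0.129", "192.168.0.130", 11),
    ("192.168.0.130", "255.255.255.255", "On-link",       "192.168.0.130", 266),
    ("192.168.1.0",   "255.255.255.0",   "On-link",       "192.168.1.2",   266),
    ("192.168.1.2",   "255.255.255.255", "On-link",       "192.168.1.2",   266),
]


def lookup(dst, routes=ROUTES):
    """Return (gateway, interface) chosen for dst: longest prefix wins,
    lower metric breaks ties (assumed to match Windows' selection rule)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return (best[1], best[2]) if best else None


def same_subnet(a, b, mask):
    """True if host b lies in the subnet that host a belongs to under mask."""
    net = ipaddress.IPv4Network(f"{a}/{mask}", strict=False)
    return ipaddress.IPv4Address(b) in net


if __name__ == "__main__":
    # The client's /24 route sends traffic for the server via the VPN gateway.
    print(lookup("192.168.0.3"))        # ('192.168.0.129', '192.168.0.130')
    print(lookup("8.8.8.8"))            # default route via the local router
    # With a /25 mask the VPN pool (.130) and the server (.3) are different subnets,
    # so the server itself must route between them; with /24 they are one subnet.
    print(same_subnet("192.168.0.130", "192.168.0.3", "255.255.255.128"))  # False
    print(same_subnet("192.168.0.130", "192.168.0.3", "255.255.255.0"))    # True
```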