Re: Win2k Ras/VPN and a SCO Unix Machine and some difficulty getting to the SCO Machine [LONG]
- From: "Bob Bailin" <72027.3605@xxxxxxxxxxxxxx>
- Date: Mon, 13 Feb 2006 19:41:30 GMT
"Brian Keener" <bkeener@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:VA.000012bd.007a2e42@xxxxxxxxxxxxxxxxxxxxxxxx
First let me say I am sorry for the length of this but I wanted to provide as much info as possible. I have a client that has a Compaq system running SCO Unix 5.0.7 system in conjunction with a Win2k system providing VPN access.

#uname -X
System = SCO_SV
Node = theirnode
Release = 3.2v5.0.7
KernelID = 2003-02-18
Machine = Xeon
BusType = ISA
Serial = XXXXXXXXXXX
Users = 30
OEM# = 0
Origin# = 1
NumCPU = 1

The bulk of their processing is done via dumb terminal connections but they also have a few in-house workstations connected via ethernet and then DSL/Broadband access via Windows VPN. There is a Netopia DSL modem, a Linksys hub (acting as a hub, router and gateway), a Linksys wireless Access Point and a Windows 2000 system which is the VPN server and also handles some DNS functions. The Windows 2k machine has 2 NICs - one classed as WAN and one as LAN but they are on the same subnet (as you will see). Our problem is that while the internal network connections all work flawlessly the connections via the VPN are really a hit and miss sort of thing. It always seems, and my testing seems to confirm, that we can get to the VPN server on the Win2k box and get an IP address (using DHCP via the VPN) but then we will only be able to ping the NIC cards the Win2k machine possesses or the Linksys routers (which we had to go through to get to the VPN box anyways) but our access to the SCO Unix box will fail while trying to connect - pings will fail as well. As I say it is hit and miss - sometimes connecting to SCO works without a hitch but then others it seems there are either extensive pauses or no connect at all. It seems we can always see the Win2k machine and when attempting to reach the SCO machine, if it fails, several attempts (full disconnect and reconnect) will ultimately get you in. It also seems as if we can ping one of the Win2k NICs but not the other - this I wonder as well if it is because they are on the same subnet.

The entire network is currently set up to run on the 192.168.1. subnet but I have gotten several opinions and found some research indicating that for the entire network to be on the one subnet with the type of configuration they have is a poor setup and that it should be broken into 2 or more subnets because of the VPN, the wireless DHCP connections and the internal fixed IP addresses. The following network configuration and IP addresses will, I think, make clear to many of you who are more network savvy than we are why we are into that thought process. We also found several Microsoft Knowledge Base articles which seem to confirm issues with VPN when used with DNS and DHCP on the same server in a Microsoft environment when all the devices are on the same subnet.

The client's network configuration is as follows and except where noted (the VPN on the Win2k machine) all network setup uses a netmask of 255.255.255.0:

DSL line into Netopia/Cayman 3347W modem.

Ethernet from modem to Linksys BEFSR11 wired router (192.168.1.254). This is a two port device - one port for the WAN in and one for Ethernet out. Gateway mode, handles DHCP requests for the network (range 192.168.1.100 for 50 ports) and also acts as DNS with its DNS set to itself.

Ethernet from router to Linksys BEFW11S4 wireless router (192.168.1.250). This is a 4 port device - one port for the WAN and 4 for ethernet. Gateway mode. DNS set to point to .254.

Ethernet from wireless router to HPJ3289A hub.

SCO Unix machine (192.168.1.245) is connected to hub, gateway set to .254 and uses resolv.conf for DNS, also pointing at .254.

Both NICs on the Windows 2k machine connected to hub:
192.168.1.252 LAN: uses a gateway of .254 but set to use itself for DNS.
192.168.1.253 WAN: uses .254 for the gateway and for DNS.

192.168.1.192 is the target IP for the VPN with a mask of 255.255.255.224 and the range of VPN IP addresses is from 192.168.1.200 to 192.168.1.219 with the 200 being reserved for the VPN server IP. I noticed the target IP in Microsoft VPN during a check of their configuration and after some research using various subnet calc programs it appears that that IP is chosen because it is the low address in the subnet range we requested for the VPN. It appears Windows bases the target IP and netmask on our selected range of a start and end of 192.168.1.200 to 192.168.1.219 - not sure why this is or how it impacts the setup but that is what it does and as I say the numbers do appear to coincide with making a small network (subnet) within the larger 192.168.1 network.

Try changing the subnet mask for the VPN to 255.255.255.0. Now all VPN addresses will be able to reach any other address in 192.168.1.x, assuming you've set that option on the Win2K VPN server.

I am told that both the WAN and the LAN NIC on the same subnet is a problem and it makes sense to me why it would be - not sure why it was set up this way in the first place. I also imagine the LAN NIC set to use itself for DNS is probably also a problem and the VPN on the same subnet could also be confusing.

My apologies but I honestly cannot remember which, but one of the Linksys devices handles the port forwarding to get the VPN traffic to the Win2k machine as it needs to be; I know one is set for port forwarding and they are both capable.

As I said, at times you can access (i.e. ping for testing) the Linksys (.254) and one of the Windows WAN (.253) and LAN (.252) but you cannot get to the SCO machine (.245), and then at times all is well. Now I have also been connected via the VPN when I cannot connect to the SCO machine and called someone on-site and had them ping the SCO machine from the Windows server, and the ping is successful, so the Windows 2k machine and SCO Unix machine are still talking but it appears the VPN is failing. Obviously I think the problem is with the VPN software and research of Microsoft Knowledge Base articles would seem to confirm that. There are several articles that reference Windows machines being the PDC and doing DNS and VPN and using a subnet within the existing subnet ("On Subnet"). According to Knowledge Base article 171185 from Microsoft, having an "On Subnet" VPN is acceptable. It also mentions that this is commonly accomplished by letting VPN IP addresses be handed out using DHCP. However, there also appear to be connection issues when the Windows server handling VPN is also a DNS server or the PDC (Primary Domain Controller). According to Microsoft Knowledge Base articles 292822, 830063 and 289735 there have been various types of connection issues when the above is true. Among other suggestions (some involving the registry) there is also one advising to change the IP static address range for the VPN to an "Off Subnet" network. This is in some cases part of a larger fix and in one of the articles it was actually an alternate fix.

Two thoughts I had on eliminating some of the potential problem were: 1) reassign the DHCP range to the 150 range or so and put the VPN below it at 100 or 50 or something and then we can reassign netmasks on the rest of the network so we end up with two subnets, not one inside the other - all the DHCP and VPN on a low subnet and the servers on a high subnet. Since our servers and routers are at the high end this would allow two subnets but it would also require a netmask change on the SCO machine - that I am not thrilled with. 2) I had also thought about simply moving the VPN to say the 192.168.2.200 to 192.168.2.219 subnet and see if that helps but then I am sure I will run into routing issues getting connections to and from the SCO Unix box to the VPN connections since Windows will probably not handle the routing between its own VPN and its LAN NIC which would be on 192.168.1. I have also thought that in addition to that I would move the WAN NIC of the Windows machine and the Linksys routers (actually only one and lose the other - we do not need them both) to the 192.168.3 subnet but then that really compounds my routing issues as I will now have 3 subnets, but my thoughts on this from what I have read is that this is the best way to go.

I had thought I would attempt the VPN change first (#2 above) and then depending on the results I would consider (if still necessary) changing the WAN NIC and the Linksys router and changing my routes and gateways accordingly. I really am trying to stay away from mucking with the SCO IP addresses and netmask.

I am hoping someone can offer some further insight as to the most appropriate changes to make and what routes I need or someplace I can go to research how you determine routes, and then I would also like some discussion on their network setup as a whole and how to improve or eliminate these glitches.

Thanks to all for any suggestions, insight, and info.
Bob
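The subnet arithmetic behind this exchange, as an added example that is not part of either post: with Python's standard ipaddress module it checks, for the addresses Brian lists (the host table below is constructed from his post; the client address .201 is an assumption), which hosts sit inside a VPN client's own on-link prefix under the 255.255.255.224 (/27) mask the server derived versus the 255.255.255.0 (/24) mask Bob suggests; it also computes the smallest CIDR block covering a pool, which reproduces the 192.168.1.192/27 the post observed for the .200-.219 pool, and checks whether a candidate VPN pool collides with the wired Linksys DHCP scope (.100 for 50 addresses, per the post). Whether a host outside the client's on-link prefix is still reachable depends on the client's route toward it and on the RRAS server forwarding the traffic, which the code does not model.

```python
import ipaddress
from typing import Dict, Tuple

# Host addresses as given in the thread (table constructed for this example).
HOSTS: Dict[str, str] = {
    "linksys wired router (.254)": "192.168.1.254",
    "linksys wireless router (.250)": "192.168.1.250",
    "sco unix (.245)": "192.168.1.245",
    "win2k LAN nic (.252)": "192.168.1.252",
    "win2k WAN nic (.253)": "192.168.1.253",
}

# DHCP scope the wired Linksys hands out: 192.168.1.100, 50 addresses (from the post).
DHCP_SCOPE: Tuple[str, str] = ("192.168.1.100", "192.168.1.149")
# Static VPN pool the Win2k RRAS server was configured with (from the post).
VPN_POOL: Tuple[str, str] = ("192.168.1.200", "192.168.1.219")


def on_link_hosts(client_ip: str, prefixlen: int,
                  hosts: Dict[str, str] = HOSTS) -> Dict[str, bool]:
    """For a VPN client holding client_ip with the given prefix length, say which
    hosts sit inside the client's own on-link prefix (i.e. need no gateway)."""
    net = ipaddress.ip_interface(f"{client_ip}/{prefixlen}").network
    return {name: ipaddress.ip_address(ip) in net for name, ip in hosts.items()}


def covering_prefix(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest CIDR block that contains every address from first to last.
    For the .200-.219 pool this is 192.168.1.192/27, i.e. the 'target IP' and
    255.255.255.224 mask the post reports the server derived from that pool."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError("pool end precedes pool start")
    net = ipaddress.ip_network(f"{a}/32")
    while b not in net:          # widen one bit at a time until both ends fit
        net = net.supernet()
    return net


def pools_overlap(pool_a: Tuple[str, str], pool_b: Tuple[str, str]) -> bool:
    """True if two inclusive address ranges share at least one address."""
    a1, a2 = (ipaddress.ip_address(x) for x in pool_a)
    b1, b2 = (ipaddress.ip_address(x) for x in pool_b)
    return a1 <= b2 and b1 <= a2


def report(client_ip: str = "192.168.1.201") -> None:
    """Print the comparison for one VPN client address from the pool (.201 assumed)."""
    for plen in (27, 24):
        net = ipaddress.ip_interface(f"{client_ip}/{plen}").network
        print(f"client {client_ip}/{plen} on-link prefix: {net}")
        for name, ok in on_link_hosts(client_ip, plen).items():
            print(f"  {name:32s} {'on-link' if ok else 'needs a route'}")
    print("pool", VPN_POOL, "is covered by", covering_prefix(*VPN_POOL))
    print("VPN pool overlaps DHCP scope:", pools_overlap(VPN_POOL, DHCP_SCOPE))
    # Brian's first idea taken literally, with the DHCP scope left where it is:
    print("VPN at .100-.119 overlaps DHCP scope:",
          pools_overlap(("192.168.1.100", "192.168.1.119"), DHCP_SCOPE))


if __name__ == "__main__":
    report()
```

Under /27 every listed host (.245 through .254) lies outside the client's 192.168.1.192/27 prefix, so the client has to be routed to them; under /24 they are all on-link, which is the effect Bob's mask change is after. The overlap check is the thing to run before moving the VPN pool down into the .100 range, since the Linksys scope already occupies .100-.149 unless it is moved first.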