<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Unable to ping the tunnel address of a Demand Dial Connection on Windows Server 2008 RRAS</title><link>http://blogs.technet.com/b/networking/archive/2008/11/07/unable-to-ping-the-tunnel-address-of-a-demand-dial-connection-on-windows-server-2008-rras.aspx</link><description>Problem Description When a demand dial connection is set up between two RRAS servers, each server receives an address from the pool of available addresses located on the server it is connecting to. When Server 2003 servers are used on both ends of the demand</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: Unable to ping the tunnel address of a Demand Dial Connection on Windows Server 2008 RRAS</title><link>http://blogs.technet.com/b/networking/archive/2008/11/07/unable-to-ping-the-tunnel-address-of-a-demand-dial-connection-on-windows-server-2008-rras.aspx#3309482</link><pubDate>Sat, 30 Jan 2010 05:23:07 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3309482</guid><dc:creator>Ben Benson</dc:creator><description>&lt;p&gt;Thank you very much for the solution. It is the only one I have found. We have 12 Windows 2003 VPN servers and there is a need to upgrade the hardware as well as the OS. 
This solution will allow us to do that within our budget.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3309482" width="1" height="1"&gt;</description></item><item><title>re: Unable to ping the tunnel address of a Demand Dial Connection on Windows Server 2008 RRAS</title><link>http://blogs.technet.com/b/networking/archive/2008/11/07/unable-to-ping-the-tunnel-address-of-a-demand-dial-connection-on-windows-server-2008-rras.aspx#3297128</link><pubDate>Mon, 30 Nov 2009 09:51:17 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3297128</guid><dc:creator>Jon Redwood</dc:creator><description>&lt;p&gt;SBS setup wizard disables the second NIC as an unsupported scenario. How's that for logic!&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3297128" width="1" height="1"&gt;</description></item><item><title>re: Unable to ping the tunnel address of a Demand Dial Connection on Windows Server 2008 RRAS</title><link>http://blogs.technet.com/b/networking/archive/2008/11/07/unable-to-ping-the-tunnel-address-of-a-demand-dial-connection-on-windows-server-2008-rras.aspx#3194025</link><pubDate>Thu, 29 Jan 2009 02:43:44 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3194025</guid><dc:creator>peterdoo</dc:creator><description>&lt;p&gt;The explanation for the reason why the route should not be added automatically by Windows 2008 (security) is completely wrong here.&lt;/p&gt;
&lt;p&gt;Using 2 or 1 NICs does not change anything. The problem is not that anybody from corp9.local would like to access the resources on the RRAS1 server (normally nobody even knows the IP that RRAS2 assigns to RRAS1).&lt;/p&gt;
&lt;p&gt;The real problem is that the RRAS1 server itself has to access resources inside corp9.local behind the server RRAS2 (either it has to contact AD servers there, deliver e-mail by SMTP, replicate a DFS folder, RDP, ...). As soon as that is necessary, RRAS1 will always initiate the IP connection to the corp9.local subnet using as source IP its IP from the corp9.local subnet that was assigned to it by RRAS2. However, as RRAS2 has not added the route to that IP, nobody from corp9.local can reply to RRAS1. So RRAS1 is not able to contact the corp9.local subnet even though it has a route to there available.&lt;/p&gt;
&lt;p&gt;So the &amp;quot;feature&amp;quot; that should prevent using resources on RRAS1 from the other side actually prevents RRAS1 from accessing resources on the other side. What was intended to be prevented is, however, still possible. Anybody from the other side of the DoD connection can access resources on RRAS1 using its normal fixed IP inside the corp1.local subnet (192.168.1.30 in the example above).&lt;/p&gt;
&lt;p&gt;No security improvement at all but many problems caused.&lt;/p&gt;
&lt;p&gt;This is like saying that nobody will enter my house through the garden door, so I will make the door in such a way that it will not be possible to enter there. OK, but I like to go out to the garden through that door. Now that the door is shut down for entry, as soon as I go out I cannot return into my house anymore.&lt;/p&gt;
&lt;p&gt;I hope that the automatic addition of the route can be implemented again. Alternatively, Windows 2008 could be taught to never use the IP assigned by another RRAS server as source IP in TCP/IP communications.&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3194025" width="1" height="1"&gt;</description></item><item><title>BlogMS Weekly Articles Published – 3rd November 2008 to 9th November 2008</title><link>http://blogs.technet.com/b/networking/archive/2008/11/07/unable-to-ping-the-tunnel-address-of-a-demand-dial-connection-on-windows-server-2008-rras.aspx#3150348</link><pubDate>Mon, 10 Nov 2008 12:45:46 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3150348</guid><dc:creator>BlogMS - Official Microsoft Team Blogs</dc:creator><description>&lt;p&gt;203 Microsoft Team blogs searched, 88 blogs have new articles in the past 7 days. 252 new articles found&lt;/p&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3150348" width="1" height="1"&gt;</description></item><item><title>Unable to ping the tunnel address of a Demand Dial Connection on Windows Server 2008 RRAS | MS Tech News</title><link>http://blogs.technet.com/b/networking/archive/2008/11/07/unable-to-ping-the-tunnel-address-of-a-demand-dial-connection-on-windows-server-2008-rras.aspx#3149279</link><pubDate>Fri, 07 Nov 2008 20:51:25 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3149279</guid><dc:creator>Unable to ping the tunnel address of a Demand Dial Connection on Windows Server 2008 RRAS | MS Tech News</dc:creator><description>&lt;p&gt;PingBack from &lt;a rel="nofollow" target="_new" href="http://mstechnews.info/2008/11/unable-to-ping-the-tunnel-address-of-a-demand-dial-connection-on-windows-server-2008-rras/"&gt;http://mstechnews.info/2008/11/unable-to-ping-the-tunnel-address-of-a-demand-dial-connection-on-windows-server-2008-rras/&lt;/a&gt;&lt;/p&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3149279" width="1" height="1"&gt;</description></item></channel></rss>