Active Directory over RV042 VPN connection not working?

Last response: in Networking
February 2, 2009 7:58:49 PM

Hello everyone,



I am working with the owner of a business with two store locations. At one store location is a Windows Small Business Server. I have two RV042 routers, one at each location. I have set up a Gateway-to-Gateway VPN between the two locations which seems to be working fine. I'm able to ping the server from the other location and all that good stuff.

However when I try to add a computer to my domain it simply won't work. I always get the error "A domain controller for the domain MainLocation could not be contacted."

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

Again, I'm able to ping the server, so at this point I had to take a step back and think. I took down the firewall for both routers with no luck, still the same results.

I really would like to try and figure this out, does anyone have any suggestions? I really can't figure it out if I can ping the server, but it's not a firewall issue.

I appreciate your time and consideration.
February 4, 2009 3:14:53 AM

Your GW-GW VPN connection works fine since ping works between 2 sites.

The problem is most likely DNS and/or WINS resolution. Imagine within only 1 LAN, clients within that LAN are used to resolving DNS/WINS through a DNS/WINS server dedicated to that LAN. The problem arises when the same client tries to resolve a name from LAN 2; it will try to resolve through the same DNS1/WINS1 instead of sending it through the tunnel to DNS2/WINS2.

I guess what you can do is either synchronize the databases of those servers or have only one set of DNS/WINS servers and have everybody resolve through the same set.
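The DNS side of this reply can be made concrete. When a Windows client joins a domain it asks DNS for the domain-controller locator record `_ldap._tcp.dc._msdcs.<domain>` (SRV type 33), and a server that does not host the AD zone answers with RCODE 3 (NXDOMAIN), which Windows surfaces as 9000 + 3 = 9003 = 0x232B, the RCODE_NAME_ERROR code quoted in the question. The following is an added example, not code from the thread: it builds that SRV query, parses a DNS response including a compressed SRV answer, and classifies the result. The domain `mainlocation.local`, the DC host name `sbs.mainlocation.local` and both response packets are constructed for the example.

```python
import struct

# Windows reports a DNS RCODE as Win32 error 9000 + RCODE, so RCODE 3 (NXDOMAIN)
# is 9003 = 0x232B, the RCODE_NAME_ERROR code quoted in the question.
DNS_ERROR_RCODE_BASE = 9000
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPE_SRV, CLASS_IN = 33, 1


def dc_locator_name(domain):
    """SRV owner name a Windows client queries to locate a domain controller."""
    return "_ldap._tcp.dc._msdcs." + domain.lower().rstrip(".")


def encode_name(name):
    """Wire-format (length-prefixed labels, zero terminator) for a DNS name."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_srv_query(name, txid=0x1234):
    """Standard query, recursion desired, one SRV/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_SRV, CLASS_IN)


def parse_response(msg):
    """Parse header, skip the question section, collect SRV answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            answers.append({"priority": prio, "weight": weight, "port": port,
                            "target": target, "ttl": ttl})
        off += rdlen
    return {"id": txid, "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, "?"),
            "win32_error": DNS_ERROR_RCODE_BASE + rcode if rcode else 0,
            "answers": answers}


def diagnose(query, response):
    """Return (verdict, explanation) for a DC-locator lookup."""
    r = parse_response(response)
    if r["id"] != struct.unpack("!H", query[:2])[0]:
        return "mismatched-id", "transaction id differs from the query; ignore this response"
    if r["rcode"] == 3:
        return "nxdomain", ("server answered NAME_ERROR (0x%04X): it does not host the AD zone; "
                            "point the client's resolver at the DC's DNS" % r["win32_error"])
    if r["rcode"] != 0:
        return "error", "server returned " + r["rcode_name"]
    if not r["answers"]:
        return "no-answers", "NOERROR but no SRV record: zone exists but the DC record is missing"
    return "ok", "domain controller record found"


# Constructed sample data (assumed names, not from the thread).
DOMAIN = "mainlocation.local"
QUERY = build_srv_query(dc_locator_name(DOMAIN))
QUESTION = QUERY[12:]

# Answer from a resolver that does not host the AD zone: QR|RD|RA set, RCODE 3.
NXDOMAIN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION

# Answer from the DC's own DNS: one SRV record for the DC, LDAP port 389.
_rdata = struct.pack("!HHH", 0, 100, 389) + encode_name("sbs." + DOMAIN)
GOOD_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                 + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 600, len(_rdata)) + _rdata)

if __name__ == "__main__":
    for label, resp in (("wrong resolver", NXDOMAIN_RESPONSE), ("DC's DNS", GOOD_RESPONSE)):
        print(label, "->", diagnose(QUERY, resp))
```

The practical check is the same one the block encodes: from a client at the second store, ask the DNS server the client is actually configured with for `_ldap._tcp.dc._msdcs.<your domain>`; NXDOMAIN means the client is resolving through a server that knows nothing about the domain, which is exactly the DNS1 versus DNS2 situation the reply describes, and the fix is to hand the remote clients the DC's DNS server (via DHCP or statically) rather than a local resolver.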

February 4, 2009 3:48:15 AM

Additional thoughts I just came up with:

I do not know Active Directory; you decide what needs to be done. Here is another gotcha about IPSec; it can only encrypt unicast traffic. If some AD traffic uses broadcast, it will never go over the tunnel since IPSec can't encrypt it. The solution is you need to set up a GRE tunnel between gateways, see the diagram below. GRE is itself unicast but can carry unicast, broadcast, and multicast.


all LAN traffic <---> GRE tunnel <---> IPSec tunnel <--------Internet--------> (duplicate the other side here)
February 5, 2009 4:22:22 AM

Ok, so I got the LAN at the first location working great! Here's a better explanation of everything.

The router I'm using is a VPN router, which allows up to 50 connections. I have a second store location with a couple computers that I would like to get completely running using the server. I'm just a little scared on how I'll do this! I've had the VPN up and running before, and was able to do normal file sharing between stores, but I'd like them to access the server's shares.

In order for the Gateway-to-Gateway VPN to work I need to have both stores on different subnets so the routers can connect to one another.

So what I'm wondering is, if I go to the second store and turn off DHCP and /release everything over there, will they be able to connect to the server over the GtG VPN? Would I need to define a new scope for the DHCP in order to get these computers on the Active Directory? (For example everything at the main store is 192.168.1.x, should I add a new scope for the second store in the DHCP server such as 192.168.2.x?)

Perhaps I can just keep the VPN router over there on 192.168.2.1 in order for the VPN to work, but still get all the PCs over there to work with the DHCP scope of 192.168.1.x? Not exactly sure how to approach this, but I know they MUST be on different subnets for the VPN connection to stay up and work correctly.

Any ideas on this matter before I tackle it?
February 5, 2009 5:57:47 AM

No, keep the DHCP scoping separate even though you CAN put everything together under one scope. Once again, I do not know AD.

Here is how you would set it up, assuming 192.168.1.x for the main store and 192.168.2.x for the 2nd store:

1) On VPN-GW-main, set up static route pointing to VPN-GW-2nd for any packets destined to 192.168.2.x
2) Do similar static route on VPN-GW-2nd
3) IF VPN-GW-main is NOT the default gateway for nodes in the main store, you also need to set up a static route on that default gateway so that when it sees 192.168.2.x packets, it will forward them to VPN-GW-main. If something does not work here, make sure you check firewall rules and that icmp-redirects are NOT turned off for the LAN side of the network
4) Do similar to the setup of 2nd store IF VPN-GW-2nd is NOT the default gateway
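The four routing steps above, together with the earlier remark that IPSec carries unicast only, can be checked on paper before touching the routers. The following is an added example, not configuration from the thread or from Cisco: it models the two gateways plus a separate default gateway at the main store as longest-prefix-match routing tables, traces a packet hop by hop, and shows the failure mode of skipping step 3 (the 192.168.2.x packet follows the default route to the Internet instead of the tunnel). The device names `default-gw-main`, `vpn-gw-main` and `vpn-gw-2nd`, and the next-hop labels, are constructed for the example; the second store is modelled with the VPN router as its default gateway, so step 4 is not needed there.

```python
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) entries; None if no route matches."""
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def build_tables(step3_done=True):
    """Constructed routing tables for the two-store layout in the post.

    Next hops: 'connected' (deliver on the local LAN), 'isp' (default route to
    the Internet), 'lan:<device>' (hand to another router on the same LAN) and
    'ipsec:<device>' (send through the gateway-to-gateway tunnel to that peer).
    """
    main_default_gw = [("192.168.1.0/24", "connected"), ("0.0.0.0/0", "isp")]
    if step3_done:  # step 3: the non-VPN default gateway learns about 192.168.2.x
        main_default_gw.insert(0, ("192.168.2.0/24", "lan:vpn-gw-main"))
    return {
        # main store: hosts point at a separate default gateway, not the RV042
        "default-gw-main": main_default_gw,
        # step 1: VPN-GW-main sends 192.168.2.x into the tunnel
        "vpn-gw-main": [("192.168.1.0/24", "connected"),
                        ("192.168.2.0/24", "ipsec:vpn-gw-2nd"),
                        ("0.0.0.0/0", "isp")],
        # step 2: VPN-GW-2nd sends 192.168.1.x into the tunnel; it is also the
        # default gateway at the 2nd store, so step 4 does not apply
        "vpn-gw-2nd": [("192.168.2.0/24", "connected"),
                       ("192.168.1.0/24", "ipsec:vpn-gw-main"),
                       ("0.0.0.0/0", "isp")],
    }


def crosses_tunnel(dst, src_net):
    """IPsec carries unicast only: broadcast and multicast never enter the tunnel."""
    ip, net = ipaddress.ip_address(dst), ipaddress.ip_network(src_net)
    limited_bcast = ipaddress.ip_address("255.255.255.255")
    return not (ip.is_multicast or ip == net.broadcast_address or ip == limited_bcast)


def trace(tables, first_hop, dst, src_net, max_hops=8):
    """Follow a packet router by router from the sender's first hop.

    Returns the devices/tunnels traversed and one of: 'delivered',
    'sent-via-default-route' (left for the Internet, not the tunnel),
    'no-route', 'not-forwarded' (broadcast/multicast stays on the LAN), 'loop'.
    """
    if not crosses_tunnel(dst, src_net):
        return {"path": [], "status": "not-forwarded"}
    dst_ip = ipaddress.ip_address(dst)
    path, device = [], first_hop
    for _ in range(max_hops):
        path.append(device)
        next_hop = lookup(tables[device], dst_ip)
        if next_hop is None:
            return {"path": path, "status": "no-route"}
        if next_hop == "connected":
            return {"path": path, "status": "delivered"}
        if next_hop == "isp":
            return {"path": path, "status": "sent-via-default-route"}
        kind, device = next_hop.split(":", 1)
        if kind == "ipsec":
            path.append("ipsec-tunnel")
    return {"path": path, "status": "loop"}


if __name__ == "__main__":
    cases = [
        ("main -> 2nd, step 3 done", build_tables(True), "default-gw-main", "192.168.2.20", "192.168.1.0/24"),
        ("main -> 2nd, step 3 skipped", build_tables(False), "default-gw-main", "192.168.2.20", "192.168.1.0/24"),
        ("2nd -> main", build_tables(True), "vpn-gw-2nd", "192.168.1.10", "192.168.2.0/24"),
        ("2nd broadcast", build_tables(True), "vpn-gw-2nd", "192.168.2.255", "192.168.2.0/24"),
    ]
    for label, tables, first_hop, dst, src_net in cases:
        print(label, "->", trace(tables, first_hop, dst, src_net))
```

The step-3 case is the one to watch when troubleshooting: with the route missing, the main-store gateway has a perfectly valid match (the default route), so nothing logs an error; the packet for the other store simply leaves unencrypted toward the ISP and is dropped there, which looks from the client like a silent timeout. Likewise the broadcast case never reaches a routing table at all, which is why name resolution that depends on broadcasts (NetBIOS without WINS) cannot be fixed with static routes and needs either WINS/DNS or the GRE-over-IPSec design mentioned earlier.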
February 5, 2009 6:01:34 AM

I take back one thing I said in the first line.

It is my knowledge that IPSec gateways ignore DHCP packets (unless you hack the code I guess). So I will say you must keep the DHCP scopes separate.