VPN problem between same internal IP address servers?

Magicthyse

Golden Member
Aug 15, 2001
Here's one that has all of us scratching our heads...

The scenario: VPN from a Windows 2000 Server client, to another Windows 2000 server.

Windows 2000 server #1 has internal ip address: 10.0.0.2
Windows 2000 server #2 has internal ip address: 10.0.0.2

Both servers have ISA Server running.

The client is running ISA Client, which gives Internet access to each client through the ISA Server.

As soon as the VPN is initiated, you guessed it, the connection freezes (i.e. by VPNing to another network which has the same IP address server, the client loses connection to the local ISA server).

Changing IP addresses on the servers is not an option.

Any insight into this issue before we scratch ourselves bald?

n0cmonkey

Elite Member
Jun 10, 2001


<< not the answer you wanted to hear but.

change the IP address.
>>

Hahaha :p

Sorry, I was thinking the same thing as I read through it.

MWalkden

Golden Member
Dec 7, 1999
I don't know much about ISA server but I do a lot of VPN work between sites using 2K server (RAS) and other hardware VPN devices.

I'm sure your problem has to do with configuration, so here is a link I found that might help:

ISA Inbound VPN Config

You should check log files to see what error it is giving you too. I could do more with that kind of information. Do either of these servers run RAS? Are you trying to do a site-to-site VPN or just a VPN from a client? Can you test the VPN with the client alone (like through a dialup connection)? Does it work that way?

I don't stay on the forums long, so if you want my help reply fast or email me (see my profile info).

.(MW)
http://www.isaserver.org/shinder/tutorials/configuring_ISA_for_inbound_VPN.htm

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
It sounds like you're gonna have to do a NAT somewhere along the path. Depending on the firewall in use, you may be able to create a specific path/conduit just for the traffic coming from the other identical IP.

Worst case, you may be able to throw in a policy route through another firewall interface that NATs the address. Something similar can probably be done with a PC running *nix, but the trick is to determine which address is which based on the ingress interface, then acting on it (doing some flavor of NAT).

If both addresses are coming in across frame relay, get something like a Cisco 2600, set it up to be a frame switch, then switch (based on the DLCI not on the IP address) to an Ethernet interface with NAT to the VPN segment. You'll also (probably) have to policy route to get the right traffic to/through the right interface going back out to the source.

We've played with this some in the Lab for an internal project (when you have a bunch of customers, all with 10.xxx addresses, setting up a monitoring link can be a good time). I was only peripherally involved, but policy routing with NAT was the cleanest solution, if I remember correctly.


Good Luck

Scott
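The two halves of this thread, the original poster's symptom (the VPN route for 10.0.0.0/24 captures traffic meant for the local ISA server at 10.0.0.2) and ScottMac's fix (decide which 10.0.0.2 is which by the interface the packet arrived on, then 1:1 NAT the remote side into a range that does not collide), modelled in Python as an added example that is not from the thread or from any of the posters. The interface names (`eth0`, `vpn0`), the route metrics, and the two unused mapping ranges (`10.0.1.0/24` for the remote site as seen locally, `10.0.2.0/24` for the local site as seen remotely) are assumptions chosen for illustration; the constructed packets stand in for real traffic. The NAT here is the static 1:1 "NETMAP" style of rewrite, which is what you would express on a Linux box with `iptables -t nat ... -j NETMAP` together with a policy route for the mapped range.

```python
"""Ingress-interface-keyed 1:1 NAT for two sites that both use 10.0.0.0/24.

Added example (not from the thread). Interface names, metrics and the
mapping ranges 10.0.1.0/24 / 10.0.2.0/24 are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def longest_match(dst, routes):
    """Return the egress interface for dst from routes [(cidr, iface, metric)].

    Longest prefix wins; a lower metric breaks ties. This is the lookup that
    goes wrong on the client once the tunnel adds a second 10.0.0.0/24 route.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface, metric in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


class NetmapNat:
    """Static 1:1 NAT applied only to packets crossing the tunnel interface.

    remote_real -> remote_mapped rewrites the remote site's source addresses
    on the way in; local_mapped -> local_real rewrites the destination the
    remote side used for us. Outbound does the mirror image.
    """

    def __init__(self, tunnel_if, remote_real, remote_mapped, local_real, local_mapped):
        self.tunnel_if = tunnel_if
        self.remote_real = ipaddress.ip_network(remote_real)
        self.remote_mapped = ipaddress.ip_network(remote_mapped)
        self.local_real = ipaddress.ip_network(local_real)
        self.local_mapped = ipaddress.ip_network(local_mapped)
        for a, b in ((self.remote_real, self.remote_mapped), (self.local_real, self.local_mapped)):
            if a.prefixlen != b.prefixlen:
                raise ValueError("1:1 NAT needs equally sized ranges")

    @staticmethod
    def _shift(addr, src_net, dst_net):
        # Keep the host part, swap the network part; leave other addresses alone.
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            return addr
        return str(dst_net.network_address + (int(a) - int(src_net.network_address)))

    def inbound(self, ingress_if, pkt):
        # The decisive check: a 10.0.0.x source arriving on the LAN is ours and
        # is untouched; the same source arriving on the tunnel is the remote site.
        if ingress_if != self.tunnel_if:
            return pkt
        return Packet(self._shift(pkt.src, self.remote_real, self.remote_mapped),
                      self._shift(pkt.dst, self.local_mapped, self.local_real))

    def outbound(self, egress_if, pkt):
        if egress_if != self.tunnel_if:
            return pkt
        return Packet(self._shift(pkt.src, self.local_real, self.local_mapped),
                      self._shift(pkt.dst, self.remote_mapped, self.remote_real))


# Constructed routing tables for the client. The "broken" table models the
# tunnel adding a second route to 10.0.0.0/24 with a better metric; the "fixed"
# table routes only the mapped range 10.0.1.0/24 into the tunnel.
ROUTES_BROKEN = [("10.0.0.0/24", "eth0", 20), ("10.0.0.0/24", "vpn0", 1)]
ROUTES_FIXED = [("10.0.0.0/24", "eth0", 20), ("10.0.1.0/24", "vpn0", 1)]


def path_to_local_isa_broken():
    return longest_match("10.0.0.2", ROUTES_BROKEN)   # "vpn0": local ISA traffic hijacked


def path_to_local_isa_fixed():
    return longest_match("10.0.0.2", ROUTES_FIXED)    # "eth0": stays on the LAN


def path_to_remote_server_fixed():
    return longest_match("10.0.1.2", ROUTES_FIXED)    # "vpn0": remote 10.0.0.2 via its mapped name


def nat_round_trip():
    """Remote 10.0.0.2 talks to local 10.0.0.50 (which it knows as 10.0.2.50)."""
    nat = NetmapNat("vpn0", "10.0.0.0/24", "10.0.1.0/24", "10.0.0.0/24", "10.0.2.0/24")
    seen_locally = nat.inbound("vpn0", Packet("10.0.0.2", "10.0.2.50"))
    lan_untouched = nat.inbound("eth0", Packet("10.0.0.2", "10.0.2.50"))  # local ISA, same src
    reply = nat.outbound("vpn0", Packet("10.0.0.50", seen_locally.src))
    return seen_locally, lan_untouched, reply


if __name__ == "__main__":
    print(path_to_local_isa_broken(), path_to_local_isa_fixed(), path_to_remote_server_fixed())
    print(*nat_round_trip(), sep="\n")
```

The point the model makes concrete: NAT alone is not enough, because both 10.0.0.2 addresses are valid inside the box. The classification has to happen on ingress interface (or DLCI, in ScottMac's frame-relay variant) before any address is examined, and the return path needs a route that sends only the mapped range back through the tunnel. Real deployments also have to handle the DNS and application-layer references to the real addresses, which a plain 1:1 rewrite does not fix.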