When configuring a Microsoft VPN server for traffic routing between the server and client, especially in an Always On VPN setup, the routing can be approached in two main configurations: split tunneling and force tunneling. In a split tunnel configuration, specific routes are directed over the VPN while all other traffic uses the physical (local) network interface. This setup is ideal for allowing access to internal resources without routing all the client's internet traffic through the VPN, thus reducing bandwidth on the VPN server. Routes can be defined using the VPNv2 configuration service provider (CSP), allowing for detailed control over which traffic goes through the VPN. https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/vpn/vpn-routing Force tunneling, on the other hand, routes all client traffic through the VPN. This approach is often used for enhanced security, ensuring that all client traffic is inspected and filtered according to the organization's policies before accessing the internet. Force tunneling is achieved by manipulating routing entries to ensure that VPN routes have a lower metric than those for other interfaces, effectively directing all traffic through the VPN by default. https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/vpn/vpn-routing For troubleshooting, it's critical to ensure the VPN server has the necessary routes to internal resources and that clients are configured with routes to these internal networks. This setup ensures traffic can flow from the VPN clients to internal resources as intended. If access issues persist, verifying the correct configuration of both server and client routing, checking for any network policy server (NPS) policy misconfigurations, and ensuring proper certificate deployment are good steps. https://directaccess.richardhicks.com/2019/08/19/always-on-vpn-and-rras-with-single-nic/ https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-remote-access-vpn-and-aovpn-guidance Lastly, understanding the core components of your Always On VPN infrastructure and ensuring correct configurations on both server and client sides are crucial for a functional setup. For detailed troubleshooting steps and configurations, consulting the provided Microsoft documentation and resources can offer more in-depth guidance. https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-remote-access-vpn-and-aovpn-guidance
Microsoft VPN Server - How is VPN traffic routed between Server and Client?
We are trying to implement an Always On VPN Server solution with Microsoft VPN Servers. The VPN server is dual homed and we have a separate subnet for the VPN clients. (The IP addresses below are just examples)
VPN Server Internet Facing Nic: 172.168.10.7 (Gateway is configured on this Nic)
VPN Server Internal Network Nic: 172.169.10.70 (no Gateway is configured on this Nic, only persistent static routes)
VPN Subnet for Clients: 10.0.0.0/24
Static IP Pool configured on the VPN Server: 10.0.0.5-10.0.0.250
VPN Server RAS (Dial-In) Interface: 10.0.0.5
There is a static route configured on the VPN server, that routes traffic from the internal network facing nic to the VPN subnet for clients, route add 10.0.0.0 mask 255.255.255.0 172.169.10.1 -p
From the client we have manually created a VPN profile, and are able to connect to the VPN server just fine. The client receives the IP address 10.0.0.8, and since force tunneling is the default configuration, all traffic goes through 10.0.0.8
First hop is 10.0.0.5 (VPN Server's RAS (Dial-In) Interface)
The problem is that we are not able to access any internal resources from the VPN client. Using Wireshark on the VPN server, we are able to see that the VPN client's IP is trying to access internal resources through the VPN server.
From the VPN server itself, we are able to access all internal resources through the 172.169.10.70 interface. The network people say that network routing and FW openings are fine, and everything should function. But yet the communication from the VPN client to internal resources fails.
How is this communication supposed to occur, what could be misconfigured here?
2 answers
Sort by: Most helpful
-
-
Karlie Weng 18,521 Reputation points Microsoft Vendor
2024-02-22T01:57:05.1333333+00:00 Hello, Try to ping the internal server or device by IP address and check if you can get to file shares using IP\path. We can use traceroute to check the routing on the vpn client when connected – if it has a route to the internal servers/resources via the vpn.
---If the Answer is helpful, please click "Accept Answer" and upvote it.