RRAS VPN server with off-subnet address range for clients

Sid 1 Reputation point


I want to implement an RRAS VPN server with off-subnet addresses assigned to the VPN clients.
My problem is that I can ping the VPN clients from the LAN, but I can't ping LAN resources from the VPN Clients.

Here is my setup and how I configured it:
VPN Client network:
RRAS server: Single NIC:

I configured the RRAS server with VPN and Router roles.
I have created a Static address pool on the RRAS server for the VPN clients -
I have disabled all ports, only IKEv2 is used by RAS/Routing; the rest is "Used by none".

On my LAN router ( I have added one static route: routed the destination network to the RRAS server IP
On my LAN router I've allowed the icmp communication between the two network in both directions.

At this point the communication initiated from my LAN to the VPN clients staerted to work, but not the other way.
I can't figure out what am I missing.

Thank you for your input!

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,085 questions
Windows Network
Windows Network
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Network: A group of devices that communicate either wirelessly or via a physical connection.
639 questions
Windows Server Management
Windows Server Management
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Management: The act or process of organizing, handling, directing or controlling something.
420 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Sid 1 Reputation point

    I would like to add some extra information I gathered about the issue:

    • when I try to ping a LAN machine from a VPN client, on my firewall ( I got the following block message: ICMP reply without request. So the LAN machine tries to reply, but the firewall blocks it. I suspect for some reason the ICMP request comes from the RRAS server (not interacting with my firewall) and the reply goes to the VPN Client's address through my firewall.
    • I am able to query DNS request from a VPN client against my internal DNS server ( and got a response.
    • I am able to query an NTP resync from my local Windows NTP server ( and got a response.
    • I am able to ping my firewall LAN IP ( from a VPN Client and get a response. Still can't ping anything else on the LAN.

  2. Sunny Qi 10,896 Reputation points Microsoft Vendor


    Thanks for your update.

    I would suggest you could run command "route print" from VPN client when established a VPN connection to check if there is a route to

    If not, I would suggest you add a corresponded route from VPN server since the VPN client obtains route information from VPN server.


    Best Regards,


    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.