Multihomed Win2k Server Setup for Routing Between Two Networks
I have subscribed to a data service that I access data over a secure VPN connection
with their network. To test the setup I configured a Win2K server using
the IPSEC mmc-snap-in to create and assign a policy. That works well. I
am able to ping the IP address on the other side of the tunnel, validate
that a tunnel was established, etc. Great. Now I have a private 192.168.0.X
network that has Win2K and XP workstations that need to connect to the data
service resources via the VPN connection. Solution seems clear; install
2 NICs in the Win2K server and assign one to the private network and the
other to the static address and setup routing.
I now have a multi-homed Win2K Server with 2 network interfaces. One assigned
a static IP address from my ISP and the other is assigned an address on the
private network. The default gateway for the interface with the static address
is assigned and the other is unassigned. I have the security policy setup
so that a secure tunnel is established when I try to ping addresses on the
other side of the tunnel - from the Win2K Sever console. Now for routing
between the two networks. I've read some seemingly conflicting documentation
and posts on this topic. Some posts imply that you must make the registry
change to Tcpip/Parameters/EnableIPForwarding (or something like that) and
reboot. Then the Win2K server should route between the two networks. Others
imply that I need static routes in addition to or instead of simply enabling
IP Forwarding. Which is correct.
To test the routing setup on the server I configured a client on the private
network with a static route causing the ping of a specific address to be
routed to the multihomed Win2K server. I need the ping to be routed from
the private network interface to the public interface and across the tunnel.
This way the Win2K server acts as a true router (in fact we will be replacing
it after validating;- the vendor only supports Win2K clients). With appropriate
static routes configured on private network workstations, they can "share"
If I ping from the Win2K server console, a tunnel is setup and the ping succeeds.
If I ping from the workstation, using pathping I can see the ping being
forwarded to the server via the static route, but it times-out at this point.
I have tried enabling IP forwarding only, adding static routes, static routes
only and nothing seems to work.
It very well could be that the solution is to use static routes between the
interfaces on the server and that my static routes were incorrect.
The short question to a long story is "what steps do I need to take to enable
routing between the private and public networks?". I've tried everything
I thought would work based on study of documentation without success.
One last piece of information is that the public interface must be locked
down to only allow VPN traffic. I did this using Input and Output Filters
on the external interface. The filters only allow traffic with the VPN Server
for key exchange and the addresses in the private network on the other side
of the VPN. Appears to work. I experimented with the VPN server address
in the filter and could no longer establish a connection. Connection established
after filter changed back. I don't think that the fact that there is a security
association on the public interface should affect the ability to route between
the two, but I'm not sure.
Thanks in advance for input and advice on how to proceed.