I have been stuck on this task for almost 2 days. I organized a site-to-site IPsec tunnel between a Juniper and a Windows 2008 R2 machine (let's call it W2008R2 for reference). W2008R2 is a multihomed machine (2 network adapters), with RRAS installed and enabled.

W2008R2 NETWORK LOOKS THE FOLLOWING WAY:

First adapter of W2008R2 is connected to Internet, and has a public IP assigned (it is also the endpoint of tunnel). The other adapter is connected to LAN behind the server and has local IP 192.168.208.13. Inside this LAN there are other computers with local IPs, like 192.168.208.11. Everybody can ping each other here, firewalls are completely disabled on all local LAN adapters.

JUNIPER NETWORK LOOKS THE FOLLOWING WAY:

Juniper has public interface connected to internet and local interface 192.168.255.1 connected to Juniper LAN. Inside Juniper LAN there are other computers like 192.168.255.11 etc. Everybody can ping each other here, firewalls are completely disabled on all local LAN adapters.

Now what happens:

  1. Tunnel is up, so encryption and algs all work.

  2. I can ping 192.168.208.11 (computer in W2008R2-LAN) from 192.168.255.11 (computer in Juniper LAN) and vice versa !!! Here everything works.

  3. But for some reason I cannot ping 192.168.208.13 (the LAN adapter of the W2008R2 itself) and vice versa.

It looks like packets are routed inside the W2008R2 LAN, but the LAN adapter itself is not reachable.

Would be very grateful if you can help solve it.

Here is the ipconfig /all output on w2008r2:

```
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ****
   Primary Dns Suffix  . . . . . . . : ****
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ****

Ethernet adapter Internet:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-50-56-A3-53-A2
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : A.A.A.A(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : G.G.G.G
   DNS Servers . . . . . . . . . . . : 192.168.208.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter LAN:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-A3-04-D5
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.208.13(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 
   DNS Servers . . . . . . . . . . . : 192.168.208.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{1250BC57-EC45-4A26-9772-BD8596629156}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{B14E96CE-7B9C-480D-BD9E-7DD77CDA8E80}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:57f9:78a6::57f9:78a6(Preferred) 
   Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
   DNS Servers . . . . . . . . . . . : 192.168.208.11
   NetBIOS over Tcpip. . . . . . . . : Disabled
```

And here is the route PRINT output

```
===========================================================================
Interface List
 18...00 50 56 a3 53 a2 ......Intel(R) PRO/1000 MT Network Connection #2
 17...00 50 56 a3 04 d5 ......Intel(R) PRO/1000 MT Network Connection
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         G.G.G.G         A.A.A.A    266
          A.A.A.0    255.255.255.0         On-link         A.A.A.A    266
          A.A.A.A  255.255.255.255         On-link         A.A.A.A    266
        A.A.A.255  255.255.255.255         On-link         A.A.A.A    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.208.0    255.255.255.0         On-link    192.168.208.13    266
   192.168.208.13  255.255.255.255         On-link    192.168.208.13    266
  192.168.208.255  255.255.255.255         On-link    192.168.208.13    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.208.13    266
        224.0.0.0        240.0.0.0         On-link           A.A.A.A    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.208.13    266
  255.255.255.255  255.255.255.255         On-link           A.A.A.A    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0   G.G.G.G        Default 
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 16   1110 ::/0                     2002:c058:6301::c058:6301
  1    306 ::1/128                  On-link
 16   1010 2002::/16                On-link
 16    266 2002:57f9:78a6::57f9:78a6/128
                                    On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
```

I have replaced the real IP of W2008R2 with A.A.A.A and the gateway with G.G.G.G. All other info is real.

Ross
  • can you attach `ipconfig /all` and `route print` from W2k8 (while tunnel is up of course) – Dusan Bajic Jun 11 '14 at 09:53
  • @dusan.bajic , I just updated my question (some problems went away, but some still exist). Also the output of ipconfig and route table are appended. – Ross Jun 11 '14 at 17:26
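
One way to read the posted IPv4 route table for a given destination is to repeat the lookup the IP stack performs: longest matching prefix first, then lowest metric. The following is an added example, not part of the original post; the placeholders A.A.A.A and G.G.G.G are replaced with constructed documentation addresses (203.0.113.10 and 203.0.113.1), and the broadcast and multicast rows are left out.

```python
import ipaddress

# Constructed stand-ins for the post's A.A.A.A / G.G.G.G placeholders
# (assumption: both sit in the same /24, as the posted table implies).
PUBLIC_IP, GATEWAY = "203.0.113.10", "203.0.113.1"

# Unicast rows of the posted IPv4 "Active Routes" table:
# (destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0",        "0.0.0.0",         GATEWAY,   PUBLIC_IP,        266),
    ("203.0.113.0",    "255.255.255.0",   "On-link", PUBLIC_IP,        266),
    ("203.0.113.10",   "255.255.255.255", "On-link", PUBLIC_IP,        266),
    ("127.0.0.0",      "255.0.0.0",       "On-link", "127.0.0.1",      306),
    ("192.168.208.0",  "255.255.255.0",   "On-link", "192.168.208.13", 266),
    ("192.168.208.13", "255.255.255.255", "On-link", "192.168.208.13", 266),
]

def lookup(dest):
    """Return the route chosen for dest: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, mask, gw, iface, metric in ROUTES:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if addr not in network:
            continue
        key = (-network.prefixlen, metric)  # smaller key wins
        if best is None or key < best[0]:
            best = (key, {"network": str(network), "gateway": gw, "interface": iface})
    return best[1] if best else None

def report(dests):
    """Look up several destinations at once."""
    return {d: lookup(d) for d in dests}

if __name__ == "__main__":
    # A Juniper-LAN host, a W2008R2-LAN host, and the server's own LAN address.
    for dest, r in report(["192.168.255.11", "192.168.208.11", "192.168.208.13"]).items():
        print(f"{dest:15} -> {r['network']:18} via {r['gateway']:12} on {r['interface']}")
```

The table has no specific entry for 192.168.255.0/24, so packets the server itself sends to the Juniper LAN follow the default route out of the Internet adapter; whether they then match the tunnel's policy depends on the IPsec configuration, which the post does not show.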
