VPN Internet routing problem

VPN Internet routing problem

NewsGroups | Search | Tools
 comp.dcom.vpn  Post an article  get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content  add this group's latest topics to your Google content  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
VPN Internet routing problem ioevanc 01-10-2006
Posted by on January 10, 2006, 4:23 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Hello

I have a Windows Server 2003 configured as a remote access VPN server.
Everything works perfectly, however when I connect from a client
machine to the VPN my internet connection get taken over by the
server's internet connection, anotherwords, not only it is routing my
LAN but also the internet connection the server is on.

Is it possible not to have the internet routed, just the LAN ? But
still be able to use client's internet connection ?

Thanks


Pure Networks
Posted by Martin Bodenstedt on January 10, 2006, 4:32 am
If you were  Registered and logged in, you could reply and use other advanced thread options
ioevanc@gmail.com schrieb:
> Hello
>
> I have a Windows Server 2003 configured as a remote access VPN server.
> Everything works perfectly, however when I connect from a client
> machine to the VPN my internet connection get taken over by the
> server's internet connection, anotherwords, not only it is routing my
> LAN but also the internet connection the server is on.

This by design.

Once your VPN connection is open the VPN client should only allow
traffic through the tunnel for security reasons (keyword here is "Split
tunneling").

This also means that once Your PC has the VPN connection open the pc
cannot see the lan anymore (to protect the corporate network from being
infiltrated by rogue pcs...


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)

Posted by Simon on January 10, 2006, 8:18 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Martin Bodenstedt wrote:
> ioevanc@gmail.com schrieb:
>
>> Hello
>>
>> I have a Windows Server 2003 configured as a remote access VPN server.
>> Everything works perfectly, however when I connect from a client
>> machine to the VPN my internet connection get taken over by the
>> server's internet connection, anotherwords, not only it is routing my
>> LAN but also the internet connection the server is on.
>
>
> This by design.
>
> Once your VPN connection is open the VPN client should only allow
> traffic through the tunnel for security reasons (keyword here is "Split
> tunneling").
>
> This also means that once Your PC has the VPN connection open the pc
> cannot see the lan anymore (to protect the corporate network from being
> infiltrated by rogue pcs...
>
>
Martin is correct, however I'm sure you can still see the local subnet
Martin, it's only the default route that's affected.

With the windows client you can get round it though if you consider the
risks worthwhile, here's what I posted the other day in response to a
similar question
"Yes it's a security risk if the remote computer becomes compromised, as
the internet connection going out locally could allow a back door into
your network when the client vpn is connected. However with the ms
client you can open up split routing to do what you need, in the tcpip
properties of the remote PCs connection to you under advanced untick the
'use default gateway on remote network' then only traffic destined for
the subnet that the client vpn address gets goes down the tunnel, all
else goes out locally. If there is more than one subnet at your location
the remote clients would need to use the route add command to add the
additional routes needed. "
simon

Posted by on January 10, 2006, 12:16 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Thanks for your help, I apreciate it

Simon wrote:
> Martin Bodenstedt wrote:
> > ioevanc@gmail.com schrieb:
> >
> >> Hello
> >>
> >> I have a Windows Server 2003 configured as a remote access VPN server.
> >> Everything works perfectly, however when I connect from a client
> >> machine to the VPN my internet connection get taken over by the
> >> server's internet connection, anotherwords, not only it is routing my
> >> LAN but also the internet connection the server is on.
> >
> >
> > This by design.
> >
> > Once your VPN connection is open the VPN client should only allow
> > traffic through the tunnel for security reasons (keyword here is "Split
> > tunneling").
> >
> > This also means that once Your PC has the VPN connection open the pc
> > cannot see the lan anymore (to protect the corporate network from being
> > infiltrated by rogue pcs...
> >
> >
> Martin is correct, however I'm sure you can still see the local subnet
> Martin, it's only the default route that's affected.
>
> With the windows client you can get round it though if you consider the
> risks worthwhile, here's what I posted the other day in response to a
> similar question
> "Yes it's a security risk if the remote computer becomes compromised, as
> the internet connection going out locally could allow a back door into
> your network when the client vpn is connected. However with the ms
> client you can open up split routing to do what you need, in the tcpip
> properties of the remote PCs connection to you under advanced untick the
> 'use default gateway on remote network' then only traffic destined for
> the subnet that the client vpn address gets goes down the tunnel, all
> else goes out locally. If there is more than one subnet at your location
> the remote clients would need to use the route add command to add the
> additional routes needed. "
> simon


Posted by Martin Bodenstedt on January 11, 2006, 4:12 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Simon schrieb:

> Martin is correct, however I'm sure you can still see the local subnet
> Martin, it's only the default route that's affected.

That should not be the case as all local pcs (those in the same subnet)
could still use the tunnel which I as a corporate network admin would
never tolerate.

A good vpn client permits no traffic through the tunnel other than from
(or to) the local machine itself.



--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)

Similar ThreadsPosted
openvpn Routing Problem October 31, 2006, 7:58 am
Routing problem causing problems with VPN? May 4, 2005, 10:22 pm
Routing problem over VPN from Vigor 2600+ to Netscreen 5GT June 1, 2005, 7:31 pm
VPN routing.... December 12, 2006, 12:26 pm
VPN and Routing in one box September 8, 2007, 8:44 pm
VPN routing October 15, 2007, 5:18 pm
Need help routing IPX over IPsec February 10, 2005, 11:35 pm
VPN and routing between branches July 21, 2005, 11:00 am
E-mail routing over VPN January 17, 2006, 11:50 am
openvpn and routing February 6, 2006, 12:50 pm

other useful resources:
The Federal Communications Commission (FCC)
Telecommunications Industry Association
Electronic and Software Security Products and Services
International Telecommunication Union

Custom CGI Perl and PHP programming by 1-Script.com

Contact Us | Privacy Policy
The site map in XML format XML site map