CMAK VPNs not working as expected.

Adrian Marsh (NNTP)

Hi,
I've a corporate network with various 192.168.x.x subnets, and a
172.16.0.0/16 subnet too.

I VPN into a 2003 server whose corporate local address is 192.168.50.3
(default GW is 192.168.50.1)

Internally on the LAN, all is well.

Before I started trying CMAK, I could only reach 172.16.x.x and the
non-50 subnets if I manually added the route to the PC. I want to use
split-tunneling.

So CMAK seems a good idea. I've tried adding the following routing info
into the associated route file:


add 172.16.0.0 mask 255.255.0.0 default METRIC default IF default
add 192.168.24.0 mask 255.255.255.0 default METRIC default IF default

But when I VPN in, I still can't reach the 172.16.0.0/16 or
192.168.24.0/24 subnets. Here's the resulting routing table on the
client: (I've marked the lines of interest with a *, and had to mask the
public IP of the VPN endpoint)


  Network Destination  Netmask          Gateway         Interface       Metric
  0.0.0.0              0.0.0.0          192.168.0.253   192.168.0.10    25
  5.0.0.0              255.0.0.0        5.13.204.221    5.13.204.221    20
  5.13.204.221         255.255.255.255  127.0.0.1       127.0.0.1       20
  5.255.255.255        255.255.255.255  5.13.204.221    5.13.204.221    20
  <masked PPTP>        255.255.255.255  192.168.0.253   192.168.0.10    25
  127.0.0.0            255.0.0.0        127.0.0.1       127.0.0.1       1
* 172.16.0.0           255.255.0.0      192.168.0.253   192.168.0.10    25
  192.168.0.0          255.255.255.0    192.168.0.10    192.168.0.10    25
  192.168.0.10         255.255.255.255  127.0.0.1       127.0.0.1       25
  192.168.0.255        255.255.255.255  192.168.0.10    192.168.0.10    25
* 192.168.24.0         255.255.255.0    192.168.0.253   192.168.0.10    25
* 192.168.50.0         255.255.255.0    192.168.50.182  192.168.50.182  1
* 192.168.50.182       255.255.255.255  127.0.0.1       127.0.0.1       50
* 192.168.50.255       255.255.255.255  192.168.50.182  192.168.50.182  50
  224.0.0.0            240.0.0.0        5.13.204.221    5.13.204.221    20
  224.0.0.0            240.0.0.0        192.168.0.10    192.168.0.10    25
  224.0.0.0            240.0.0.0        192.168.50.182  192.168.50.182  50
  255.255.255.255      255.255.255.255  5.13.204.221    5.13.204.221    1
  255.255.255.255      255.255.255.255  192.168.0.10    192.168.0.10    1
  255.255.255.255      255.255.255.255  192.168.50.182  4               1
  255.255.255.255      255.255.255.255  192.168.50.182  2               1
  255.255.255.255      255.255.255.255  192.168.50.182  5               1
  255.255.255.255      255.255.255.255  192.168.50.182  192.168.50.182  1
  255.255.255.255      255.255.255.255  192.168.50.182  6               1
Default Gateway: 192.168.0.253
===========================================================================
Persistent Routes:
None


The 5.x can be ignored (Hamachi). The client local subnet is
192.168.0.10/24.

I'm confused as to why the 192.168.50.0 network is sent to
192.168.50.182 via the tunnel but 172.16.0.0 is sent to the client's
local GW (192.168.0.253), shouldn't they be the same?

How do I have the VPN client do the same for 172.16.0.0/16 and
192.168.24.0/24 as it does for 192.168.50.0/24?
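
The routing table above can be checked mechanically for corporate prefixes that leave through the local gateway instead of the tunnel. The following is an added example, not part of the original thread: the rows are copied from the post, and the function names and the CORPORATE list are assumptions made for illustration.

```python
import ipaddress

# Rows copied from the route table in the post above ("*" marks are the poster's).
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.0.253 192.168.0.10 25
<masked PPTP> 255.255.255.255 192.168.0.253 192.168.0.10 25
* 172.16.0.0 255.255.0.0 192.168.0.253 192.168.0.10 25
192.168.0.0 255.255.255.0 192.168.0.10 192.168.0.10 25
* 192.168.24.0 255.255.255.0 192.168.0.253 192.168.0.10 25
* 192.168.50.0 255.255.255.0 192.168.50.182 192.168.50.182 1
"""
VPN_IF = "192.168.50.182"  # tunnel interface address, as shown in the post
CORPORATE = ["172.16.0.0/16", "192.168.24.0/24", "192.168.50.0/24"]  # assumed list


def parse_routes(text):
    """Turn 'route print' rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.lstrip("* ").split()
        if len(fields) != 5:
            continue  # e.g. the row whose destination was masked
        dest, mask, gateway, iface, metric = fields
        try:
            routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"),
                           gateway, iface, int(metric)))
        except ValueError:
            continue  # header or other non-numeric row
    return routes


def best_route(routes, destination):
    """Longest-prefix match; the lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def outside_tunnel(routes, prefixes, vpn_if=VPN_IF):
    """List prefixes whose first host address is not routed via the tunnel."""
    result = []
    for prefix in prefixes:
        first_host = ipaddress.IPv4Network(prefix).network_address + 1
        route = best_route(routes, str(first_host))
        if route is None or route[2] != vpn_if:
            result.append(prefix)
    return result
```

Run against the posted table, `outside_tunnel(parse_routes(ROUTE_PRINT), CORPORATE)` reports 172.16.0.0/16 and 192.168.24.0/24, the two subnets whose traffic goes to 192.168.0.253 on the client's own LAN.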
 
Just noticed as well, that the VPN client is leaving those routes behind
when the VPN is closed down, which it shouldn't...
 
If I understand the routing correctly, the route command should be "add 172.16.0.0 mask 255.255.0.0 192.168.50.182"

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Hi Robert,

If I were manually adding the route (after dial/vpn up), then that would
be correct. But these entries are in the config file that the VPN
client downloads from our www site. The client then uses those to add
the routes. The problem is it's using the wrong routes.

A.
 