Thomas Themel
Hi,
I managed to implement an L2TP-over-IPSEC solution that works nicely with
Windows Clients (2000/XP Pro). However, when the clients dial the VPN
connection in a "road warrior" setting, it seems that ALL traffic is
routed over the VPN connection instead of just the traffic that is
destined for the network the user connects to.
That's obviously not what I want since I pay for the traffic from the
road warrior to the Internet twice, plus it degrades performance.
What I'm trying to achieve is something on the order of
road warrior -> 192.168.0.0/16 over VPN
road warrior -> 172.16.0.0/16 over VPN
road warrior -> all others over normal Internet connection
Is there a way to configure this in a somewhat idiot-proof way? I know I
can try and write a script to figure out the necessary route add/route
delete stuff and teach users to manually run it after connecting, but
that doesn't seem like The Right Thing to me.
Using persistent routes is not possible either since the same users plug
their machines into the LAN directly and need to use the direct routes
there.
Any ideas?
ciao,
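As an added example (not part of the original post), a small Python check that parses the "Active Routes" table of a Windows 2000/XP `route print` dump, reports whether the client is full-tunnelling or split-tunnelling, and shows which adapter carries traffic for a given destination. The routing table, the LAN address 192.168.1.100 and the PPP/VPN address 10.10.0.5 are constructed sample values.

```python
"""Check a Windows 2000/XP `route print` dump for full vs. split tunnelling."""
import ipaddress
import re

# Constructed sample: LAN adapter 192.168.1.100 (default gw 192.168.1.1) and a
# PPP/VPN adapter 10.10.0.5. The VPN default route has the lowest metric, so
# every non-local destination leaves through the tunnel (the poster's symptom).
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100       20
          0.0.0.0          0.0.0.0        10.10.0.5        10.10.0.5        1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1        1
      192.168.1.0    255.255.255.0    192.168.1.100    192.168.1.100       20
      192.168.0.0      255.255.0.0        10.10.0.5        10.10.0.5        1
       172.16.0.0      255.255.0.0        10.10.0.5        10.10.0.5        1
Default Gateway:         10.10.0.5
"""

ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from `route print`."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, 'Default Gateway:' line
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def egress_interface(routes, destination):
    """Longest-prefix match, lowest metric breaks ties: local address used."""
    addr = ipaddress.ip_address(destination)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]))[2] if hits else None


def tunnel_mode(routes, vpn_if):
    """'full' when the winning default route leaves via the VPN adapter."""
    return "full" if egress_interface(routes, "0.0.0.0") == vpn_if else "split"


def without_vpn_default(routes, vpn_if):
    """Routing table as it looks once the VPN's default route is gone."""
    return [r for r in routes if not (r[0].prefixlen == 0 and r[2] == vpn_if)]
```

Dropping the VPN default route models what clearing "Use default gateway on remote network" in the connection's advanced TCP/IP settings does; the two /16 routes via the PPP address still have to be present for the corporate prefixes to go over the tunnel, which is what the check verifies.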