VPN and NAT routing packets through public adapter


arrich

I'm using windows 2003 with an L2TP VPN and NAT configured on a public
adapter. We have a private network attached to a private adapter on the
same machine. We've run into a problem where when someone VPNs in and
contacts a server on the public network some packets of the response
get routed back to the VPN clients directly from the public adapter and
not sent across the VPN.

I'm assuming that our server has to be the source of these packets but
their format is from the originating public server's IP to the client
IP (not client VPN IP).

Thanks,
Anthony
 
There isn't really enough info here to even make a guess. What IP range
are you using for the remote clients? Do they get an IP in the same subnet
as LAN clients, or are they in their own subnet?
 
No. The LAN clients are getting private IPs like 192.168.0.1. There's
a public LAN network that the server is connected to which is in turn
connected to the internet. The packets in question tend to be responses
from WINS servers in the public portion of the network, where the
packets originating from our server are WINS server IP -> VPN client's
machine IP.
 
It really depends on how the name resolution works. If the name of the
client machine resolves to a public IP, the packet will go directly through
the Internet (unless it is blocked by a firewall). It will only go through
the VPN link if the name resolves to its private IP. Even if it gets the
correct IP, traffic originating on the public LAN for the VPN client is
unlikely to use the VPN link unless you have extra routing set up to
"bounce" the private LAN traffic to the VPN server. By default it will go to
the gateway router and be lost (unless the gateway router has a route to
forward it to the VPN router).

VPN private IP traffic must go to the VPN router to be encrypted and
encapsulated before it reaches any router on the public network.
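To make the routing argument in the reply above concrete, here is an added illustration (not code from the thread or from anyone in it) that simulates longest-prefix-match forwarding for a WINS reply leaving a server on the public LAN. All addresses are constructed placeholders from documentation and private ranges, and the VPN client pool 10.99.0.0/24 and the "bounce" route via the VPN server's public address are assumptions for the example, not values from the thread. It shows the three outcomes the reply describes: a reply addressed to the client's public IP goes straight out to the Internet, a reply addressed to the client's VPN IP is lost at the gateway unless the public LAN has a route back to the VPN server, and only with that route does the packet reach the VPN interface to be encrypted and encapsulated.

```python
import ipaddress

# Constructed placeholder addresses (RFC 5737 documentation and RFC 1918 ranges).
PUBLIC_LAN_GATEWAY = "198.51.100.1"   # default gateway on the public LAN
VPN_SERVER_PUBLIC = "198.51.100.10"   # VPN/NAT server's public adapter
CLIENT_PUBLIC_IP = "203.0.113.7"      # the VPN client's real Internet address
CLIENT_VPN_IP = "10.99.0.5"           # address the VPN server assigned to the client
VPN_POOL = "10.99.0.0/24"             # assumed VPN client pool (not from the thread)

# Routing tables as (prefix, next hop, interface) triples; "on-link" means deliver directly.
# A WINS server on the public LAN with only its default route:
WINS_SERVER_DEFAULT = [
    ("198.51.100.0/24", "on-link", "public LAN"),
    ("0.0.0.0/0", PUBLIC_LAN_GATEWAY, "public LAN"),
]
# The same host after adding the "bounce" route that sends VPN-pool traffic to the VPN server:
WINS_SERVER_WITH_BOUNCE = WINS_SERVER_DEFAULT + [
    (VPN_POOL, VPN_SERVER_PUBLIC, "public LAN"),
]
# The VPN/NAT server itself, with public, private and VPN interfaces:
VPN_SERVER_TABLE = [
    ("198.51.100.0/24", "on-link", "public adapter"),
    ("192.168.0.0/24", "on-link", "private adapter"),
    (VPN_POOL, "on-link", "vpn interface"),
    ("0.0.0.0/0", PUBLIC_LAN_GATEWAY, "public adapter"),
]


def lookup(table, dst):
    """Longest-prefix match: return (next hop, interface) for a destination address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return (best[1], best[2]) if best else None


def deliver(wins_table, dst):
    """Follow a WINS reply from the public-LAN WINS server and report where it ends up."""
    nexthop, _iface = lookup(wins_table, dst)
    if nexthop == "on-link":
        return "delivered on public LAN"
    if nexthop == PUBLIC_LAN_GATEWAY:
        # The Internet gateway knows nothing about the private VPN pool, so such packets are lost;
        # a public destination is simply forwarded out to the Internet, never entering the tunnel.
        if ipaddress.ip_address(dst) in ipaddress.ip_network(VPN_POOL):
            return "lost at gateway: no route to the VPN pool"
        return "sent directly over the Internet, bypassing the VPN"
    if nexthop == VPN_SERVER_PUBLIC:
        # Only here does the VPN server see the packet and can encrypt and encapsulate it.
        _, vpn_iface = lookup(VPN_SERVER_TABLE, dst)
        if vpn_iface == "vpn interface":
            return "encrypted and encapsulated by the VPN server"
        return f"forwarded by VPN server via {vpn_iface}"
    return "unreachable"


if __name__ == "__main__":
    for table_name, table in (("default", WINS_SERVER_DEFAULT), ("with bounce route", WINS_SERVER_WITH_BOUNCE)):
        for label, dst in (("client public IP", CLIENT_PUBLIC_IP), ("client VPN IP", CLIENT_VPN_IP)):
            print(f"{table_name:18} reply to {label:16} -> {deliver(table, dst)}")
```

Run it to see that changing which IP the client's name resolves to changes the path entirely, and that even the right (VPN) address only works once the public LAN can route the pool back to the VPN server.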
 