VPN and static routes re-visited


Patrick

I've read through a lot of threads that deal with this, but still don't see
a clear solution for MY particular situation, so here goes:

We have remote VPN users who work all day from home. They all have
high-speed Internet at home and connect to our RRAS servers using PPTP VPN
connections. They need to access resources on other subnets. If they check
"Use default gateway on remote network", this works fine. BUT, they can no
longer access the Internet. This is a problem.

I have set up static routes in DHCP using the static route option, and that
works great for internal LAN users, but the routes don't get added to the
VPN client's routing tables. Is this by design?

I've also tried adding persistent routes to the clients which again works
fine from inside the LAN, but not for remote VPN clients.
 
You may want to create a batch file to create a routing table accordingly.
Quoted from http://www.ChicagoTech.net:
Can't access the Internet while using VPN

Symptom: after establishing a VPN connection, you may not be able to access
the Internet because the VPN takes over your existing connection and all
traffic uses the VPN default gateway on the remote network. The remote
network may not allow VPN clients to access the Internet via their gateway.

Resolutions:
1) If you don't need to access the entire VPN resources, disable the "Use
default gateway on remote network" option in the properties of the VPN
connection. To do that, go to VPN
Connection->Properties->Network->TCP/IP->Properties->Advanced, and uncheck
"Use default gateway on remote network".
2) Edit the route table manually if you know how to, or check the routing
page on this web site.
3) For security reasons, some firewalls/routers like Cisco PIX do not
allow access to the Internet after establishing the VPN, and you cannot modify
the routing table. You may set up split-tunnel.


--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me unless you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Robert Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
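
A sketch of the kind of route script suggested in the reply above, added here as an example and not taken from the thread or from ChicagoTech.net. It is written in PowerShell rather than as a batch file and assumes Windows 8 / Server 2012 or later (NetTCPIP cmdlets), an elevated prompt, and "Use default gateway on remote network" unchecked; the connection name and the subnets are placeholders.

```powershell
# Added example (not from the thread). Run elevated, after the VPN has connected.
$VpnName          = 'Corp VPN'                            # hypothetical connection name
$InternalPrefixes = @('192.0.2.0/24', '198.51.100.0/24')  # placeholder subnets behind the RRAS server

# A route can only be bound to the tunnel once its PPP interface exists.
$vpnIf = Get-NetIPInterface -InterfaceAlias $VpnName -AddressFamily IPv4 -ErrorAction SilentlyContinue
if (-not $vpnIf -or $vpnIf.ConnectionState -ne 'Connected') {
    Write-Error "VPN interface '$VpnName' is not connected; no routes added."
    exit 1
}

# With the default-gateway box unchecked there should be no 0.0.0.0/0 route
# on the tunnel. Report it if one is present.
$default = Get-NetRoute -InterfaceIndex $vpnIf.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($default) {
    Write-Warning "Default route is present on '$VpnName'; all traffic is using the tunnel."
}

foreach ($prefix in $InternalPrefixes) {
    $existing = Get-NetRoute -InterfaceIndex $vpnIf.ifIndex -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "already present: $prefix"
        continue
    }
    # NextHop 0.0.0.0 means on-link: packets are handed to the point-to-point tunnel.
    # ActiveStore means not persistent: the route goes away when the tunnel drops.
    New-NetRoute -InterfaceIndex $vpnIf.ifIndex -DestinationPrefix $prefix `
                 -NextHop '0.0.0.0' -PolicyStore ActiveStore | Out-Null
    Write-Host "added: $prefix via $VpnName"
}

# List everything that now leaves through the tunnel, for review.
Get-NetRoute -InterfaceIndex $vpnIf.ifIndex -AddressFamily IPv4 |
    Sort-Object DestinationPrefix |
    Format-Table DestinationPrefix, NextHop, RouteMetric
```

Only the listed prefixes are sent through the tunnel; everything else keeps using the home connection's default route.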
 
If you have a lot of remote users in this situation, consider using CMAK
(connection manager admin kit). You can then configure the client settings
for remote users at the server, and have them downloaded to the client.
 
It sounds to me like there is no good solution to this problem. I have the
same issue, and to allow VPN clients to access resources on a subnet that is
different than the RRAS server, I have to manually add a static route to the
client's routing table, or check the "Use default gateway on remote network"
checkbox, and allow them to get their Internet traffic through the RRAS
server through the company's ISP.

--Mike
 
Mike
I agree, a good solution is certainly elusive. I've added persistent routes
to the clients, but when they're connected using the VPN, they don't work.
Maybe the remote clients will just have to avoid using the Internet while
VPN'd in...(they'll love that...)

Pat
 