[VPN] Can't delete 0.0.0.0 entry from Windows XP routing table

shailgov

Hi,

I currently have a NATed home network on 192.168.0.x.
My default Gateway : 192.168.0.1
Windows XP machine (NIC): 192.168.0.2

The routing table on Win XP machine has the following entry:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.2       1

Now when I connect to my VPN gateway (with a company proprietary
client) my VPN virtual adapter gets an IP address 199.151.101.15

And now the WinXP routing table looks like this:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   199.151.101.16 199.151.101.15       1

Any routes that I add henceforth, by default revert to the new VPN's
gateway address even after explicitly specifying my earlier default
address of 192.168.0.1

I tried to delete the 0.0.0.0 route and then add it again, but this
time with 192.168.0.1 gateway.

But I just can't delete the 0.0.0.0 route created on VPN connection.

Please help me resolve this situation.

Regards,
SG
 
Phillip Windell

> The routing table on Win XP machine has the following entry:
>
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.2       1

Yes. It is supposed to.

> Now when I connect to my VPN gateway (with a company proprietary
> client) my VPN virtual adapter gets an IP address 199.151.101.15
>
> And now the WinXP routing table looks like this:
>
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0   199.151.101.16 199.151.101.15       1

Yes. It is supposed to.

> Any routes that I add henceforth, by default revert to the new VPN's
> gateway address even after explicitly specifying my earlier default
> address of 192.168.0.1

Yes. It is supposed to.

> I tried to delete the 0.0.0.0 route and then add it again, but this
> time with 192.168.0.1 gateway.
>
> But I just can't delete the 0.0.0.0 route created on VPN connection.

You're not supposed to.

> Please help me resolve this situation.

It is the way it is supposed to be. There is nothing to resolve. One thing
you can do is disable "Use Gateway on Remote Network" within the
properties of the Dialup connection. But there are security reasons why
that is supposed to be enabled.
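
The route selection behind both snapshots in the question and behind the "Use Gateway on Remote Network" setting Phillip refers to, as an added example (this is not code from the thread and not from any VPN client): a small Python model of the XP table that picks the next hop by longest prefix match and then lowest metric, then classifies the table as a full tunnel (remote gateway in use, every non-local destination leaves via the VPN adapter) or a split tunnel (some active route sends traffic past the VPN). The two tables are constructed from the post above; the LAN default route left in place at metric 2 after connecting, the 203.0.113.5 public address for the VPN server and its host route, and the 198.51.100.10 probe address are assumptions, not something the thread shows. The last step models the manual host route shailgov says he could add with `route add`; whether a given client lets such a route stand is outside what the thread shows.

```python
"""Route-selection model for the Windows XP tables quoted in this thread.

Added example, not code from the thread or from any VPN client. The tables
below are constructed to mirror the before/after snapshots in the question;
the LAN default at metric 2, the 203.0.113.5 VPN server address and its host
route are assumptions about what a client installs.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    destination: str
    netmask: str
    gateway: str
    interface: str
    metric: int

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.destination}/{self.netmask}", strict=False)

    @property
    def on_link(self) -> bool:
        # Windows prints a directly connected route with gateway == interface.
        return self.gateway == self.interface


def parse_route_table(text: str) -> List[Route]:
    """Parse the five-column body of `route print`; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            for p in parts[:4]:
                ipaddress.IPv4Address(p)  # rejects any header/footer text
            routes.append(Route(*parts[:4], int(parts[4])))
        except ValueError:
            continue
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Next hop the stack picks: longest prefix first, lowest metric on a tie."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def classify_tunnel(routes: List[Route], vpn_iface: str,
                    vpn_server: Optional[str] = None) -> Tuple[str, List[Route]]:
    """Return ('none' | 'full' | 'split', routes that bypass the tunnel).

    A route bypasses the tunnel when it is the active choice for its prefix
    (not shadowed by a better metric), exits a non-VPN interface, and is
    neither on-link, loopback, nor the host route that carries the tunnel.
    Pass vpn_server so that last host route is not reported as a leak.
    """
    if not any(r.interface == vpn_iface for r in routes):
        return "none", []
    bypass = [
        r for r in routes
        if r.interface != vpn_iface
        and not r.on_link
        and not ipaddress.IPv4Address(r.interface).is_loopback
        and r.destination != vpn_server
        and lookup(routes, r.destination) == r
    ]
    return ("full" if not bypass else "split"), bypass


def add_host_route(routes: List[Route], host: str, gateway: str,
                   iface: str, metric: int = 1) -> List[Route]:
    """Model `route add <host> mask 255.255.255.255 <gateway>` on the LAN NIC."""
    return routes + [Route(host, "255.255.255.255", gateway, iface, metric)]


# Constructed tables (see module docstring for which rows are assumptions).
BEFORE_VPN = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.2       1
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.2    192.168.0.2       1
"""

AFTER_VPN = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   199.151.101.16 199.151.101.15       1
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.2       2
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.2    192.168.0.2       1
      203.0.113.5  255.255.255.255      192.168.0.1    192.168.0.2       1
   199.151.101.15  255.255.255.255        127.0.0.1      127.0.0.1       1
"""

if __name__ == "__main__":
    before, after = parse_route_table(BEFORE_VPN), parse_route_table(AFTER_VPN)
    probe = "198.51.100.10"  # any Internet address (documentation range)
    print("before VPN, next hop for", probe, "->", lookup(before, probe).gateway)
    print("after VPN,  next hop for", probe, "->", lookup(after, probe).gateway)
    print("after VPN:", classify_tunnel(after, "199.151.101.15", vpn_server="203.0.113.5")[0])
    leaky = add_host_route(after, probe, "192.168.0.1", "192.168.0.2")
    mode, bypass = classify_tunnel(leaky, "199.151.101.15", vpn_server="203.0.113.5")
    print("with manual host route:", mode, [r.destination for r in bypass])
```

The point the model makes visible: the client does not need to block `route delete` to win most of the time, because a /0 route at a lower metric already shadows the LAN default, and a deliberately added /32 via the LAN gateway beats both by prefix length. That host route is exactly the "manual split tunnel" the question hints at, and it is what `classify_tunnel` reports as a bypass. Feeding it a table captured with `route print` on a real machine works the same way, as long as the VPN server's public address is passed so its host route is not flagged.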
 
Bill

Phillip,

What are those security reasons please? I always thought it was a silly
default setting to use the remote gateway, because every time someone
connects then they can no longer access anything on the Internet. I use VPN
to access both a company network and also individual (friends') computers.

Thanks,

Bill
 
Richard G. Harper

Well, for one, if both are active you have just created an unprotected
bridge from the Internet to your internal network via a trusted (VPN)
connection. Fill in a list of potential bad things anyone could do with
that connection at your leisure. :)

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
shailgov

Hi Phillip,

I don't agree with your 'supposed to' statements. On a normal internet
connection I can delete the 0.0.0.0 route and reassign it, but once the
VPN client is connected it doesn't allow me to delete 0.0.0.0 route. I
am guessing it is something to do with the VPN client in not allowing
me to delete 0.0.0.0 as I could set up a split tunnel manually by doing
so.

I agree that split tunnelling is a risk on a direct internet
connection, but I am on a NAT with all inbound ports blocked. How could
split tunneling be of any danger in such a configuration.

Regards,
SG.

 
Phillip Windell

> I don't agree with your 'supposed to' statements. On a normal internet
> connection I can delete the 0.0.0.0 route and reassign it, but once the

Your experience sort of proves I'm right, doesn't it?,...considering it
behaves exactly the way I said it would.

> I agree that split tunnelling is a risk on a direct internet
> connection, but I am on a NAT with all inbound ports blocked. How could
> split tunneling be of any danger in such a configuration.

I didn't invent the rules,..I'm just telling you how it works. I also told
you how to adjust for it in my last paragraph of the first post.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
 
Phillip Windell

Bill said:
> What are those security reasons please? I always thought it was a silly
> default setting to use the remote gateway, because every time someone
> connects then they can no longer access anything on the Internet. I use VPN
> to access both a company network and also individual (friends') computers.

The level of the risk could probably be debated endlessly but the risk does
exist. If a user can use the Internet via their own personal LAN at the same
time they are VPN'ed into another LAN,...the LAN they VPN'ed into can become
a victim of whatever the user does on their end. So it is designed to
protect the LAN they are VPN'ing into. The Split-Tunneling can easily be
turned on or off, so it isn't a big deal,...but the default is to have
Split-Tunneling off (use Remote Gateway is checked).

This has been this way all the way back to the old "Dialup" days with Modems
which operate the same way,...but people back then did not have LANs in
their house and there was no such thing as VPN so most people never even
knew this existed. VPN operates as a "dialup" technology and works by the
same rules,...there is really nothing "new" in any of this.

 
Bill Brehm

Thank you.

 
Guest

There should be an option to use your local network connection in the VPN
client for internet access; set that.
 
