Posted by on January 10, 2006, 4:23 am
I have a Windows Server 2003 configured as a remote access VPN server. Everything works perfectly, however when I connect from a client machine to the VPN my internet connection gets taken over by the server's internet connection, in other words, not only is it routing my LAN but also the internet connection the server is on. Is it possible not to have the internet routed, just the LAN? But still be able to use client's internet connection? Thanks

Posted by Martin Bodenstedt on January 10, 2006, 4:32 am
This is by design.

Once your VPN connection is open the VPN client should only allow traffic through the tunnel for security reasons (keyword here is "Split tunneling").

This also means that once your PC has the VPN connection open the PC cannot see the LAN anymore (to protect the corporate network from being infiltrated by rogue PCs...).

--
Martin Bodenstedt (www.die-bodenstedts.de / www.maboko.de)

Posted by Simon on January 10, 2006, 8:18 am
Martin Bodenstedt wrote:
> ioevanc@gmail.com wrote:
>> Hello
>>
>> I have a Windows Server 2003 configured as a remote access VPN server.
>> Everything works perfectly, however when I connect from a client
>> machine to the VPN my internet connection gets taken over by the
>> server's internet connection, in other words, not only is it routing my
>> LAN but also the internet connection the server is on.
>
> This is by design.
>
> Once your VPN connection is open the VPN client should only allow
> traffic through the tunnel for security reasons (keyword here is "Split
> tunneling").
>
> This also means that once your PC has the VPN connection open the PC
> cannot see the LAN anymore (to protect the corporate network from being
> infiltrated by rogue PCs...

Martin is correct, however I'm sure you can still see the local subnet.

Martin, it's only the default route that's affected.

With the Windows client you can get round it though if you consider the risks worthwhile. Here's what I posted the other day in response to a similar question:

"Yes it's a security risk if the remote computer becomes compromised, as the internet connection going out locally could allow a back door into your network when the client VPN is connected. However with the MS client you can open up split routing to do what you need: in the TCP/IP properties of the remote PC's connection to you, under advanced, untick the 'use default gateway on remote network'. Then only traffic destined for the subnet that the client VPN address gets goes down the tunnel, all else goes out locally. If there is more than one subnet at your location the remote clients would need to use the route add command to add the additional routes needed."

simon
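
Added example, not part of the thread and not any poster's code: a small Python model of the client routing table under the 'use default gateway on remote network' setting described above, showing which interface each destination leaves by and flagging the split-tunnel state. All addresses, interface labels, metrics and function names are constructed assumptions; it models plain route lookup only, not any filtering a VPN client may add.

```python
import ipaddress

# Constructed sample addressing (assumptions, not taken from the thread).
VPN_SUBNET = "10.8.0.0/24"     # subnet the client's VPN address comes from
SECOND_SITE = "10.9.0.0/24"    # an additional subnet behind the VPN server
LOCAL_LAN = "192.168.1.0/24"   # the client's own LAN

def build_table(use_remote_gateway, extra_vpn_routes=()):
    """Client routing table as (network, interface, metric) tuples."""
    routes = [("0.0.0.0/0", "local", 20),  # client's own internet gateway
              (LOCAL_LAN, "local", 20),    # on-link local subnet
              (VPN_SUBNET, "vpn", 1)]      # added when the tunnel comes up
    if use_remote_gateway:
        # Box ticked: second default route via the tunnel with a better metric.
        routes.append(("0.0.0.0/0", "vpn", 1))
    # Routes an admin adds by hand with "route add" for further subnets.
    routes += [(net, "vpn", 1) for net in extra_vpn_routes]
    return [(ipaddress.ip_network(n), i, m) for n, i, m in routes]

def egress(table, dst):
    """Longest-prefix match; equal prefixes are decided by lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    _net, iface, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface

def is_split_tunnel(table):
    """True when tunnel routes exist but internet traffic leaves locally."""
    has_vpn = any(iface == "vpn" for _, iface, _ in table)
    return has_vpn and egress(table, "203.0.113.10") == "local"

def report(table):
    """Egress interface for one probe address per kind of destination."""
    probes = {"vpn_subnet": "10.8.0.5", "second_site": "10.9.0.5",
              "internet": "203.0.113.10", "local_lan": "192.168.1.50"}
    return {name: egress(table, ip) for name, ip in probes.items()}

if __name__ == "__main__":
    cases = [("gateway ticked", build_table(True)),
             ("gateway unticked", build_table(False)),
             ("unticked + route add", build_table(False, [SECOND_SITE]))]
    for label, table in cases:
        print(label, report(table), "split tunnel:", is_split_tunnel(table))
```

The same `is_split_tunnel` test can be applied to a real client's routing table when auditing which remote machines reach the internet and the tunnel at the same time.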
Posted by on January 10, 2006, 12:16 pm
Thanks for your help, I appreciate it.
Posted by Martin Bodenstedt on January 11, 2006, 4:12 am
Simon wrote:
> Martin is correct, however I'm sure you can still see the local subnet
> Martin, it's only the default route that's affected.

That should not be the case as all local PCs (those in the same subnet) could still use the tunnel, which I as a corporate network admin would never tolerate. A good VPN client permits no traffic through the tunnel other than from (or to) the local machine itself.

--
Martin Bodenstedt (www.die-bodenstedts.de / www.maboko.de)
VPN Internet routing problem