VPN connection kills Internet Connection

Running Win2K Pro. I have a successful connection to my company's VPN from my home office (No home network, a standalone box connected to DSL).

When I make the connection through the VPN all other Internet traffic dies. I can't use a browser, e-mail prog, instant messenger, etc.

As soon as I disconnect the VPN connection all regular traffic is restored.

I've gone over settings with our IT department, who checked with our firewall manufacturer for any clues. All my Windows network settings seem to be correct. I have the VPN address set up as a trusted site with Zone Alarm.

Any thoughts from anyone would be appreciated.

Reply to
Bailey

Bailey wrote in news: snipped-for-privacy@news2.newsguy.com:

If you are using the built-in VPN, go to the Networking tab, select TCP/IP, click on Properties, then Advanced. On the General tab, uncheck the "Use default gateway ..." box.

Reply to
Jerry Bacon

Hi Jerry;

I tried that. The problem there is that when it's unchecked I can login to the VPN, but the application I need to use can't find the 192.168.xxx.xxx server address on the company network to login, rendering the connection useless.

It's an either/or thing. I either:

1) Have Internet connection and no useful VPN connection to use the company application.

2) A working VPN Connection to successfully use the company application, but no use of other Internet applications.

Reply to
Bailey

Interesting. I was under the impression that connections remained separate. Which makes it even more confusing because other co-workers can use their other applications while connected through the VPN. I seem to be the exception to the rule.

Reply to
Bailey

Martin; That's the odd thing. I can't access the Internet through the company's firewall either. And as far as we can determine a proxy isn't necessary, though I will bring that issue up again today. Thanks for your ideas.

Reply to
Bailey

Bailey wrote:

Which is as it should be:

Once your VPN tunnel is up and running *all* traffic must go through your company's internet connection.

Reply to
Martin Bodenstedt

Bailey wrote:

You should be able to use your applications as long as you don't need your own LAN.

Internet should be accessible through your company's firewall (you might have to set a proxy though).

Reply to
Martin Bodenstedt

Bailey wrote:

Can you ping anything on the other side?

Reply to
Martin Bodenstedt

Windows VPN like pptp or l2tp/ipsec do allow you to go the split route option (uncheck use default gateway on remote network under tcpip/advanced properties), so that local lan traffic still stays local, and only traffic for the subnet that the VPN server has given you an address on goes down the tunnel. It could be that the remote site has more than one subnet, so in this case by default the traffic won't get there. You can drop to a cmd prompt though and add in the additional subnets as routes via the tunnel ;) Bit of a pain as normally you will get a different IP address each time you connect there, but this can be automated/semi automated with a batch file. Simon

Reply to
Simon

Oh and if you tell us the subnets/addresses you need to get to and the subnet masks involved that would help, 192.x.x.x networks aren't routed on the net so it's not a security problem ;) Simon

Reply to
Simon

If the company firewall is not routing the data to the internet, then they may be able to change the configuration to allow this. On equipment I have used, if the default settings didn't do it, then I usually need to create a separate NAT rule to translate traffic on the VPN virtual interfaces as a separate rule.

If you are using the built-in Windows PPTP/L2TP client, you could also build a package using the dialup network administration kit tool that is in Windows 2003 server to create a connectoid that includes the option to not use default gateway on remote network but also includes some static route entries for the VPN to allow you access into other subnets on the company network. That's a task for your network administrator though, but you could mention it.

Generally though, best practises dictate that while you are connected through the company network you should be using the company firewall to prevent attacks on your machine from giving the remote attacker access to your active VPN connections. At least if the attacker does the attack through the company firewall then it's a problem that would have happened if you were on the VPN or at work so nobody can blame the VPN for causing a problem that wouldn't have happened otherwise.

Reply to
Mike Drechsler - SPAM PROTECTE

You have multiple subnets at work, but the vpn is not giving you a route to them.

First, find out what your IP address is for the vpn. (ipconfig)

Second, add a route to the 192 network. (route add 192.168.0.0 mask 255.255.0.0 your_vpn_ip)

"route print" would be helpful to determine what the problem is.

Reply to
Joe Beasley
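The advice from Simon (add the extra company subnets as routes via the tunnel, scripted because the VPN-assigned address changes) and from Joe (look at "route print" first) can be checked without touching a real machine. The following is an added example, not code posted by anyone in this thread. It parses the IPv4 table in the layout Windows "route print" uses, resolves a destination the way the stack does (longest prefix, then lowest metric), and emits the "route add ... mask ..." commands for any needed subnet that does not already exit via the tunnel. The two routing tables are constructed samples: 10.0.0.x stands in for the DSL side, 172.16.5.9 for the VPN-assigned address, 203.0.113.7 for the VPN server's public address, and 192.168.1.0/24 for the company subnet Bailey's application cannot reach.

```python
"""Resolve routes from constructed Windows `route print` output and plan the
static routes a split-tunnel VPN client needs.  Added example; all addresses
are constructed and the tables are not taken from any real host."""
import ipaddress
import re

# Constructed: "Use default gateway on remote network" CHECKED.  The PPP adapter
# installs a second 0.0.0.0 route with a better metric than the DSL default, plus a
# host route to the VPN server's public address so the tunnel itself is not tunnelled.
ROUTE_PRINT_FULL_TUNNEL = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.0.1        10.0.0.5       2
          0.0.0.0          0.0.0.0      172.16.5.9      172.16.5.9       1
         10.0.0.0    255.255.255.0        10.0.0.5        10.0.0.5       1
       172.16.5.9  255.255.255.255       127.0.0.1       127.0.0.1       1
      203.0.113.7  255.255.255.255        10.0.0.1        10.0.0.5       1
===========================================================================
"""

# Constructed: same connection with the box UNCHECKED (split tunnel).  Only the
# subnet the VPN server put us on goes down the tunnel; 192.168.1.0/24 is absent.
ROUTE_PRINT_SPLIT_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.0.1        10.0.0.5       1
         10.0.0.0    255.255.255.0        10.0.0.5        10.0.0.5       1
       172.16.5.0    255.255.255.0      172.16.5.9      172.16.5.9       1
       172.16.5.9  255.255.255.255       127.0.0.1       127.0.0.1       1
      203.0.113.7  255.255.255.255        10.0.0.1        10.0.0.5       1
"""

# One route line: destination, netmask, gateway, interface, metric (all IPv4 except metric).
_QUAD = r"(\d+\.\d+\.\d+\.\d+)"
ROUTE_LINE = re.compile(rf"^\s*{_QUAD}\s+{_QUAD}\s+{_QUAD}\s+{_QUAD}\s+(\d+)\s*$")


def parse_route_print(text):
    """Return a list of route dicts; header, separator and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def lookup(routes, destination):
    """Pick the route for `destination`: longest prefix first, lowest metric on a tie."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def exit_interface(routes, destination):
    """Interface address the packet leaves on, or None if unroutable."""
    route = lookup(routes, destination)
    return route["interface"] if route else None


def missing_vpn_routes(routes, vpn_ip, needed_subnets):
    """Windows `route add` commands for subnets that currently do not exit via the tunnel.

    A subnet counts as reachable when its first host resolves to the VPN interface.
    """
    commands = []
    for cidr in needed_subnets:
        net = ipaddress.ip_network(cidr)
        probe = str(net.network_address + 1)
        if exit_interface(routes, probe) == vpn_ip:
            continue
        commands.append(f"route add {net.network_address} mask {net.netmask} {vpn_ip}")
    return commands


if __name__ == "__main__":
    full = parse_route_print(ROUTE_PRINT_FULL_TUNNEL)
    split = parse_route_print(ROUTE_PRINT_SPLIT_TUNNEL)
    # Full tunnel: a public web server is routed into the VPN (Bailey's symptom).
    print("full tunnel, 198.51.100.20 exits via", exit_interface(full, "198.51.100.20"))
    # Split tunnel: the web is fine, but the company server goes out the DSL line.
    print("split tunnel, 198.51.100.20 exits via", exit_interface(split, "198.51.100.20"))
    print("split tunnel, 192.168.1.10 exits via", exit_interface(split, "192.168.1.10"))
    for cmd in missing_vpn_routes(split, "172.16.5.9", ["172.16.5.0/24", "192.168.1.0/24"]):
        print(cmd)
```

On a real host you would feed the saved output of "route print" to parse_route_print and read the VPN-assigned address from "ipconfig" each time the connection comes up; the generated commands use the Windows syntax, where the keyword is "mask" rather than "netmask", and they vanish with the connection unless "-p" is used, which is exactly why Simon suggests a batch file.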

Simon wrote:

Excuse me.

The *external* IP address changes, which is irrelevant to the routing *inside* the VPN (and even if you are assigned a different VPN internal IP address each time the tunnel is opened, that should not be a problem).

If you have to reach several IP subnets within your VPN, why not set the default gateway of your VPN subnet to the VPN gateway at headquarters?

Btw, split tunneling is a security headache for several reasons:

Consider your remote PC connected to a local LAN with one or more PCs being virus infected. What would stop these PCs from misusing the VPN-connected PC to send stuff out through your VPN (remember: viruses need not use the IP protocol but could use NetBIOS RPC as well)?

Reply to
Martin Bodenstedt

Joe Beasley wrote:

255.255.0.0 your_vpn_ip)

Your VPN internal IP address should not come from the same subnet as your external IP address and should use the VPN gateway as default gateway...

Reply to
Martin Bodenstedt

Why? If the company LAN is (for example) 192.168.1.0/24 then why should it not route to 192.168.1.0/24 via the VPN and leave the default route as the normal ISP/DSL connection?

Reply to
Graham Murray

For security reasons:

In your example you have an insecure link (outside the control of your company's network administrator, that is) from the internet through your PC to the company network.

You could - for example - have spyware on your PC that is logging your work for the company and sending it out via your own internet connection without your company ever getting wind of it...

Reply to
Martin Bodenstedt
