seeing outside corporate network when on VPN

When I work at home, I connect to the company intranet through the company VPN from either my condo or my mother's house. In both cases I use a Netgear WGR614 wireless router. The VPN is located physically at the company.

Once I am on the company intranet through the VPN, I can access the company development websites, but I can't see the regular internet at all. I would like to be able to see the regular internet as well as the company intranet. What do I need to figure out?

Here is what ipconfig shows when I am not on the VPN:

C:\ugc\widget-bak\widgets>ipconfig

Windows IP Configuration

Ethernet adapter Bluetooth Network Connection:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.2.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1

C:\ugc\widget-bak\widgets>

Here is what ipconfig shows when I am on the VPN, I edited the ip address here for confidentiality of course:

=============================

C:\ugc\widget-bak\widgets>ipconfig

Windows IP Configuration

Ethernet adapter Bluetooth Network Connection:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.2.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1

PPP adapter Connect to my-company Corporate LAN - Go to webvpn.my-company.com instead of dialing directly:

        Connection-specific DNS Suffix  . : office.mycompany.com
        IP Address. . . . . . . . . . . . : 10.6x.0.8x
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :

C:\ugc\widget-bak\widgets>

Reply to
wbsurfver

When you are at work, can you get to the internet?

This is likely a feature of your company's VPN configuration. With Nortel, it is called "Mandatory Tunnel Mode", where it is mandatory that all traffic pass through the VPN tunnel. This is usually a good thing, unless you have devices on your local network that you want to reach.

The alternative would be split tunneling, where you would be able to see devices through the VPN, and also your original network.

You have no control over it, but the VPN admins probably do.

There's also another set, where you can get to the company VPN, maybe the internet through them, and also are allowed access to your home network, if it is of the prescribed address setting. I forget what that's called. Soft Tunneling?

Reply to
dold

You will not be able to surf the web, as your company has blocked access to it for security reasons. Most major companies do this. It may be a breach of security to attempt a bypass and could result in being dismissed.

Reply to
BigJim

" snipped-for-privacy@yahoo.com" hath wroth:

That's the usual way a VPN is set up. When you're connected to the corporate LAN (through the VPN), then you do not have access to the internet. You can tweak it by changing the setting for the default gateway. There are two choices: use gateway on remote system, and use local gateway. The local gateway will give you internet access. It will also probably violate the company's rules and open your system to a grab bag of exploits and security issues. The worst would be to bridge (or tunnel) between the internet and the corporate LAN, essentially exposing the company network to the internet direction, without the benefits of a firewall.

If you must surf the internet, disconnect from the corporate VPN, and your default gateway will be restored to the local router, which will give you internet access.

Reply to
Jeff Liebermann

I disagree. Your route to the internet is through the corporate LAN not usually cut off. Most companies allow access to the internet.

I disagree. If the corporate VPN is tunneled, you have no access to your local LAN at all, including your own gateway.

Even with a split tunnel on a Nortel VPN, I can't change the routing once the VPN is started. Some things I can set permanent routes for before I connect the VPN, some are taken by the corporate VPN.

Reply to
dold

snipped-for-privacy@06.usenet.us.com hath wroth:

Huh? I can't tell if you're suggesting that the route to the internet must be through the corporate LAN, or if you're suggesting that it might be. Either way will work because the only machines that should be accessible through the VPN are those on the corporate LAN. Surfing the web through the corporate LAN is not my idea of efficient use of bandwidth.

PPTP VPN TCP/IP setup has the option of "use default gateway on remote network" as in:

which explains how to get simultaneous internet and VPN access (split tunnel), something I consider to be a generally bad idea. All other VPN clients have a similar option.

Well yeah. Nortel and SecureNet based VPN clients have mandatory settings that override any tinkering you attempt. However, know that I can set up a VPN using the SecureNet client, NOT enable mandatory settings, and tinker away merrily.

Reply to
Jeff Liebermann

Jeff Liebermann hath wroth:

Incidentally, note that the OP's VPN IP setup has no default gateway:

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.2.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1

        Connection-specific DNS Suffix  . : office.mycompany.com
        IP Address. . . . . . . . . . . . : 10.6x.0.8x
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :

which implies that it was never intended to be used for general internet access and that all access was to be with systems in the 10.xxx.xxx.xxx private IP block (presumably on the corporate LAN).

Reply to
Jeff Liebermann

Corporate security teams don't care about efficiency - just "do it my way or else" :)

The VPN server can be set up to force the "no split tunnel" option on some products.

"no split tunnel" seems to override the routing table on a Cisco VPN client so all the user traffic goes through the tunnel.

There was a rash of VPN products that would "policy check" the client a few years back.

The idea was the PC would have to have the right config running, virus checker up to date etc, or it is not allowed onto the corp network until that is fixed - it gets parked in a crippled DMZ where upgrades can be done instead.

Reply to
stephen

Efficiency isn't the point, access is. By tunneling into the corporate LAN, corporate filters and firewalls can be applied to all traffic, making the internet a little safer place to visit.

Sonic.net has VPN to their server for all of their subscribing WiFi clients. I think that is offered as a security against WiFi snooping.

If allowed by the VPN server that you are using. Even though my client allows split tunneling, I couldn't use a split tunnel until I was added to the configured list of users with that permission.

I think not. You have to be able to configure the server as well.

Reply to
dold

I worked with a client whose VPN was _only_ for Lotus Notes. There was no access to any other machine on their intranet.

Whatever... You don't get to choose what happens on the other side of the VPN end point, and you might not get to choose what happens in your own client.

Reply to
dold

You have a client that allows you to ignore server settings that are mandatory?

That seems like rather buggy behavior. What does "mandatory" mean?

Reply to
dold

Well, let's see if that's true. I'll dig out the secure laptop later tonight and try it with the SecureNet client.

Connecting to my home network from the XP SP2 PPTP client, to my home DD-WRT PPTP server, I get:

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.111.9
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.111.33

PPP adapter home.learnbydestroying.com:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.15.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.15.2

My office LAN is on 192.168.111.xxx with the router at 192.168.111.33. (Yeah, I know. I picked some goofy IP's long ago and have never bothered to fix them). Note that that default gateway is the remote router.

I'm still surfing the internet, but judging by the flashing lights, the traffic is all going through the remote gateway. Checking with traceroute:

C:\>tracert

Tracing route to [72.14.253.104]
over a maximum of 30 hops:

  1    44 ms    48 ms    42 ms  192.168.15.1
  2    46 ms    45 ms    39 ms  dsl-63-249-85-gateway.cruzio.com [63.249.85.1]
  3   117 ms   104 ms   105 ms  114.at-5-0-0.gw3.200p-sf.sonic.net [74.220.64.17]
  (blah-blah-blah...)
 12    69 ms    71 ms    67 ms  po-in-f104.google.com [72.14.253.104]

Yep. Cruzio is my ISP at home.

Now, I disconnect and uncheck the box labelled "use default gateway on remote server". Now, the IP layout changes to:

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.111.9
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.111.33

PPP adapter home.learnbydestroying.com:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.15.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :

Note that the default gateway on the remote system is blank, which means that the default gateway is the local system. Trying traceroute again:

C:\>tracert

Tracing route to [72.14.253.103]
over a maximum of 30 hops:

  1     1 ms

Reply to
Jeff Liebermann
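The experiment above rests on reading two things off the client: the Default Gateway field of the PPP adapter in ipconfig, and what the routing table actually does with 0.0.0.0/0. The two can disagree, which is the OP's situation: a blank gateway on the PPP adapter, yet no internet, because the VPN client installed its own default route. The following Python script is an added example, not code from the thread or from any VPN vendor; it parses constructed ipconfig and route print output modelled on what is quoted above (the corporate address is a placeholder for the redacted 10.6x.0.8x) and reports which adapter really owns the default route.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the ipconfig output quoted in the thread;
# 10.60.0.80 is a placeholder for the redacted corporate address.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.2.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1

PPP adapter Connect to my-company Corporate LAN:

        Connection-specific DNS Suffix  . : office.mycompany.com
        IP Address. . . . . . . . . . . . : 10.60.0.80
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
"""

# Constructed sample of the IPv4 "Active Routes" table of "route print": the
# VPN client has added a default route via the PPP interface with a metric
# that beats the wireless adapter's, so all traffic enters the tunnel even
# though ipconfig shows a blank gateway on the PPP adapter.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.2      25
          0.0.0.0          0.0.0.0       10.60.0.80      10.60.0.80       1
      192.168.2.0    255.255.255.0      192.168.2.2     192.168.2.2      25
Default Gateway:        10.60.0.80
"""

ADAPTER_RE = re.compile(r"^(Ethernet|PPP) adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+(.*?)[ .]*:\s*(.*)$")   # "Name . . . : value"


@dataclass
class Adapter:
    kind: str                       # "Ethernet" or "PPP"
    name: str
    fields: dict = field(default_factory=dict)


def parse_ipconfig(text):
    """Split ipconfig output into adapters with their field/value pairs."""
    adapters, current = [], None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = Adapter(kind=m.group(1), name=m.group(2).strip())
            adapters.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current.fields[m.group(1).strip()] = m.group(2).strip()
    return adapters


def gateway_hint(adapters):
    """What the PPP adapter's Default Gateway field suggests: 'full' when it
    points at the remote network, 'split' when blank, None without a PPP
    adapter. Only a hint: the routing table has the final say."""
    ppp = [a for a in adapters if a.kind == "PPP"]
    if not ppp:
        return None
    return "full" if ppp[0].fields.get("Default Gateway") else "split"


def default_route_interface(route_text):
    """Interface address owning the lowest-metric 0.0.0.0/0 route in the
    IPv4 table of 'route print', or None if there is no default route."""
    best = None
    for line in route_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "0.0.0.0" or parts[1] != "0.0.0.0":
            continue
        try:
            metric, iface = int(parts[4]), str(ipaddress.ip_address(parts[3]))
        except ValueError:
            continue                # header or otherwise unparsable row
        if best is None or metric < best[0]:
            best = (metric, iface)
    return best[1] if best else None


def vpn_route_report(ipconfig_text, route_text):
    """Combine both views and say which adapter really carries the default route."""
    adapters = parse_ipconfig(ipconfig_text)
    via = default_route_interface(route_text)
    owner = next((a for a in adapters if a.fields.get("IP Address") == via), None)
    return {
        "gateway_hint": gateway_hint(adapters),
        "default_route_via": via,
        "default_route_adapter": owner.name if owner else None,
        "all_traffic_tunneled": owner is not None and owner.kind == "PPP",
    }
```

Run against the constructed samples, the report says gateway_hint is "split" but all_traffic_tunneled is True, which is exactly the mismatch the OP saw: a blank gateway field does not mean local routing is in effect if the client also owns the lowest-metric default route.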

I changed my mind. If your client is allowed to "ignore" settings that are said to be "mandatory", that is the broken part. But could a client like that connect to my VPN server?

Now that I have a split tunnel, my gateway is blank, leaving it up to my local routing to decide where to route packets. I see that there are a lot of entries in my route /print. I can't do anything to my routing, or the VPN aborts with a complaint that routing can't be adjusted while the VPN is active. If I set a persistent route before I start the VPN, I can save some local access, like my cable modem at 192.168.100.1, but that didn't work when I had mandatory tunneling.

When I had mandatory tunneling, my VPN gateway was my address on the VPN.

Like the model numbers and revision levels for hardware, it might be helpful to know what products he is trying to use. In any properly set up enterprise solution, I wouldn't expect the end user to be able to tamper with things that the enterprise wanted to keep set.

If I connected to a hotspot somewhere, I always connected the tunneled VPN as soon as possible.

Reply to
dold

Well, there's nothing broken about being able to change the settings. The SecureNet clients that I'm familiar with allow this within the client configuration. Lots of options and config variations to get lost in. I find myself doing all too much trial and error before I get it right. However, once it's set and saved, I can mark the saved file as "non-editable", which means no more tweaking allowed.

The big question is what the IT department distributes. Presumably, it's the non-tweakable configuration that enforces the IT department's edicts and does not allow routing changes. However, if they're clueless, they could just as easily have distributed a saved version that allows changes.

Probably. Many IPSec clients are made to be fairly universal and will connect to just about anything. However, some are really simplistic and offer a limited number of compatible VPN servers.

Oops. I guess I'm half wrong. Leaving the default gateway blank allows local routing, but if the VPN stack checks for and prevents changes, then it's not going to happen. That kinda makes sense because the IT department does not know the IP address of your local router and therefore would not normally configure it into their VPN configuration.

Yeah. That sends literally everything through the VPN. That drives me nuts when I have a local network printer that magically becomes inaccessible when the VPN is running. Depending on the VPN client, I can sometimes set up a static route to the printer. More often, I'm stuck with setting up a USB or parallel connection so the customer can print.

Hey... that's my line. Copyright pending on my accompanying insults and insulting remarks.

Neither would I, but how does one accommodate creative home network installations, such as my network printing problem? The easiest solution is to use a hardware product with a dedicated VPN port. I'm seeing more and more SSL VPNs, which are MUCH easier to set up and configure, and don't have routing issues.

I have a VPN tunnel set up to my home and office networks. Nothing fancy, just PPTP. However, I just use those for email and document transfers. For moving files, I use WinSCP:

through an SSH tunnel. Works with most (not all) of the ISP's I deal with. However, for general web browsing, I rely on SSL for commerce security and don't care for the other stuff. VPN and SSL tunnels are just too slow for general browsing. Besides, I don't need security for downloading driver updates and such.

Incidentally, consider yourself at fault for ruining my evening. I decided it was time to renumber the IP's in the office. That involved changing the IP's of the router and my main server. Trying to remember how to set the default route in SCO Unix 3.2v4.2 was no fun. Then the printers crapped out and I had to reset their default route. Now, SNMP is complaining, my syslog junk is going to the wrong server, inside DNS is a mess, and I'm getting hungry. Before I can fix any of the damage, I need a suitable culprit and you're it. Please note that being blamed is actually an honor and that it is not necessary to thank me.

Reply to
Jeff Liebermann

No, ignoring "mandatory" settings is broken, unless I misunderstand the meaning of mandatory.

There is another VPN tunnel buzzword that I forget, that allows you to access a defined LAN. It would be simple enough to tell everyone that their home LAN needs to be 192.168.48.0 if they want access to their local printer. A static persistent route to my network printer didn't work when I had mandatory tunneling.

That's why I used it ;-)

Lots of low end printers have WiFi built in now. The $399 1TB file server thing at Best Buy only has network connections, no USB. My 10 year old HP4000N has ethernet.

Yeah, but... It was there, I liked it.

The cable modem is my slow link. I can hit wire speed with or without VPN to the same site.

oh, never do that... I did that accidentally, by resetting my router to defaults (hey, that was your advice!), losing my MAC-IP reservations, and then I couldn't figure out (months later) why my file sharing didn't work... firewall setup.

Reply to
dold

Yeah, one would assume that mandatory means that you can't play with the settings. However, there's some question as to how much of the configuration is enforced in that manner. For example, if the IT department was worried about the other family machines on the LAN getting into the corporate LAN via the VPN, the configuration might intentionally disconnect all local LAN connections (like the network printer). On the other foot, if they wanted to accommodate weird and all too common home networks, they could leave the local LAN devices accessible (and by implication, user reconfigurable). Lots of options and possibilities.

Static route?

I have 2 network printers at home. 3 more in the office. I just got a Samsung CLP-550N color laser printer, so I guess that's now 4 in the office. Never mind all the NAS (network attached storage) boxes at both locations. I don't think IT wants to deal with my home nightmare.

Much more disgusting is when the corporate LAN at the end of the VPN and the local LAN both have the same class C IP block. For example, if both are on 192.168.1.xxx. It won't take much to create a duplicate IP address even if the tunnel is assigned a different IP block. That's why I use 192.168.111.xxx for my office LAN and use other numbers for my customers.

Yep. Same here depending on where I point the gateway.

For a moment, I thought you were emulating my style, agreeing with my methodology, and adopting all my bad habits. Please don't scare me like that again.

Yep. And as soon as you connect to your corporate VPN, they all disappear from your LAN.

Some things are just too slow to run over a VPN, as compared to using a remote desktop (PC Anywhere, VNC, MS remote desktop, etc) solution. For example, running a program that insists on constantly loading and unloading a bunch of small modules to do things is really slothish on a VPN, but perfectly usable with remote desktop software.

Nicely done. I'm still recovering from the damage done when changing IP's, but it's not too horrible. I still have some boxes to tweak. As for resetting the router, I accept the responsibility but not the blame. Any decent router should have a way to save the settings. I never reset anything without first saving the settings. However, I was playing with the flashing lights and the GPIO command last night. One of the GPIO commands initiated a grand reset to defaults of the router. This was not exactly planned and required that I restore from my backups. Fortunately, I've been doing firmware upgrades, so there were plenty of previous backups. I also have printed copies, but those would take some effort to excavate. Incidentally, I carry the saved settings with me on a USB dongle because I use them as templates for creating newer setups.

Reply to
Jeff Liebermann

No. This is an allowance to get to specified network ranges when even a static route wouldn't work. Mandatory tunneling with an exception. I thought I saw a buzzword applied, but now all I can find is my own coining of the phrase "soft tunneling" ;-(

Cisco docs define networks to be tunneled versus clear. Your 192.168.111 could be defined as clear.

"The default is to tunnel all traffic. To set a split tunneling policy, enter the split-tunnel-policy command in group-policy configuration mode.

The excludespecified keyword defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client.

The tunnelall keyword specifies that no traffic goes in the clear or to any other destination than the security appliance. This, in effect, disables split tunneling. Remote users reach Internet networks through the corporate network and do not have access to local networks. This is the default option.

The tunnelspecified keyword tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's Internet service provider. "

That led to a statement of fact by our IT group that Linksys routers wouldn't work with VPN, only SMC. The truth was that our small corporate LAN used the default subnet, and that was the same as the default on Linksys. SMC had a different default subnet, so your home network wouldn't conflict with the VPN.

I would ask why a static route would be affected by where you pointed the gateway, but I'm bored with mandatory versus split.

That's not VPN versus unencrypted, that's thin client versus dragging the data across a WAN to your server.

Reply to
dold
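The three keywords quoted from the Cisco docs (tunnelall, tunnelspecified, excludespecified) amount to one routing decision per destination, driven by a network list, and the "Linksys won't work with VPN" story is what happens when that list overlaps the user's home subnet. The Python below is an added example written for this thread, not Cisco's code or the thread's: it models the decision for each keyword against a constructed network list, checks a home LAN for overlap with tunneled networks, and flags the local-device case (printer, cable modem) that the posts keep tripping over.

```python
import ipaddress

POLICIES = ("tunnelall", "tunnelspecified", "excludespecified")


def route_decision(policy, network_list, destination):
    """Return 'tunnel' or 'clear' for one destination under the named
    split-tunnel-policy keyword. network_list holds CIDR strings standing
    in for the network list (ACL) the policy refers to."""
    if policy not in POLICIES:
        raise ValueError(f"unknown split-tunnel policy: {policy!r}")
    dst = ipaddress.ip_address(destination)
    listed = any(dst in ipaddress.ip_network(n) for n in network_list)
    if policy == "tunnelall":
        return "tunnel"                 # Internet included; no local access
    if policy == "tunnelspecified":
        return "tunnel" if listed else "clear"
    return "clear" if listed else "tunnel"      # excludespecified


def overlapping_networks(local_lan, network_list):
    """Networks in the list that overlap the user's home LAN. A host at home
    can then collide with a corporate address, the root cause of the story
    above where both sides sat on the same default subnet."""
    lan = ipaddress.ip_network(local_lan)
    return [n for n in network_list if ipaddress.ip_network(n).overlaps(lan)]


def reachability(policy, network_list, local_lan, destinations):
    """Per destination: where it is routed, and whether it is a device on
    the home LAN whose traffic the policy pulls into the tunnel."""
    lan = ipaddress.ip_network(local_lan)
    report = {}
    for d in destinations:
        path = route_decision(policy, network_list, d)
        on_home_lan = ipaddress.ip_address(d) in lan
        report[d] = {"path": path,
                     "local_device_captured": on_home_lan and path == "tunnel"}
    return report


# Constructed corporate network list (not from the thread) and a home LAN
# on the 192.168.2.0/24 the OP's router hands out.
CORP_NETWORKS = ["10.0.0.0/8", "192.168.1.0/24"]
HOME_LAN = "192.168.2.0/24"
DESTINATIONS = ["192.168.2.50", "10.60.0.8", "72.14.253.104"]
```

With tunnelall every destination, the home printer at 192.168.2.50 included, is routed into the tunnel; with tunnelspecified the printer and the public address go in the clear and only the 10.0.0.0/8 host is tunneled. Had the home LAN been 192.168.1.0/24, overlapping_networks would report the conflict with the corporate list before anyone blamed the router brand.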

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.