PPTP VPN Startup Connect

I have a Microsoft Windows 2000 PPTP VPN Client that I use to connect to a remote server. I have a RoadRunner Cable connection that is available all the time.

As the VPN is configured now, I have to make the Client connection manually after I start my computer.

How do I make the connection on my end happen automatically when I start my computer?

Reply to
Bob

If you do that, you won't be able to use your connection for anything else unless you use split tunneling, which is considered a security risk. Normally when VPN is up, all other internet connectivity is down. That's by design.

Reply to
mikah

Then the design is flawed because I am able to access the Internet and connect to the VPN at the same time. And I am not using any "split tunnelling". I am using MS PPTP VPN, the one that comes with Windows 2000.

Where did you get this bizarre notion that "Normally when VPN is up, all other internet connectivity is down. That's by design."?

Reply to
Bob

The remote computer is already connected to the Internet, otherwise I could not connect to it.

Anyway, the MS PPTP VPN connection allows you to choose where your Internet access is - on your machine or on the remote machine. Obviously you would choose to have your Internet connection on your machine since you use the Internet connection on your machine to establish the VPN connection to the remote machine.

Reply to
Bob

Bob wrote:

Just think about it:

You use your VPN connection to access a remote network.

If you have - at the same time - an open internet connection you open that remote computer to the internet (not easily, agreed, but possibly).

Reply to
Martin Bodenstedt

True, it's good security to do this, however with the Windows client it's easy to bypass this. Anyway, nobody answered the original question. My suggestion would be to look at the rasdial command (cmd prompt); you can launch VPN connections from there, so perhaps a batch file in the startup folder would do it. I'm sure there's a much more elegant way though :) Simon

Reply to
Simon

He incorrectly implied that you lose internet connectivity in the default settings. What is actually happening is your computer will send all internet traffic over the VPN. If the remote VPN endpoint is configured to allow this traffic access to the internet through their connection then your internet will still appear to work, though all your traffic will now appear to be coming through the remote side's connection. Many VPN endpoints are configured by default to deny all VPN-sourced traffic access to the internet so that it appears that while you are on the VPN the internet will not work. If the administrator chooses to allow VPN users access to the internet through that connection they would need to change the settings (likely the NAT mappings or a firewall rule) to explicitly allow VPN users access through the gateway to the internet.

The idea behind this is that on the remote side they already have a firewall configured to their policy on security. On your local side, your firewall is not controlled by them so you could allow all inbound access to your machine for example and if you have some trojan on your computer a hacker can control your machine and by doing so have access to the networks that your machine is connected to including the remote VPN network. There was a well publicised case of exactly this happening to a Microsoft employee allowing the hacker access to the internal Microsoft network through his home computer.

In the Microsoft PPTP client you can turn off the setting that sends all your internet traffic to the VPN. In many clients for different VPN routers there is a setting that the administrator can use to prevent users from disabling this split tunnelling feature in their own clients for the reason I just stated.

Reply to
Mike Drechsler - SPAM PROTECTE

MS PPTP VPN has an option whether you want your Internet connection to be on your machine or on the remote machine. Of course you choose to keep the Internet connection on your machine. There is no reason to use the remote to access the Internet when access is provided by your machine.

Reply to
Bob

Microsoft is hiring security experts.

You sound like a perfect candidate.

Reply to
Snak

Bob wrote:

You are missing the point:

The remote computer certainly is connected to the internet using *its own* security access policy.

Of course you open the VPN connection through the internet. But once the VPN connection is open you should not be able to bypass the VPN connection. You should *only* be able to access the remote machine (and maybe the internet through that remote machine depending on that machine's security policy). Otherwise you open the remote to the internet using *your* internet connection and not the *remote* computer's...

Reply to
Martin Bodenstedt

Windows 2K Help has the following statement:

"You can also automate the connection process for any Microsoft client by using a simple batch file and the rasdial command or by using a custom, Windows NT and Windows 2000 application that recognizes remote access."

Since I do not have any "custom, Windows NT and Windows 2000 application that recognizes remote access.", I am stuck with "a simple batch file and the rasdial command".

So I suppose I would use

rasdial "connection name" username password

Hot Damn! It actually works. This calls for celebration. Imagine that - a Microsoft command that works the very first time. Unbelievable, incredible, astronomical, a miracle.

Thanks for the answer to my query. Now I have another question.

Does the MS PPTP VPN Client connection time out? I notice that after a while the connection drops for some reason. I want to keep it on all the time so my son can get into my machine when he wants.

Reply to
Bob
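A startup batch file built on the rasdial suggestion in the posts above, added here as an example and not written by anyone in the thread. It assumes the user name and password are saved in the dial-up entry so that no password sits in the file, uses "connection name" as a placeholder for the entry name, and redials whenever the link is found down; the 60-second interval is an arbitrary choice.

```batch
@echo off
rem Added example, not from the thread. Put a shortcut to it in the Startup folder.
rem ENTRY is a placeholder: use the name shown in Network and Dial-up Connections.
rem Assumption: credentials are saved in that entry, so rasdial needs no
rem user name or password here and none is stored in this file in clear text.
set ENTRY=connection name
rem Seconds to wait between checks (arbitrary value).
set WAIT=60

:check
rem rasdial with no arguments lists the currently active connections by name.
rasdial | find /i "%ENTRY%" >nul
if not errorlevel 1 goto sleep

echo %date% %time% "%ENTRY%" is not connected, dialing...
rasdial "%ENTRY%"
if errorlevel 1 echo %date% %time% rasdial failed with error %errorlevel%

:sleep
rem Windows 2000 has no built-in sleep or timeout command, so wait by
rem pinging the loopback address: N+1 pings take roughly N seconds.
set /a PINGS=%WAIT%+1
ping -n %PINGS% 127.0.0.1 >nul
goto check
```

The form `rasdial "connection name" username password` shown above also works, but it leaves the password readable by anyone who can open the batch file.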

Not if I configure the VPN not to do that.

There is a checkbox in the setup that asks if you want the Internet connection to come from the remote (as it would if it were an ISP) or from your machine. I told it my machine, so my machine gets its Internet connectivity from my Internet connection, not the remote one.

Reply to
Bob

I would be privileged to work for Microsoft. Please send me an application.

Who do you work for? The federal govt.

Reply to
Bob

Bob wrote:

You're still not getting the point:

By doing it the way you suggest you're compromising the remote machine by opening the remote machine to the internet via _your_ machine bypassing any internet access guidelines imposed on the remote machine by its admin.

If I were the admin of the remote machine (or network), I'd kick you out the minute I become aware of you doing split tunneling...

Reply to
Martin Bodenstedt

Exactly.

And that's why we're restricting VPN access to our network to VPN software solutions that lock down the configuration on the client side to prevent split tunneling while the VPN link is open. All our VPN clients have full internet access through our corporate internet firewall (implementing virus scanning, spam discovery, trojan blocking, spy ware blocking and the like)

Please don't forget that doing it your way not only opens your PC to the internet but also the remote one.

Reply to
Martin Bodenstedt

What do you mean by "opens your PC to the internet"? My PC is always open to the Internet when I am connected to the Internet.

That's why I have a NAT router, Kerio Personal Firewall, Computer Associates Anti Virus.

The only hole thru the firewall I know about is port 1723 and that is socketed to the VPN, which listens for encrypted data.

If you had my WAN IP, how would you break into my PC even if I were connected to a VPN?

Reply to
Bob

This connection is between my son's computer and my computer. Before he bought his own house he and I shared files on our LAN. But now that he is in a different location we had to set up the VPN to share files. I see no reason for him to kick me off his machine. He has the same NAT router, the same firewall and the same antivirus s/w that I have so we are identically configured.

What "split tunneling"? He told his machine to use his Internet connection and not use mine. I told my machine to use my Internet connection and not use his. Why would the VPN s/w ignore those instructions and set up any "split tunnel" in the first place?

Reply to
Bob

Bob wrote:

OK.

You don't _want_ to see my (and not only my) point.

Bye then (and good luck)...

:-(

Reply to
Martin Bodenstedt

Like talking to a sack of hammers isn't it?

Reply to
Snak

Actually I do or I would not keep replying.

But I can't see your point because it is hidden behind jargon I do not understand.

I have an Internet connection at my house. My son has an Internet connection at his house. I connect to his network over the Internet using the MS PPTP VPN supplied with Win2K/XP. I use my Internet connection for my Internet access and he uses his. There is no "split tunnel" that I am aware of. Actually I do not understand that term, so I can't say for certain that I do not have any.

How does this expose him or me any more than we are exposed by being connected to the Internet? What does the VPN do that causes this special kind of exposure? The only port that is open thru both NAT routers (his and mine) is port 1723 and it is socketed to the VPN software which expects encrypted traffic. With the MS PPTP VPN, there can only be one connection at a time.

How is someone going to hack into my system when I am connected to his network?

Reply to
Bob
