Split tunneling with cmak


Martin Rhodin

Hi

I have made a CMAK VPN connection, which has added some routes and removed
the default gateway so both the intranet and the user's own internet gateway are
available. Now this works on Windows XP but it doesn't in Vista, and I think
it's some security issue. I have turned off UAC and have no third party
firewall. The intranet is available but the internet is not. Googled for a
solution but it doesn't seem like there is one and it's a known issue for many
people. Please advise if you have any thoughts on this.

Thank you.

Martin Rhodin
 
Hi,

I have got a workaround for this issue. While installing the dialer make
sure that it is installed using the "My use only" option, which is the default. Next,
I haven't tried this with UAC disabled; it works for sure when UAC is
enabled. Try it and let me know the status.

Thanks

Ashish Pingle

"Martin Rhodin" wrote:

> Hi
>
> I have made a CMAK VPN connection, which has added some routes and removed
> the default gateway so both the intranet and the user's own internet gateway are
> available. Now this works on Windows XP but it doesn't in Vista, and I think
> it's some security issue. I have turned off UAC and have no third party
> firewall. The intranet is available but the internet is not. Googled for a
> solution but it doesn't seem like there is one and it's a known issue for many
> people. Please advise if you have any thoughts on this.
>
> Thank you.
>
> Martin Rhodin
>
>
>
 
I've found a workaround for this. Instead of using the CMAK Routing
Table update, use the Classless Static Routes DHCP Option.

USING THE CLASSLESS STATIC ROUTES DHCP OPTION

Windows 2000, Windows XP, and Windows Server 2003-based VPN clients
send a DHCPInform message to the VPN server, requesting a set of DHCP
options. This is done so that the VPN client can obtain an updated list
of DNS and WINS servers and a DNS domain name that is assigned to the
VPN connection. The DHCPInform message is forwarded to a DHCP server on
the organization intranet by the VPN server and the response is sent
back to the VPN client.
Windows XP and Windows Server 2003-based VPN clients include the
Classless Static Routes DHCP option in their list of requested DHCP
options. If configured on the DHCP server, the Classless Static Routes
DHCP option contains a set of routes representing the address space of
your intranet. These routes are automatically added to the routing table
of the requesting client when it receives the response to the DHCPInform
message and automatically removed when the VPN connection is
terminated.
The Windows Server 2003 DHCP Server service supports the configuration
of the Classless Static Routes option (option number 249).

To use the Classless Static Routes option for split tunneling,
configure this option for the scope that corresponds to the intranet
subnet to which the VPN server is connected. Next, add the set of routes
that correspond to the summarized address space of your organization
intranet. For example, if you use the private IP address space for your
organization intranet, the Classless Static Routes option would have the
following three routes:

- 10.0.0.0 with the subnet mask of 255.0.0.0
- 172.16.0.0 with the subnet mask of 255.240.0.0
- 192.168.0.0 with the subnet mask of 255.255.0.0

The Router IP address for each route added to the Classless Static
Routes option should be set to the IP address of a router interface on
the intranet subnet to which the VPN server is connected. For example,
if the VPN server is connected to the intranet subnet 10.89.211.0/24 and
the IP address of the intranet router on this subnet is 10.89.21.1, then
set the Router IP address for each route to 10.89.21.1.

NOTE:

Do _not_ set the VPN connection to be the default gateway.

You will also need Vista SP1 or this 'You cannot use a remote access
server to apply DHCP options to a Windows Vista-based computer'
(http://support.microsoft.com/kb/933340/) hotfix.

hope this helps


--
jasonpgreen
 
Hi, I'm having this problem also and would love to get it solved as more
people are trying to connect to our VPN using Vista. I'm a bit confused
by the above explanation. My VPN server is a Windows 2003 appliance
with a custom front end. I'm not sure how to modify the DHCP scope in
the way described. Any help would be appreciated.

Thanks
Tim


--
timinator
 
Hi Tim,

If you are using Windows 2003 standard Routing and Remote Access, then
you just need to set it, in properties, to assign IP addresses via DHCP.
Then add the Classless Static routes in the Windows 2003 DHCP server.

Cheers

Jason


--
jasonpgreen
 
Jason, the server does supply addresses via DHCP. And also static
routes. The front end creates the connectoid using CMAK. Here is a look at
the routes added by CMAK during the wizard.

REMOVE_GATEWAY
ADD 172.17.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 172.18.1.10 MASK 255.255.255.255 default METRIC default IF default
ADD 192.99.99.163 MASK 255.255.255.255 default METRIC default IF default

but on connection from the client, Vista will not allow these commands
to run.

Thanks
Tim


--
timinator
 
Hi Tim,

You need to recreate the CMAK.

1. Remove the part that adds the routes:
REMOVE_GATEWAY
ADD 172.17.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 172.18.1.10 MASK 255.255.255.255 default METRIC default IF default
ADD 192.99.99.163 MASK 255.255.255.255 default METRIC default IF default

2. Make sure you do _not_ select the CMAK VPN as the default route.

Then add the Classless Static Routes to your DHCP server as I described
previously. Then the DHCP server will provide the required static
routes.

Cheers

Jason


--
jasonpgreen
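To see what the DHCP server actually hands the client once the CMAK routes are moved to the Classless Static Routes option, here is an added example (not CMAK or Microsoft code, and not from any poster in this thread) that encodes and decodes the option's wire format and translates the CMAK routing-table lines quoted above into it. It assumes the Microsoft option 249 payload uses the same encoding as RFC 3442 option 121 (prefix length, only the significant destination octets, then the router address); the CMAK line grammar handled is only what the quoted lines show (REMOVE_GATEWAY and ADD dest MASK mask ...), and the router address used for Tim's routes is a constructed placeholder because the thread gives none.

```python
"""Encode/decode the DHCP Classless Static Routes option (RFC 3442 option 121;
assumed here to share its encoding with Microsoft option 249) and convert the
CMAK routing-table lines from this thread into that option.

Added example for the thread, not CMAK or Microsoft code.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def encode_csr(routes: List[Route]) -> bytes:
    """Per route: one byte of prefix length, then only the significant
    destination octets (ceil(prefix/8) of them), then the 4-byte router.
    10.0.0.0/8 via 10.89.21.1 is therefore just 6 bytes on the wire."""
    out = bytearray()
    for net, router in routes:
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += router.packed
    return bytes(out)


def decode_csr(data: bytes) -> List[Route]:
    """Parse option bytes back into routes, rejecting malformed input (bad
    prefix length, truncated entry, host bits set) instead of installing it."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        sig = (plen + 7) // 8
        if i + 1 + sig + 4 > len(data):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = data[i + 1:i + 1 + sig] + b"\x00" * (4 - sig)
        router = data[i + 1 + sig:i + 1 + sig + 4]
        # strict=True (default) makes IPv4Network raise if host bits are set
        routes.append((ipaddress.IPv4Network((dest, plen)),
                       ipaddress.IPv4Address(router)))
        i += 1 + sig + 4
    return routes


def build_csr(dests: List[Tuple[str, str]], router: str) -> bytes:
    """[(destination, subnet mask), ...] plus one router address, the shape
    in which the DHCP console asks for these values."""
    gw = ipaddress.IPv4Address(router)
    return encode_csr([(ipaddress.IPv4Network((d, m), strict=False), gw)
                       for d, m in dests])


def describe(data: bytes) -> List[str]:
    """Readable view of an encoded option, e.g. '10.0.0.0/8 via 10.89.21.1'."""
    return [f"{net} via {router}" for net, router in decode_csr(data)]


def cmak_routes_to_csr(cmak_lines: List[str], router: str) -> Tuple[bytes, bool]:
    """Translate CMAK 'ADD <dest> MASK <mask> ...' lines into the option.
    REMOVE_GATEWAY has no DHCP equivalent; it is reported back because the
    matching CMAK setting is to not use the VPN as the default gateway."""
    gw = ipaddress.IPv4Address(router)
    routes: List[Route] = []
    remove_gateway = False
    for raw in cmak_lines:
        parts = raw.split()
        if not parts:
            continue
        if parts[0].upper() == "REMOVE_GATEWAY":
            remove_gateway = True
            continue
        if len(parts) < 4 or parts[0].upper() != "ADD" or parts[2].upper() != "MASK":
            raise ValueError(f"unrecognised CMAK route line: {raw!r}")
        routes.append((ipaddress.IPv4Network((parts[1], parts[3]), strict=False), gw))
    return encode_csr(routes), remove_gateway


# Jason's example: the three private summaries via intranet router 10.89.21.1
RFC1918_DESTS = [("10.0.0.0", "255.0.0.0"),
                 ("172.16.0.0", "255.240.0.0"),
                 ("192.168.0.0", "255.255.0.0")]

# Tim's CMAK routing table as quoted in the thread (wrapped last line joined)
TIM_CMAK_TABLE = [
    "REMOVE_GATEWAY",
    "ADD 172.17.0.0 MASK 255.255.0.0 default METRIC default IF default",
    "ADD 172.18.1.10 MASK 255.255.255.255 default METRIC default IF default",
    "ADD 192.99.99.163 MASK 255.255.255.255 default METRIC default IF default",
]
PLACEHOLDER_ROUTER = "192.0.2.1"  # constructed: the thread gives no router for Tim's subnet

if __name__ == "__main__":
    opt = build_csr(RFC1918_DESTS, "10.89.21.1")
    print("option 249/121 payload:", opt.hex())
    for line in describe(opt):
        print("  ", line)
    tim_opt, drop_gw = cmak_routes_to_csr(TIM_CMAK_TABLE, PLACEHOLDER_ROUTER)
    print("Tim's routes as option bytes:", tim_opt.hex())
    print("REMOVE_GATEWAY seen (untick default gateway in CMAK):", drop_gw)
```

Decoding the bytes captured from a client's DHCPInform reply with `describe()` is a quick way to confirm the server is sending exactly the intranet summaries intended and nothing that would steer internet traffic into the tunnel; the decoder deliberately rejects truncated entries and host bits rather than guessing.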
 
Thanks for that info. I'm still not sure where to add the classless
routes? Is it the server's static routes?


Thanks


--
timinator
 
I'm not able to get to that module. The "Manage your Server" or
"Configure your Server wizard" are not available in "Administrative
Tools". Is there a run command to get there?

Thanks


--
timinator
 
On the server running your dhcp server, click on Start -> Admin Tools ->
DHCP

Cheers

Jason


--
jasonpgreen
 