VPN - VPN connection kills Internet Connection

Bailey

2005-10-10, 5:48 pm

Running Win2K Pro. I have a successful connection to my company's
VPN from my home office (No home network, a standalone box connected
to DSL).

When I make the connection through the VPN all other Internet
traffic dies. I can't use a browser, e-mail prog, instant messenger,
etc.

As soon as I disconnect the VPN connection all regular traffic is
restored.

I've gone over settings with our IT department, who checked with our
firewall manufacturer for any clues. All my Windows network settings
seem to be correct. I have the VPN address set up as a trusted site
with Zone Alarm.

Any thoughts from anyone would be appreciated.
--
Jeff Bailey
jeff[at]baileyjs.com
www.baileyjs.com

My System Info:
Win2k Pro, Soyo K7VTA Pro, AMD Duron 900mhz, 768MB ram,
ATI All-in-Wonder 128 video card,
Opera 8.5, Agent 3.1, Trillian Pro 3.1,
Zone Alarm, AVG Anti-Virus
and a lot of other crap.
Jerry Bacon

2005-10-10, 5:48 pm

Bailey <usenet@baileyjs.com> wrote in news:didqn20rug@news2.newsguy.com:

> Running Win2K Pro. I have a successful connection to my company's
> VPN from my home office (No home network, a standalone box connected
> to DSL).
>
> When I make the connection through the VPN all other Internet
> traffic dies. I can't use a browser, e-mail prog, instant messenger,
> etc.
>
> As soon as I disconnect the VPN connection all regular traffic is
> restored.


If you are using the built-in VPN, go to the Networking tab, select TCP/IP,
click on Properties, then Advanced. On the General tab, uncheck the "Use
default gateway ..." box.
Bailey

2005-10-10, 5:48 pm

On Mon, 10 Oct 2005 14:37:56 GMT, Jerry Bacon
<jbacon-no@spam-telcomplus.net> typed:

>Bailey <usenet@baileyjs.com> wrote in news:didqn20rug@news2.newsguy.com:
>
>If you are using the built-in VPN, go to the Networking tab, select TCP/IP,
>click on Properties, then Advanced. On the General tab, uncheck the "Use
>default gateway ..." box.


Hi Jerry;

I tried that. The problem there is that when it's unchecked I can
login to the VPN, but the application I need to use can't find the
192.168.xxx.xxx server address on the company network to login,
rendering the connection useless.

It's an either/or thing. I either:

1) Have Internet connection and no useful VPN connection to use the
company application.

2) A working VPN Connection to successfully use the company
application, but no use of other Internet applications.
--
Jeff Bailey
jeff[at]baileyjs.com
www.baileyjs.com

My System Info:
Win2k Pro, Soyo K7VTA Pro, AMD Duron 900mhz, 768MB ram,
ATI All-in-Wonder 128 video card,
Opera 8.5, Agent 3.1, Trillian Pro 3.1,
Zone Alarm, AVG Anti-Virus
and a lot of other crap.
Martin Bodenstedt

2005-10-11, 7:47 am

Bailey schrieb:

> When I make the connection through the VPN all other Internet
> traffic dies. I can't use a browser, e-mail prog, instant messenger,
> etc.


Which is as it should be:

Once your VPN tunnel is up and running, *all* traffic must go through your
company's internet connection.


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)
Bailey

2005-10-11, 7:47 am

On Tue, 11 Oct 2005 08:44:27 +0200, Martin Bodenstedt
<martin.bodenstedt@gmx.de> typed:

>Bailey schrieb:
>
>Which is as it should be:
>
>Once your VPN tunnel is up and running, *all* traffic must go through your
>company's internet connection.


Interesting. I was under the impression that connections remained
separate. Which makes it even more confusing because other
co-workers can use their other applications while connected through
the VPN. I seem to be the exception to the rule.
--
Jeff Bailey
jeff[at]baileyjs.com
www.baileyjs.com

My System Info:
Win2k Pro, Soyo K7VTA Pro, AMD Duron 900mhz, 768MB ram,
ATI All-in-Wonder 128 video card,
Opera 8.5, Agent 3.1, Trillian Pro 3.1,
Zone Alarm, AVG Anti-Virus
and a lot of other crap.
Martin Bodenstedt

2005-10-11, 7:47 am

Bailey schrieb:
> On Tue, 11 Oct 2005 08:44:27 +0200, Martin Bodenstedt
> <martin.bodenstedt@gmx.de> typed:


> Interesting. I was under the impression that connections remained
> separate. Which makes it even more confusing because other
> co-workers can use their other applications while connected through
> the VPN. I seem to be the exception to the rule.


You should be able to use your applications as long as you don't need
your own lan.

Internet should be accessible through your company's firewall (you might
have to set a proxy though).


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)
Bailey

2005-10-11, 7:47 am

On Tue, 11 Oct 2005 12:34:23 +0200, Martin Bodenstedt
<martin.bodenstedt@gmx.de> typed:

>Bailey schrieb:
>
>You should be able to use your applications as long as you don't need
>your own lan.
>
>Internet should be accessible through your company's firewall (you might
>have to set a proxy though).


Martin;
That's the odd thing. I can't access the Internet through the
company's firewall either. And as far as we can determine a proxy
isn't necessary, though I will bring that issue up again today.
Thanks for your ideas.
--
Jeff Bailey
jeff[at]baileyjs.com
www.baileyjs.com

My System Info:
Win2k Pro, Soyo K7VTA Pro, AMD Duron 900mhz, 768MB ram,
ATI All-in-Wonder 128 video card,
Opera 8.5, Agent 3.1, Trillian Pro 3.1,
Zone Alarm, AVG Anti-Virus
and a lot of other crap.
Martin Bodenstedt

2005-10-12, 5:59 pm

Bailey schrieb:
> On Tue, 11 Oct 2005 12:34:23 +0200, Martin Bodenstedt
> <martin.bodenstedt@gmx.de> typed:


> Martin;
> That's the odd thing. I can't access the Internet through the
> company's firewall either. And as far as we can determine a proxy
> isn't necessary, though I will bring that issue up again today.
> Thanks for your ideas.


Can you ping anything on the other side?


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)
Simon

2005-10-12, 5:59 pm

Bailey wrote:
> On Tue, 11 Oct 2005 12:34:23 +0200, Martin Bodenstedt
> <martin.bodenstedt@gmx.de> typed:
>
> Martin;
> That's the odd thing. I can't access the Internet through the
> company's firewall either. And as far as we can determine a proxy
> isn't necessary, though I will bring that issue up again today.
> Thanks for your ideas.



Windows VPNs like PPTP or L2TP/IPsec do allow you to go the split route
option (uncheck use default gateway on remote network under
tcpip/advanced properties), so that local lan traffic still stays local,
and only traffic for the subnet that the VPN server has given you an
address on goes down the tunnel. It could be that the remote site has
more than one subnet, so in this case by default the traffic won't get
there. You can drop to a cmd prompt though and add in the additional
subnets as routes via the tunnel ;)
Bit of a pain as normally you will get a different IP address each time
you connect there, but this can be automated/semi automated with a batch
file.
Simon
Simon

2005-10-12, 5:59 pm

Simon wrote:
> Bailey wrote:
>
> Windows VPNs like PPTP or L2TP/IPsec do allow you to go the split route
> option (uncheck use default gateway on remote network under
> tcpip/advanced properties), so that local lan traffic still stays local,
> and only traffic for the subnet that the VPN server has given you an
> address on goes down the tunnel. It could be that the remote site has
> more than one subnet, so in this case by default the traffic won't get
> there. You can drop to a cmd prompt though and add in the additional
> subnets as routes via the tunnel ;)
> Bit of a pain as normally you will get a different IP address each time
> you connect there, but this can be automated/semi automated with a batch
> file.
> Simon


Oh and if you tell us the subnets/addresses you need to get to and the
subnet masks involved that would help, 192.x.x.x networks aren't routed
on the net so it's not a security problem ;)
Simon
Mike Drechsler - SPAM PROTECTED EMAIL

2005-10-12, 5:59 pm

Bailey wrote:
> On Tue, 11 Oct 2005 12:34:23 +0200, Martin Bodenstedt
> <martin.bodenstedt@gmx.de> typed:
>
> Martin;
> That's the odd thing. I can't access the Internet through the
> company's firewall either. And as far as we can determine a proxy
> isn't necessary, though I will bring that issue up again today.
> Thanks for your ideas.



If the company firewall is not routing the data to the internet, then
they may be able to change the configuration to allow this. On
equipment I have used, if the default settings didn't do it, then I
usually need to create a separate NAT rule to translate traffic on the
VPN virtual interfaces as a separate rule.

If you are using the built-in Windows PPTP/L2TP client, you could also
build a package using the dialup network administration kit tool that is
in Windows 2003 server to create a connectoid that includes the option
to not use default gateway on remote network but also includes some
static route entries for the VPN to allow you access into other subnets
on the company network. That's a task for your network administrator
though, but you could mention it.

Generally though, best practises dictate that while you are connected
through the company network you should be using the company firewall to
prevent attacks on your machine from giving the remote attacker access
to your active VPN connections. At least if the attacker does the
attack through the company firewall then it's a problem that would have
happened if you were on the VPN or at work so nobody can blame the VPN
for causing a problem that wouldn't have happened otherwise.



--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Joe Beasley

2005-10-12, 5:59 pm

You have multiple subnets at work, but the vpn is not giving you a route to them.

First, find out what your IP address is for the vpn. (ipconfig)

Second, add a route to the 192 network. (route add 192.168.0.0 mask 255.255.0.0 your_vpn_ip)

"route print" would be helpful to determine what the problem is.
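A batch file that automates what Simon and Joe describe above (read the address the VPN server handed out, then add routes for the remaining company subnets through the tunnel), added here as an example rather than code from the thread. The connection name "Company VPN" and the two subnets in SUBNETS are assumed placeholders; "Use default gateway on remote network" is assumed to be unchecked, so the default route stays with the DSL line.

```batch
@echo off
rem Added example (not from the thread): with "Use default gateway on remote network"
rem unchecked, look up the address the VPN server assigned and add routes for the
rem other company subnets through the tunnel, as Simon and Joe describe by hand.
rem VPN_NAME and SUBNETS ("network mask;...") are placeholders, not thread values.
setlocal enabledelayedexpansion
set "VPN_NAME=Company VPN"
set "SUBNETS=192.168.10.0 255.255.255.0;192.168.20.0 255.255.255.0"
rem ipconfig prints a heading per adapter ("PPP adapter Company VPN:") followed by
rem its "IP Address" (Win2K/XP) or "IPv4 Address" (Vista and later) line; track which
rem adapter we are under and take the address of the VPN one.
set "VPN_IP="
set "IN_VPN=0"
for /f "tokens=1,* delims=:" %%A in ('ipconfig') do (
    set "LINE=%%A"
    if not "!LINE:adapter =!"=="!LINE!" (
        set "IN_VPN=0"
        if not "!LINE:%VPN_NAME%=!"=="!LINE!" set "IN_VPN=1"
    )
    if "!IN_VPN!"=="1" (
        set "HIT=0"
        if not "!LINE:IP Address=!"=="!LINE!" set "HIT=1"
        if not "!LINE:IPv4 Address=!"=="!LINE!" set "HIT=1"
        if "!HIT!"=="1" (
            set "VPN_IP=%%B"
            set "VPN_IP=!VPN_IP: =!"
            set "VPN_IP=!VPN_IP:(Preferred)=!"
            set "IN_VPN=0"
        )
    )
)
if not defined VPN_IP (
    echo No address found for "%VPN_NAME%" - is the VPN connected?
    exit /b 1
)
echo VPN address: %VPN_IP%
rem route add NETWORK mask NETMASK GATEWAY: our own tunnel address as the gateway
rem hands the packets to the PPP interface. No -p, so the routes die with the tunnel
rem instead of lingering with a stale address after the next reconnect.
for %%S in ("%SUBNETS:;=" "%") do (
    for /f "tokens=1,2" %%N in (%%S) do (
        echo Adding route %%N mask %%O via %VPN_IP%
        route add %%N mask %%O %VPN_IP%
    )
)
rem The default route (0.0.0.0) should still point at the DSL gateway; only the
rem company subnets should list the VPN address as their gateway.
route print | findstr /c:"0.0.0.0" /c:"%VPN_IP%"
endlocal
```

Run it from a cmd prompt after the VPN connection is up; the final route print lines let you confirm that only the company subnets, not the default route, go down the tunnel.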
Martin Bodenstedt

2005-10-13, 5:54 pm

Simon schrieb:

> It could be that the remote site has
> more than one subnet, so in this case by default the traffic won't get
> there. You can drop to a cmd prompt though and add in the additional
> subnets as routes via the tunnel ;)
> Bit of a pain as normally you will get a different IP address each time
> you connect there, but this can be automated/semi automated with a batch
> file.


Excuse me.

The *external* IP address changes which is irrelevant to the routing
*inside* the VPN (and even if you are assigned a different vpn internal
IP - Address each time the tunnel is opened, that should not be a problem).

If You have to reach several IP subnets within your vpn why not set the
default gateway of your VPN subnet to the vpn gateway at headquarters?

Btw, split tunneling is a security headache for several reasons:

Consider your remote PC connected to a local LAN with one or more PCs
being virus infected. What would stop these PCs from misusing the VPN
connected PC to send stuff out through your VPN (remember: viruses need
not use the IP protocol but could use netbios rpc as well)?


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)
Martin Bodenstedt

2005-10-13, 5:54 pm

Joe Beasley schrieb:
> You have multiple subnets at work, but the vpn is not giving you a route to them.
>
> First, find out what your IP address is for the vpn. (ipconfig)
>
> Second, add a route to the 192 network. (route add 192.168.0.0 mask 255.255.0.0 your_vpn_ip)
>
> "route print" would be helpful to determine what the problem is.


Your VPN internal IP address should not come from the same subnet as
your external IP address and should use the VPN gateway as default
gateway...


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)
Graham Murray

2005-10-24, 9:35 am

Martin Bodenstedt <martin.bodenstedt@gmx.de> writes:

> Which is as it should be:
>
> Once your VPN tunnel is up and running, *all* traffic must go through your
> company's internet connection.


Why? If the company LAN is (for example) 192.168.1.0/24 then why
should it not route to 192.168.1.0/24 via the VPN and leave the
default route as the normal ISP/DSL connection?
Martin Bodenstedt

2005-10-24, 9:35 am

Graham Murray schrieb:
> Martin Bodenstedt <martin.bodenstedt@gmx.de> writes:
>
> Why? If the company LAN is (for example) 192.168.1.0/24 then why
> should it not route to 192.168.1.0/24 via the VPN and leave the
> default route as the normal ISP/DSL connection?


For security reasons:

in your example you have an insecure link (outside the control of your
company's network administrator, that is) from the internet through your
pc to the company network.

You could - for example - have spyware on your PC that is logging your
work for the company and sending it out via your own internet connection
without your company ever getting wind of it...


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)
Copyright 2003 - 2008 webservertalk.com