|
Home > Archive > VPN > January 2006 > VPN Internet routing problem
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
VPN Internet routing problem
|
|
| ioevanc@gmail.com 2006-01-13, 9:22 pm |
| Hello
I have a Windows Server 2003 configured as a remote access VPN server.
Everything works perfectly, however when I connect from a client
machine to the VPN my internet connection get taken over by the
server's internet connection, anotherwords, not only it is routing my
LAN but also the internet connection the server is on.
Is it possible not to have the internet routed, just the LAN ? But
still be able to use client's internet connection ?
Thanks
| |
| Martin Bodenstedt 2006-01-13, 9:22 pm |
| ioevanc@gmail.com schrieb:
> Hello
>
> I have a Windows Server 2003 configured as a remote access VPN server.
> Everything works perfectly, however when I connect from a client
> machine to the VPN my internet connection get taken over by the
> server's internet connection, anotherwords, not only it is routing my
> LAN but also the internet connection the server is on.
This by design.
Once your VPN connection is open the VPN client should only allow
traffic through the tunnel for security reasons (keyword here is "Split
tunneling").
This also means that once Your PC has the VPN connection open the pc
cannot see the lan anymore (to protect the corporate network from being
infiltrated by rogue pcs...
--
Martin Bodenstedt
(www.die-bodenstedts.de / www.maboko.de)
| |
|
| Martin Bodenstedt wrote:
> ioevanc@gmail.com schrieb:
>
>
>
> This by design.
>
> Once your VPN connection is open the VPN client should only allow
> traffic through the tunnel for security reasons (keyword here is "Split
> tunneling").
>
> This also means that once Your PC has the VPN connection open the pc
> cannot see the lan anymore (to protect the corporate network from being
> infiltrated by rogue pcs...
>
>
Martin is correct, however I'm sure you can still see the local subnet
Martin, it's only the default route that's affected.
With the windows client you can get round it though if you consider the
risks worthwhile, here's what I posted the other day in response to a
similar question
"Yes it's a security risk if the remote computer becomes compromised, as
the internet connection going out locally could allow a back door into
your network when the client vpn is connected. However with the ms
client you can open up split routing to do what you need, in the tcpip
properties of the remote PCs connection to you under advanced untick the
'use default gateway on remote network' then only traffic destined for
the subnet that the client vpn address gets goes down the tunnel, all
else goes out locally. If there is more than one subnet at your location
the remote clients would need to use the route add command to add the
additional routes needed. "
simon
| |
| ioevanc@gmail.com 2006-01-13, 9:22 pm |
| Thanks for your help, I apreciate it
Simon wrote:
> Martin Bodenstedt wrote:
> Martin is correct, however I'm sure you can still see the local subnet
> Martin, it's only the default route that's affected.
>
> With the windows client you can get round it though if you consider the
> risks worthwhile, here's what I posted the other day in response to a
> similar question
> "Yes it's a security risk if the remote computer becomes compromised, as
> the internet connection going out locally could allow a back door into
> your network when the client vpn is connected. However with the ms
> client you can open up split routing to do what you need, in the tcpip
> properties of the remote PCs connection to you under advanced untick the
> 'use default gateway on remote network' then only traffic destined for
> the subnet that the client vpn address gets goes down the tunnel, all
> else goes out locally. If there is more than one subnet at your location
> the remote clients would need to use the route add command to add the
> additional routes needed. "
> simon
| |
| ioevanc@gmail.com 2006-01-13, 9:22 pm |
| Thanks for your help !
| |
| Martin Bodenstedt 2006-01-13, 9:22 pm |
| Simon schrieb:
> Martin is correct, however I'm sure you can still see the local subnet
> Martin, it's only the default route that's affected.
That should not be the case as all local pcs (those in the same subnet)
could still use the tunnel which I as a corporate network admin would
never tolerate.
A good vpn client permits no traffic through the tunnel other than from
(or to) the local machine itself.
--
Martin Bodenstedt
(www.die-bodenstedts.de / www.maboko.de)
|
|
|
|
|