WinXP VPN & routing / default GW
Set up a user with VPN last night, today she's unable to send mail...can't connect to the outbound SMTP transport. I check a couple of things, and try disabling the VPN. Voila, mail sends.

I suspect routing -- default gw is being set through the VPN? I'm researching this now, but would appreciate getting upsided the head by anyone with a cluestick handy.

TIA.
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.

   Keep software free.     Oppose the CBDTPA.     Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/...a_alert.html]
Answering self via IBM's Redbook
Excellent ref. Yes, MSFT sets default gateway via VPN: [link|http://www.redbooks.ibm.com/tstudio/vpn/setupw2k/dftroute.htm|http://www.redbooks...dftroute.htm].
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
Run into that one
Going to read the article you posted...

I connect to work via PPTP (win2k>win2k). In the preferences, you can turn off the default gateway switch (like the redbook article says) and add your own routes using the command line. I have to connect to a host that's visible from our internal LAN, but on a different network, via telnet, so I just add a route to that host after making the VPN connection as below. Also, I want to be able to surf, ssh out to other shell accounts, etc. without all my traffic going across the work network (I can't ssh out through our firewall at work, but I can FTP). When this is done, I use my home LAN and connection for everything except what's on the 172.30.x.x network and the one 192.168.204.12 host.

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 d0 59 2e ca 8c ...... Intel(R) PRO Adapter
0x2000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.100.1 192.168.100.114 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.30.0.0 255.255.0.0 172.30.12.248 172.30.12.248 1
172.30.12.248 255.255.255.255 127.0.0.1 127.0.0.1 1
172.30.12.254 255.255.255.255 172.30.12.248 172.30.12.248 1
172.30.255.255 255.255.255.255 172.30.12.248 172.30.12.248 1
192.168.100.0 255.255.255.0 192.168.100.114 192.168.100.114 1
192.168.100.114 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.100.255 255.255.255.255 192.168.100.114 192.168.100.114 1
208.2.155.4 255.255.255.255 192.168.100.1 192.168.100.114 1
224.0.0.0 224.0.0.0 172.30.12.248 172.30.12.248 1
224.0.0.0 224.0.0.0 192.168.100.114 192.168.100.114 1
255.255.255.255 255.255.255.255 192.168.100.114 192.168.100.114 1
Default Gateway: 192.168.100.1
===========================================================================
Persistent Routes:
None

C:\>route add 192.168.204.12 mask 255.255.255.255 172.30.12.248

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 d0 59 2e ca 8c ...... Intel(R) PRO Adapter
0x2000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.100.1 192.168.100.114 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.30.0.0 255.255.0.0 172.30.12.248 172.30.12.248 1
172.30.12.248 255.255.255.255 127.0.0.1 127.0.0.1 1
172.30.12.254 255.255.255.255 172.30.12.248 172.30.12.248 1
172.30.255.255 255.255.255.255 172.30.12.248 172.30.12.248 1
192.168.100.0 255.255.255.0 192.168.100.114 192.168.100.114 1
192.168.100.114 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.100.255 255.255.255.255 192.168.100.114 192.168.100.114 1
192.168.204.12 255.255.255.255 172.30.12.248 172.30.12.248 1
208.2.155.4 255.255.255.255 192.168.100.1 192.168.100.114 1
224.0.0.0 224.0.0.0 172.30.12.248 172.30.12.248 1
224.0.0.0 224.0.0.0 192.168.100.114 192.168.100.114 1
255.255.255.255 255.255.255.255 192.168.100.114 192.168.100.114 1
Default Gateway: 192.168.100.1
===========================================================================
Persistent Routes:
None

C:\>
-----
Steve
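The route tables above decide which link a packet leaves on, and that is the whole question in this thread: with the remote default gateway enabled, everything non-local (SMTP included) goes down the tunnel; with it disabled, only explicitly routed prefixes do. The following is an added example, not code from Steve's post, from Microsoft or from the IBM Redbook. It parses the "Active Routes" rows quoted above, replays Windows' longest-prefix-match decision for a few destinations, and shows the effect of the `route add` and of the default-gateway option. Two things in it are assumptions: `SMTP_SERVER` is a constructed placeholder address standing in for an external mail host, and `with_vpn_default` models the "use default gateway on remote network" option by giving the tunnel a metric-1 default route and demoting the LAN default by one; the exact metrics Windows assigns are not shown on the page.

```python
"""Longest-prefix-match over a Windows 'route print' table (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Active Routes from the first 'route print' quoted in the post above.
ROUTE_PRINT_BEFORE = """\
0.0.0.0 0.0.0.0 192.168.100.1 192.168.100.114 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.30.0.0 255.255.0.0 172.30.12.248 172.30.12.248 1
172.30.12.248 255.255.255.255 127.0.0.1 127.0.0.1 1
172.30.12.254 255.255.255.255 172.30.12.248 172.30.12.248 1
172.30.255.255 255.255.255.255 172.30.12.248 172.30.12.248 1
192.168.100.0 255.255.255.0 192.168.100.114 192.168.100.114 1
192.168.100.114 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.100.255 255.255.255.255 192.168.100.114 192.168.100.114 1
208.2.155.4 255.255.255.255 192.168.100.1 192.168.100.114 1
224.0.0.0 224.0.0.0 172.30.12.248 172.30.12.248 1
224.0.0.0 224.0.0.0 192.168.100.114 192.168.100.114 1
255.255.255.255 255.255.255.255 192.168.100.114 192.168.100.114 1
Default Gateway: 192.168.100.1
"""

LAN_IF = "192.168.100.114"   # Intel PRO adapter: home LAN / DSL side
VPN_IF = "172.30.12.248"     # WAN (PPP/SLIP) interface: the PPTP tunnel
SMTP_SERVER = "198.51.100.25"  # constructed placeholder, not an address from the thread


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> list[Route]:
    """Keep rows shaped 'dest mask gateway interface metric'; headers,
    separators and the 'Default Gateway:' line fail to parse and are skipped."""
    routes: list[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            network = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            routes.append(Route(network, ipaddress.IPv4Address(parts[2]),
                                ipaddress.IPv4Address(parts[3]), int(parts[4])))
        except ValueError:
            continue
    return routes


def lookup(routes: list[Route], dest: str) -> Route | None:
    """Forwarding decision: most specific prefix wins; ties go to the lowest metric."""
    dst = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def egress_interface(routes: list[Route], dest: str) -> str:
    """Address of the interface a packet to 'dest' leaves on, or 'unreachable'."""
    route = lookup(routes, dest)
    return str(route.interface) if route else "unreachable"


def with_host_route(routes: list[Route], host: str, gateway: str) -> list[Route]:
    """Table after 'route add <host> mask 255.255.255.255 <gateway>'."""
    gw = ipaddress.IPv4Address(gateway)
    return routes + [Route(ipaddress.IPv4Network(f"{host}/32"), gw, gw, 1)]


def with_vpn_default(routes: list[Route], vpn_ip: str) -> list[Route]:
    """Assumed model of 'use default gateway on remote network' = ON: the tunnel
    gets its own 0.0.0.0/0 at metric 1 and the LAN default is demoted, so every
    non-local destination takes the tunnel (constructed, not a captured table)."""
    vpn = ipaddress.IPv4Address(vpn_ip)
    default = ipaddress.IPv4Network("0.0.0.0/0")
    demoted = [Route(r.network, r.gateway, r.interface, r.metric + 1)
               if r.network == default else r for r in routes]
    return demoted + [Route(default, vpn, vpn, 1)]


if __name__ == "__main__":
    before = parse_route_print(ROUTE_PRINT_BEFORE)
    after = with_host_route(before, "192.168.204.12", VPN_IF)
    tunnel_all = with_vpn_default(before, VPN_IF)
    for label, table in (("default GW off", before), ("after route add", after),
                         ("default GW via VPN", tunnel_all)):
        print(label)
        for dest in ("192.168.204.12", "172.30.12.254", SMTP_SERVER, "192.168.100.50"):
            print(f"  {dest:>16} -> {egress_interface(table, dest)}")
```

Running it prints, per table, which interface each destination leaves on: before the `route add`, 192.168.204.12 falls through to the LAN default and never reaches the tunnel; afterwards the /32 wins the longest-prefix match and it goes via 172.30.12.248, while the placeholder SMTP host still leaves over the LAN. In the modelled "default gateway via VPN" table the SMTP host is the one that flips to the tunnel, which is the failure mode the thread opens with. Pasting a live `route print` into `parse_route_print` is a quick way to see which traffic will leave a machine in the clear and which will traverse the corporate network before changing anything.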
OK, continued problems...can't hit the shares
I suspect routing. Though I'm getting this both ways now....

I can now get out to the rest of the net. But I can't see my local shares when browsing with the default gateway via the VPN disabled.

Here's the way I understand the problem:
  • Originally, pre-VPN, all traffic was routed in the open over the DSL connection.
  • After configuring the VPN, all non-local (127, 192.168, etc.) traffic was routed through the VPN. Because we don't allow external SMTP access, mail couldn't be sent. Because the VPN will only be up some of the time, permanently rewiring SMTP is not desirable, though other options exist. Samba (SMB) file shares work at this point.
  • After disabling default gateway, mail routes, but SMB doesn't.
  • I'm doing all of this remotely via RAdmin, so I'm trying not to kill my connection in the process of rerouting things.
  • I can get interface configurations, routing tables, and traceroute (ugh - tracert) output from each configuration, which is useful.
  • The trick is going to be setting up a relatively (for MS Windows) complex routing table for a number of different locations. And bringing this up with the VPN. More below.

So, for routing:
  • The SMB server actually has its nameservice on the outside of the LAN (same host has five interfaces, four on LAN segments, one on the DMZ). DNS points to the external interface. I'm not sure if this is or isn't routable on our network, though we haven't had this issue from the inside yet.
  • I'll have to route all SMB traffic over the VPN. And make sure it's resolving to the proper interfaces. I'm not sure why this isn't happening. Actually, I'm a bit confused over what VPN's doing with the interface(s) in the first place.
  • Additionally, 10.0.0.0 traffic wants the VPN.
  • Our DMZ wants the VPN, as we treat things differently on the DMZ depending on whether they're coming from inside or outside.
  • I'll have to route remaining external traffic over the DSL line, in the clear.

I think I have a headache.

I'm not particularly sure if WinXP has the flexibility to do all of this, and/or to bring up the interfaces and routing tables with the VPN. Interested to know if anyone else has seen a situation like this and has suggestions.

--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]