03-19-2007 09:30 AM
A home user needs to connect to a Cisco VPNC via IPsec to access the corporate network.
At home, the user is connected to the service provider using Ethernet and private addressing 192.168.6.0/24.
To access the Internet, the service provider requires the user to establish PPTP to the provider's server at address 192.168.1.1 via the default gateway 192.168.6.254,
after which the user acquires a public IP address.
After PPTP establishment, the routing table changes.
The default gateway points to the PPTP peer,
except for the host route to the PPTP tunnel endpoint 192.168.1.1,
which still goes via 192.168.6.254.
When the user starts the Cisco VPN Client,
he is successfully authenticated and establishes an SA,
but the Cisco VPN Client discards the host route to the PPTP endpoint (i.e. 192.168.1.1).
After a small timeout both connections drop, PPTP and IPsec.
Is there any workaround for such a problem?
03-19-2007 09:42 AM
An IPsec connection will not work over a PPTP tunnel, as it will encrypt the PPTP packets, and this way the ISP will drop them. Your PPTP connection will go down, resulting in the drop of your IPsec connection as well.
You can use WebVPN over PPTP, though.
*Please rate if it helped.
-Kanishka
03-19-2007 09:43 AM
The SSL client will also not work. You have to use a pure WebVPN connection.
03-19-2007 02:21 PM
Thanks a lot for the quick answer.
Nevertheless, I cannot accept such a simple argument.
Not every packet sent out of the computer's network interface should be encrypted.
Packets sent out to the address of the VPNC itself are never encrypted again.
So the same behavior should apply to the packets sent out to the PPTP endpoint.
Please provide more details on why this does not happen.
Thanks in advance.
03-19-2007 02:51 PM
Hi,
The Cisco VPN Client can't run over another transport protocol. The VPN adapter will be intercepting traffic and forwarding it over the VPN adapter and over the Ethernet adapter, even the PPTP traffic. So after the VPN client connects, it is encrypting the PPTP traffic and tries to send it to the concentrator, but that breaks the PPTP connection, and after that goes down, IPsec itself breaks.
One workaround to get this working is to use split tunneling. That way PPTP traffic would be in clear text, and all other traffic would be tunneled through the VPN adapter.
I hope this answers your questions.
*Please rate if it helped.
-Kanishka
03-19-2007 04:26 PM
Thanks a lot for your answer.
First of all, it's not possible to use split tunneling,
because we are serving 10K corporate users, and they are using too many different service providers.
This particular provider uses a big Ethernet network, which overlaps with our corporate addressing.
And there is no acceptable way to provide a host route exception in the split tunneling policy.
And there is a limited number of routing table entries in split tunneling, not enough to accommodate all Russian/Israeli/etc. providers.
According to the routing table, unencrypted traffic passes directly to the "Cisco Systems VPN Adapter".
In case the user manipulates the routing table, there is the "Deterministic Network Enhancer" protocol suite, bound to the network adapter.
This protocol suite uses a policy loaded into it by the "Cisco Systems VPN Client" when it connects to the VPNC.
For the Cisco VPN Client it's possible to determine that a particular WAN adapter is a PPTP connection,
and add an additional policy to the "Cisco Systems VPN Adapter" and "Deterministic Network Enhancer"
to exempt traffic destined to the PPTP endpoint.
I assume the situation described is a bug in the Cisco Systems VPN Client.
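The routing behaviour argued over in this thread (the host route to the PPTP server being kept or discarded when the IPsec client takes the default route) can be modelled with a small longest-prefix-match lookup that follows each tunnel encapsulation down to the physical interface. This is an added example, not code from the thread or from Cisco; the concentrator address 203.0.113.10, the interface names and the route tables are constructed to match the addresses the original poster gives.

```python
import ipaddress

# Constructed model of the routing tables described in this thread (not output from the page).
# LAN 192.168.6.0/24 with gateway 192.168.6.254 on eth0; PPTP server 192.168.1.1;
# the VPN concentrator's public address is an assumed placeholder (203.0.113.10).
VPNC = "203.0.113.10"
PPTP_SERVER = "192.168.1.1"

# Tunnel adapters and the underlay address their encapsulated packets are sent to.
TUNNELS = {"pptp": PPTP_SERVER, "cisco-vpn": VPNC}

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def resolve_path(routes, dst):
    """Follow dst through each tunnel encapsulation until a physical interface is hit.
    Returns (path, looped). looped=True means a tunnel adapter would have to carry its
    own underlay packets, which is why PPTP (and then the IPsec SA on top of it) drops."""
    path, seen = [], set()
    while True:
        hop = lookup(routes, dst)
        path.append(hop)
        if hop not in TUNNELS:
            return path, False
        if hop in seen:
            return path, True
        seen.add(hop)
        dst = TUNNELS[hop]  # the encapsulated packet is now addressed to the tunnel endpoint

# 1. After PPTP comes up: default via PPTP, host route to the PPTP server via the LAN gateway.
AFTER_PPTP = [("0.0.0.0/0", "pptp"),
              (PPTP_SERVER + "/32", "eth0"),   # next hop 192.168.6.254 on eth0
              ("192.168.6.0/24", "eth0")]

# 2. VPN connected and the host route preserved: the VPNC itself is still reached in the clear over PPTP.
VPN_OK = [("0.0.0.0/0", "cisco-vpn"), (VPNC + "/32", "pptp")] + AFTER_PPTP[1:]

# 3. VPN connected but the /32 to the PPTP server discarded, as the original poster reports.
VPN_BROKEN = [("0.0.0.0/0", "cisco-vpn"), (VPNC + "/32", "pptp"),
              ("192.168.6.0/24", "eth0")]

if __name__ == "__main__":
    for name, table in (("after PPTP", AFTER_PPTP), ("VPN ok", VPN_OK), ("VPN broken", VPN_BROKEN)):
        print(name, "-> 10.1.1.1:", resolve_path(table, "10.1.1.1"))
```

With the host route present, corporate traffic resolves to cisco-vpn, then pptp, then eth0; with it discarded, the PPTP server's own address resolves back into cisco-vpn and the lookup cycles, which is the mutual dependency the thread describes.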