Roadwarrior VPN [PPTP] - Internal routes distribution

Answered Question
May 6th, 2010

Hello, I have configured in a Cisco 1841 a small VPN concentrator, using PPTP and authenticating users in Active Directory using RADIUS.

Everything was simple and works great with the exception of one thing, distributing routes for the internal networks.

When the VPN comes up in the clients it is set by default that all traffic goes in the tunnel, not just the traffic for the internal networks, but also general traffic for the Internet. This is not what is desired so I configured the vpn connection (in windows clients) to ignore the default gateway inside the tunnel, but when I do that it just does not define any route to any of the internal networks, thus making them inaccessible.

I know I can then add routes manually...but that is not something I desire all users to do every time they connect.

My question is: In Windows Active Directory I configured for my user, under the Dial In tab, the option "define static routes for this user", and added some routes for my internal networks. Why aren't they distributed to the clients? Should they be distributed? I get a little confused with this because in the Cisco I configure only the RADIUS server for authentication; I find it strange that the same server would be used to distribute other information to the clients...like routing information.

Does anyone have a Roadwarrior VPN scenario similar to this? How did you solve it?


PS: Under Linux I solved it because the VPN client allows me to select which routes I want to add in that connection automatically; not perfect, but it's a solution. However, under Windows I have no such option, and if possible I would prefer not to install third-party applications to solve this.

Thank you

Correct Answer by Jennifer Halim about 6 years 9 months ago

Here is the Microsoft article for your reference:

http://technet.microsoft.com/en-us/library/bb878117.aspx

Alternatively, you can configure a batch file to configure the static routes on your PC (second last question):

http://www.cisco.com/en/US/partner/tech/tk827/tk369/technologies_q_and_a_item09186a00800946ef.shtml

Jennifer Halim Sat, 05/08/2010 - 01:51

Unfortunately with PPTP, you can't configure split tunnel on the PPTP server like IPSec where the split tunnel routes get injected back to the VPN Client.

With PPTP, here is what you can do apart from manually configuring routes on the client:

- Check what is your internal network major subnet. Let's assume that it's 192.168.0.0/16.

- What you can do is to configure the ip pool subnet to be in the same major subnets as your internal network. Choose a unique subnet from 192.168.0.0/16, for example: if your internal subnet is 192.168.1.0/24 and 192.168.5.0/24, configure the PPTP ip pool subnet to be in 192.168.8.0/16

It's important that you configure mask of /16 for the ip pool subnet.

- By configuring a mask of /16 for the ip pool, it will create a route for 192.168.0.0/16 towards the VPN tunnel, and when you disable the default gateway on the client, you can achieve split tunnelling for everything else but 192.168.0.0/16 (which will be routed towards the tunnel).

Hope that helps.

nibauramos Sat, 05/08/2010 - 04:11

From where I am I can't test that scenario, but will test it as soon as possible. However, I have one question: if my local computer thinks that the VPN subnet is 192.168.0.0/16, then when I try to send data to, for example, 192.168.7.2 it will try to send this as if it were a local connection, not using any gateway, so won't it fail? I believe it will try to ARP for 192.168.7.2 and get no response? Or does this work differently?

Thanks for the help!

nibauramos Sat, 05/08/2010 - 04:15

By the way, aren't there any alternative clients for Microsoft Windows for PPTP connections? If I could specify the routes manually in the client it would be great. Under my own computer (Fedora Core) the application that manages these connections lets me specify which networks to route, and that is a perfectly acceptable solution; I just wish Microsoft had remembered this.

nibauramos Sat, 05/08/2010 - 08:22

I've been searching the web. I still have to try this, but using DHCP option 121 or 249 seems like a great solution; I just haven't checked yet whether it is supported by most DHCP servers and clients.

I'll test everything and then post the results.

Thank you

nibauramos Wed, 05/12/2010 - 12:54

Hello,

It isn't perfect but it is working!

For VPN connections that have only one local network to be accessed through the VPN, under Windows just disable "use default gateway on remote network" in the TCP/IP options and everything works normally.

The real problem was when I had to access multiple network segments behind my VPN tunnel, and for that what I did was:

Instead of using a local pool in the virtual-template configuration (peer default ip address pool VPN_POOL), I used a DHCP pool: peer default ip address dhcp-pool VPN_ROADWARRIORS

So when I connect now I receive all the information for my connection from the DHCP pool.

In the DHCP pool I added something I read in RFC 3442 (http://www.faqs.org/rfcs/rfc3442.html):

   option 249 ip 24.192.168.6 192.168.252.254 24.192.168.2 192.168.252.254

This basically tells my DHCP clients that network 192.168.6.0/24 has gateway 192.168.252.254 (my VPN gateway local address) and then adds a second route to the same gateway for network 192.168.2.0/24.

The pool stayed like this:

ip dhcp pool VPN_ROADWARRIORS
   network 192.168.252.0 255.255.255.0
   dns-server MYDNSSERVER
   default-router 192.168.252.254
   domain-name MYDOMAIN

   option 249 ip 24.192.168.6 192.168.252.254 24.192.168.2 192.168.252.254
   option 121 ip 24.192.168.6 192.168.252.254 24.192.168.2 192.168.252.254

I added not just option 249 but also 121 because I was hoping option 121 in DHCP would be recognized by my Linux clients... but had no luck; only option 249 was accepted, by the Windows clients. However, that is enough for now! Linux users normally take care of themselves in these situations.

When a Windows user connects it receives the address and in a few seconds (not instantaneously) learns the routes I defined in the DHCP pool, and it works perfectly! Internet access remains via my local gateway, and my internal networks go all the way through the VPN tunnel.

For some reason now it isn't accepting the DNS server I have in the pool...still haven't figured out why, but it probably isn't anything to worry about.

Thank you for all the help that directed me to this solution!
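The option 121/249 encoding that the pool above relies on, as an added Python example that is not part of the thread: it builds the RFC 3442 payload for the two routes, decodes it back with bounds checks, and shows why the IOS `ip` token form `24.192.168.6 192.168.252.254` yields exactly the same bytes. The constant names and helper functions are mine; addresses are the ones from the post.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed from the thread's DHCP pool; nothing here touches the network.
THREAD_TOKENS = "24.192.168.6 192.168.252.254 24.192.168.2 192.168.252.254"

def route(cidr: str, gateway: str) -> Route:
    return ipaddress.IPv4Network(cidr), ipaddress.IPv4Address(gateway)

THREAD_ROUTES = [route("192.168.6.0/24", "192.168.252.254"),
                 route("192.168.2.0/24", "192.168.252.254")]

def encode_classless_routes(routes: List[Route]) -> bytes:
    """RFC 3442 payload: per route <prefix-len><significant destination
    octets only><4-octet router>. A /0 default route has no destination octets."""
    out = bytearray()
    for net, gw in routes:
        sig = (net.prefixlen + 7) // 8          # octets needed to hold the prefix
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += gw.packed
    return bytes(out)

def decode_classless_routes(data: bytes) -> List[Route]:
    """Inverse of encode_classless_routes; rejects malformed or truncated
    data instead of installing a bogus route from a short option."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        sig = (plen + 7) // 8
        if i + 1 + sig + 4 > len(data):
            raise ValueError("truncated classless route option")
        dest = data[i + 1:i + 1 + sig].ljust(4, b"\x00")   # pad back to 4 octets
        gw = data[i + 1 + sig:i + 5 + sig]
        routes.append((ipaddress.IPv4Network((dest, plen)), ipaddress.IPv4Address(gw)))
        i += 1 + sig + 4
    return routes

def ios_ip_form(tokens: str) -> bytes:
    """What the IOS 'option 249 ip ...' keyword does: each token is written as a
    plain 4-octet address. A /24 route is exactly 8 octets, so '24.192.168.6'
    is <24><192><168><6> and the next token is the router. Other prefix
    lengths do not align to 4 octets and need the 'hex' form instead."""
    return b"".join(ipaddress.IPv4Address(t).packed for t in tokens.split())
```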
