PPTP Default Gateway

jdepies
Level 1

Hello,

Running 6.3.1 on a 515 PIX.

All of my users are running XP, so they use the built-in PPTP VPN client. When they log in, they get connected just fine; however, their default gateway is overwritten with the VPN IP address, hence they are only able to access things on the VPN and not able to surf the web...

I know how to fix this problem, but I don't like the solution. The solution is to not accept the default gateway from the PIX VPN, and then manually add the route to the internal VPN network on the client, using the address it's assigned by the PIX:

I.e.:

client gets address 10.1.1.10 from PIX

then:

route add 10.1.1.0 mask 255.255.255.0 10.1.1.10

at the command prompt.

This works fine; however, the users must manually type this in each time they connect to the PIX, and change the gateway value from 10.1.1.10 to whichever address they were assigned by the PIX (which changes every time they connect, since it's a pool of addresses (ip local pool command)).

Is there a way to have a static default gateway that all PPTP clients can use? That way they could add the static route on their XP machines as:

route add 10.1.1.0 mask 255.255.255.0 10.1.1.1

and never have to modify it again? With the MS VPN, the VPN server always uses the first IP in the pool of addresses as the default gateway for the PPTP clients, but the PIX just assigns the IP address assigned to the client as its default gateway.

Is there a Cisco PPTP client which does all of this automatically? I really need to have my users be able to surf the web while VPNed in, without having to train them to add static routes. Please keep in mind that IPsec VPNing is out of the question, as all of my users perform NAT in their home networks.

Hopefully this makes sense.

Thanks a lot

Jeff

7 Replies 7

0rsnaric
Level 1

If you want to use the Windows built-in client, you can create a .reg file that automatically adds all the possible routes as static entries on the client machines. We have a pool of 40 addresses for VPN clients, so I created a static entry for all 40 possible routes to the internal network and then exported the reg key. This does make the route table on the client look ugly, but it doesn't slow anything down.

The key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes

Then just run the exported .reg file on each client to permanently add all the possible routes. Works great for our consultants who need to be able to hit internet sites while VPN'd in to our network.

~rls

Thanks for the post.

I agree there are ways to make the routes easier to apply client-wise, but what do you put in for the default gateway for all of those persistent routes? My understanding is that it must be the IP address assigned to the PPTP client by the PIX (which for me changes every time I VPN in, since the addresses come from an IP pool).

Thanks

Jeff

The idea is, you put a persistent route on each client for every possible IP address that could be assigned by the PIX. So, if your config is -

ip local pool vpn 172.16.1.1-172.16.1.25

make the .reg file add a persistent route to your internal network with each one of those as a default route. The .reg file will only need to be executed one time on each of your VPN clients, and it will work for any of the addresses assigned by the PIX. As long as you never change the IP range the PIX doles out to the VPN clients, your users will never have to add another static route or execute the .reg file again.

Here's an example of the .reg file I use. 172.16.0.0 is our internal network, and 172.17.1.0 is the PIX assigned IP range for VPN clients. The 3 represents the metric.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes]
"172.16.0.0,255.255.0.0,172.17.1.1,3"=""
"172.16.0.0,255.255.0.0,172.17.1.2,3"=""
"172.16.0.0,255.255.0.0,172.17.1.3,3"=""
"172.16.0.0,255.255.0.0,172.17.1.4,3"=""
"172.16.0.0,255.255.0.0,172.17.1.5,3"=""
"172.16.0.0,255.255.0.0,172.17.1.6,3"=""
"172.16.0.0,255.255.0.0,172.17.1.7,3"=""
"172.16.0.0,255.255.0.0,172.17.1.8,3"=""
"172.16.0.0,255.255.0.0,172.17.1.9,3"=""
"172.16.0.0,255.255.0.0,172.17.1.10,3"=""
"172.16.0.0,255.255.0.0,172.17.1.11,3"=""
"172.16.0.0,255.255.0.0,172.17.1.12,3"=""
"172.16.0.0,255.255.0.0,172.17.1.13,3"=""
"172.16.0.0,255.255.0.0,172.17.1.14,3"=""
"172.16.0.0,255.255.0.0,172.17.1.15,3"=""
"172.16.0.0,255.255.0.0,172.17.1.16,3"=""
"172.16.0.0,255.255.0.0,172.17.1.17,3"=""
"172.16.0.0,255.255.0.0,172.17.1.18,3"=""
"172.16.0.0,255.255.0.0,172.17.1.19,3"=""
"172.16.0.0,255.255.0.0,172.17.1.20,3"=""

~rls
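The per-address PersistentRoutes trick above is easy to get wrong by hand (typos, a pool edited on the PIX but not in the .reg file), so here is an added generator that is not part of the thread: it parses the `ip local pool` line, validates the range, and emits one PersistentRoutes entry per possible client address. The pool line, internal network and metric below are constructed sample values, not the posters' exact configs.

```python
import ipaddress
import re

# Constructed sample inputs (not taken from either poster's real config).
POOL_LINE = "ip local pool vpn 172.17.1.1-172.17.1.20"
INTERNAL_NET = "172.16.0.0/16"   # network reached through the tunnel
METRIC = 3                       # same metric the posted .reg file uses

REG_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
           r"\Tcpip\Parameters\PersistentRoutes")


def parse_pool(line):
    """Return (first, last) IPv4Address from an 'ip local pool NAME A-B' line."""
    m = re.match(r"\s*ip local pool \S+ ([\d.]+)-([\d.]+)\s*$", line)
    if not m:
        raise ValueError("expected 'ip local pool <name> <first>-<last>'")
    first = ipaddress.IPv4Address(m.group(1))
    last = ipaddress.IPv4Address(m.group(2))
    if last < first:
        raise ValueError("pool end precedes pool start")
    return first, last


def persistent_route_entries(pool_line, internal_net, metric):
    """One PersistentRoutes value per address the PIX could hand out.

    The PPTP client uses its own assigned address as the gateway, so a
    route to the internal network must exist for every candidate address;
    only the one whose gateway matches the live adapter address takes effect.
    """
    net = ipaddress.IPv4Network(internal_net)
    first, last = parse_pool(pool_line)
    gateways = (ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1))
    return [f'"{net.network_address},{net.netmask},{gw},{metric}"=""'
            for gw in gateways]


def build_reg_file(pool_line, internal_net, metric=METRIC):
    """Render a complete .reg file in the format regedit exports (CRLF lines)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{REG_KEY}]"]
    lines += persistent_route_entries(pool_line, internal_net, metric)
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_reg_file(POOL_LINE, INTERNAL_NET))
```

Because the client keeps its local default gateway, internet traffic leaves the host outside the tunnel (split tunneling); regenerate and redeploy the file whenever the pool on the PIX changes, since stale entries silently stop matching.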

I got it, thanks.

Do you know if Cisco makes a PPTP client that does this automatically?

Not at this time. I went the TAC route initially and was told to either use the Cisco IPsec client with split tunneling, or live with it. So I came up with this fix for our consultants.

I'd just use the Cisco client, but it conflicts with many of our customer vpn solutions.

~rls

I am not familiar with split tunnelling. Did Cisco give you a link to help implement it in your environment?

Thanks a lot for all your help

Jeff

They didn't provide a link, but you shouldn't have any problem finding information on this web site. Just do a search for split-tunnel.

Also, this is a link I keep bookmarked for finding info on the PIX -

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration#Software_Samples_and_Tips

You configure split-tunneling on the PIX with a line similar to this -

vpngroup groupname split-tunnel 100

where 100 is the access-list that defines the traffic between your VPN pool and internal network that goes through the tunnel.

Again, this is only for IPsec clients. You can find configuration information in the PIX user's guide also.

~rls
