All of my users are running XP so they use the built-in PPTP VPN client. When they log in, they get connected just fine; however, their default gateway is overwritten to be the VPN IP address, hence they are only able to access things on the VPN, and not able to surf the web...
I know how to fix this problem, but I don't like the solution. The solution is to not accept the default gateway from the PIX VPN, and then manually add the route to the internal VPN network to the client per the address it's assigned by the PIX:
client gets address 10.1.1.10 from PIX
route add 10.1.1.0 mask 255.255.255.0 10.1.1.10
at the command prompt.
This works fine; however, the users must manually type this in each time they connect to the PIX, and change the gateway value from 10.1.1.10 to whichever address they were assigned by the PIX (which changes every time they connect since it's a pool of addresses (ip local pool command)).
Is there a way to have a static default gateway that all PPTP clients can use, that way they can add the static route to their XP machines to:
route add 10.1.1.0 mask 255.255.255.0 10.1.1.1
and never have to modify it again? With the MS VPN, the VPN server always uses the first IP in the pool of addresses to be the default gateway for the PPTP clients, but the PIX just assigns the IP address assigned to the client as its default gateway.
Is there a Cisco PPTP client which does all of this automatically? I really need to have my users be able to surf the web while VPNed in, without having to train them to add static routes. Please keep in mind that IPSEC VPNing is out of the question, as all of my users perform NAT in their home networks.
If you want to use the Windows built-in client you can create a .reg file that automatically adds all the possible routes as static entries on the client machines. We have a pool of 40 addresses for VPN clients, so I created a static entry for all 40 possible routes to the internal network, and then exported the reg key. This does make the route table on the client look ugly, but it doesn't slow anything down.
The key is Hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\persistentroutes
Then just run the exported .reg file on each client to permanently add all the possible routes. Works great for our consultants who need to be able to hit internet sites while vpn'd in to our network.
I agree there are ways to make the routes easier to apply client-wise, but what do you put in for the default gateway for all of those persistent routes? My understanding is that it must be the IP address assigned to the PPTP client by the PIX (which for me changes every time I VPN in since the addresses come from an IP pool).
The idea is, you put a persistent route on each client for every possible IP address that could be assigned by the PIX. So, if your config is -
ip local pool vpn 172.16.1.1-172.16.1.25
make the .reg file add a persistent route to your internal network with each one of those as a default route. The .reg file will only need to be executed one time on each of your VPN clients and it will work for any of the addresses assigned by the PIX. As long as you never change the IP range the PIX doles out to the VPN clients, your users will never have to add another static route, or execute the .reg file again.
Here's an example of the .reg file I use. 172.16.0.0 is our internal network, and 172.17.1.0 is the PIX assigned IP range for VPN clients. The 3 represents the metric.
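The .reg file itself is not reproduced above, so here is an added generator (not any poster's code) that writes one PersistentRoutes entry per pool address, exactly as the answer describes. It assumes a /16 mask for the 172.16.0.0 internal network, the pool 172.17.1.1-172.17.1.25 and metric 3; all three are constructed from the thread and easy to change. Note that this deliberately leaves the client with a split tunnel (web traffic goes out the home ISP, not through the PIX), which is the behaviour the thread asks for.

```python
import ipaddress
from typing import List

# Constructed values based on the thread; adjust to your own network.
INTERNAL_NET = "172.16.0.0/16"   # assumption: /16 mask for "172.16.0.0 is our internal network"
POOL_START = "172.17.1.1"        # first address of the PIX "ip local pool"
POOL_END = "172.17.1.25"         # last address of the pool
METRIC = 3                       # the "3" the poster mentions

# Key under which Windows stores routes added with "route -p add".
# Each route is a REG_SZ value named "dest,mask,gateway,metric" with empty data.
PERSISTENT_ROUTES_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
                         r"\Services\Tcpip\Parameters\PersistentRoutes")


def pool_addresses(start: str, end: str) -> List[str]:
    """Expand an inclusive IPv4 range (PIX pool syntax) into individual addresses."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"pool end {end} precedes pool start {start}")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]


def route_value_name(dest_cidr: str, gateway: str, metric: int) -> str:
    """Build the value name Windows expects: dest,mask,gateway,metric."""
    net = ipaddress.IPv4Network(dest_cidr, strict=True)   # rejects host bits set
    ipaddress.IPv4Address(gateway)                         # validates the gateway
    return f"{net.network_address},{net.netmask},{gateway},{metric}"


def build_reg_file(dest_cidr: str, start: str, end: str, metric: int) -> str:
    """Return the full .reg text, one persistent route per possible pool address."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{PERSISTENT_ROUTES_KEY}]"]
    for gw in pool_addresses(start, end):
        # Every pool address becomes the gateway of one route to the internal network;
        # only the one matching the client's assigned address is usable at a time.
        lines.append(f'"{route_value_name(dest_cidr, gw, metric)}"=""')
    return "\r\n".join(lines) + "\r\n"   # .reg files conventionally use CRLF


if __name__ == "__main__":
    with open("vpn_routes.reg", "w", newline="") as fh:
        fh.write(build_reg_file(INTERNAL_NET, POOL_START, POOL_END, METRIC))
```

Import the resulting file once per client (or push it by login script); a reboot or `route print` afterwards confirms the 25 entries are present.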