Vista - Split tunneling with cmak

11-15-2007

Hi

I have made a cmak vpn connection, wich have added some routes and removed
the default gateway so both intranet and the user's own internet gateway is
available. Now this works on Windows XP but it doesnt in Vista, and i think
its some security issue. I have turned of UAC and have no third party
firewall. The intranet is available but the internet is not. Googled for a
solution but it doenst seem like there is one and its a know issue for many
people.Please advice if you have any thoughts on this.

Thank you.

Martin Rhodin

11-25-2007

Hi,

I have got a workaround for this issue. While installing the dialer make
sure that it is installed using "My use only" option which is default. Next,
I haven't tried this with UAC disabled, it works for sure when UAC is
enabled. Try it let me know the status.

Thanks

Ashish Pingle

"Martin Rhodin" wrote:

Quote:

> Hi
>
> I have made a cmak vpn connection, wich have added some routes and removed
> the default gateway so both intranet and the user's own internet gateway is
> available. Now this works on Windows XP but it doesnt in Vista, and i think
> its some security issue. I have turned of UAC and have no third party
> firewall. The intranet is available but the internet is not. Googled for a
> solution but it doenst seem like there is one and its a know issue for many
> people.Please advice if you have any thoughts on this.
>
> Thank you.
>
> Martin Rhodin
>
>
>

**jasonpgreen** · 04-03-2008

I've found a work around for this. Instead of using the CMAK Rounting Table update, ues the Classless Static Routes DHCP Option.

Using the Classless Static Routes DHCP Option

Windows 2000, Windows XP, and Windows Server 2003-based VPN clients send a DHCPInform message to the VPN server, requesting a set of DHCP options. This is done so that the VPN client can obtain an updated list of DNS and WINS servers and a DNS domain name that is assigned to the VPN connection. The DHCPInform message is forwarded to a DHCP server on the organization intranet by the VPN server and the response is sent back to the VPN client.
Windows XP and Windows Server 2003-based VPN clients include the Classless Static Routes DHCP option in their list of requested DHCP options. If configured on the DHCP server, the Classless Static Routes DHCP option contains a set of routes representing the address space of your intranet. These routes are automatically added to the routing table of the requesting client when it receives the response to the DHCPInform message and automatically removed when the VPN connection is terminated.
The Windows Server 2003 DHCP Server service supports the configuration of the Classless Static Routes option (option number 249).

To use the Classless Static Routes option for split tunneling, configure this option for the scope that corresponds to the intranet subnet to which the VPN server is connected. Next, add the set of routes that correspond to the summarized address space of your organization intranet. For example, if you use the private IP address space for your organization intranet, the Classless Static Routes option would have the following three routes:

10.0.0.0 with the subnet mask of 255.0.0.0
172.16.0.0 with the subnet mask of 255.240.0.0
192.168.0.0 with the subnet mask of 255.255.0.0

The Router IP address for each route added to the Classless Static Routes option should be set to the IP address of a router interface on the intranet subnet to which the VPN server is connected. For example, if the VPN server is connected to the intranet subnet 10.89.211.0/24 and the IP address of the intranet router on this subnet is 10.89.21.1, then set the Router IP address for each route to 10.89.21.1.

Note:

Do not set the VPN connection to be the default gateway.

You will also need Vista SP1 or this You cannot use a remote access server to apply DHCP options to a Windows Vista-based computer hotfix.

hope this helps

timinator · 05-16-2008

Hi, I'm having this problem also and would love to get it solved as more people are trying to connect to our vpn using Vista. I'm a bit confused at the above explaination. My vpn server is a Windows 2003 appliance with a custom front end. I'm not sure how to modify the DHCP scope in the way decribed. Any help would be appreciated.

Thanks
Tim

**jasonpgreen** · 05-19-2008

Hi Tim,

If you are using Windows 2003 standard Routing and Remote Access, then you just need to set it, in properties, to assign IP addresses via DHCP. Then add the Classless Static routes in the Windows 2003 DHCP server.

Cheers

Jason

timinator · 05-19-2008

Jason, the server does supply addresses via DHCP. And also static routes. The front creates the connectoid using CMAK. Here is at look at the routes added by CMAK during the wizard.

REMOVE_GATEWAY
ADD 172.17.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 172.18.1.10 MASK 255.255.255.255 default METRIC default IF default
ADD 192.99.99.163 MASK 255.255.255.255 default METRIC default IF default

but on connection from the client, Vista will not allow these commands to run.

Thanks
Tim

**jasonpgreen** · 05-22-2008

Hi Tim,

You need to recreate the CMAK.

1. Remove the part that adds the routes:
REMOVE_GATEWAY
ADD 172.17.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 172.18.1.10 MASK 255.255.255.255 default METRIC default IF default
ADD 192.99.99.163 MASK 255.255.255.255 default METRIC default IF default

2. Make sure you do not select the CMAK VPN as the default route.

Then add the Classless Static Routes to you DHCP server as I descibed previously. Then the DHCP serve will provide the required static routes.

Cheers

Jason

timinator · 05-22-2008

Thanks for that info. I'm still not sure where to add the classless routes? Is it the server's static routes?

Thanks

**jasonpgreen** · 05-22-2008

Take a look at the attached screen shot.

Jason

timinator · 05-22-2008

I'm not abe to get to that module. The "Manage your Server" or "Configure your Server wizard" are not available in "Adminstrative Tools". Is there a run command to get there?

Thanks

11-15-2007	#1 (permalink)
Martin Rhodin n/a posts	Split tunneling with cmak Hi I have made a cmak vpn connection, wich have added some routes and removed the default gateway so both intranet and the user's own internet gateway is available. Now this works on Windows XP but it doesnt in Vista, and i think its some security issue. I have turned of UAC and have no third party firewall. The intranet is available but the internet is not. Googled for a solution but it doenst seem like there is one and its a know issue for many people.Please advice if you have any thoughts on this. Thank you. Martin Rhodin
My System Specs

11-25-2007	#2 (permalink)
Ashish Pingle n/a posts	RE: Split tunneling with cmak Hi, I have got a workaround for this issue. While installing the dialer make sure that it is installed using "My use only" option which is default. Next, I haven't tried this with UAC disabled, it works for sure when UAC is enabled. Try it let me know the status. Thanks Ashish Pingle "Martin Rhodin" wrote: Quote: > Hi > > I have made a cmak vpn connection, wich have added some routes and removed > the default gateway so both intranet and the user's own internet gateway is > available. Now this works on Windows XP but it doesnt in Vista, and i think > its some security issue. I have turned of UAC and have no third party > firewall. The intranet is available but the internet is not. Googled for a > solution but it doenst seem like there is one and its a know issue for many > people.Please advice if you have any thoughts on this. > > Thank you. > > Martin Rhodin > > >
My System Specs

04-03-2008	#3 (permalink)
jasonpgreen Visa Business 32bit 5 posts	Re: Split tunneling with cmak I've found a work around for this. Instead of using the CMAK Rounting Table update, ues the Classless Static Routes DHCP Option. Using the Classless Static Routes DHCP Option Windows 2000, Windows XP, and Windows Server 2003-based VPN clients send a DHCPInform message to the VPN server, requesting a set of DHCP options. This is done so that the VPN client can obtain an updated list of DNS and WINS servers and a DNS domain name that is assigned to the VPN connection. The DHCPInform message is forwarded to a DHCP server on the organization intranet by the VPN server and the response is sent back to the VPN client. Windows XP and Windows Server 2003-based VPN clients include the Classless Static Routes DHCP option in their list of requested DHCP options. If configured on the DHCP server, the Classless Static Routes DHCP option contains a set of routes representing the address space of your intranet. These routes are automatically added to the routing table of the requesting client when it receives the response to the DHCPInform message and automatically removed when the VPN connection is terminated. The Windows Server 2003 DHCP Server service supports the configuration of the Classless Static Routes option (option number 249). To use the Classless Static Routes option for split tunneling, configure this option for the scope that corresponds to the intranet subnet to which the VPN server is connected. Next, add the set of routes that correspond to the summarized address space of your organization intranet. For example, if you use the private IP address space for your organization intranet, the Classless Static Routes option would have the following three routes: 10.0.0.0 with the subnet mask of 255.0.0.0 172.16.0.0 with the subnet mask of 255.240.0.0 192.168.0.0 with the subnet mask of 255.255.0.0 The Router IP address for each route added to the Classless Static Routes option should be set to the IP address of a router interface on the intranet subnet to which the VPN server is connected. For example, if the VPN server is connected to the intranet subnet 10.89.211.0/24 and the IP address of the intranet router on this subnet is 10.89.21.1, then set the Router IP address for each route to 10.89.21.1. Note: Do not set the VPN connection to be the default gateway. You will also need Vista SP1 or this You cannot use a remote access server to apply DHCP options to a Windows Vista-based computer hotfix. hope this helps
My System Specs

05-16-2008	#4 (permalink)
timinator Vista Business 4 posts	Re: Split tunneling with cmak Hi, I'm having this problem also and would love to get it solved as more people are trying to connect to our vpn using Vista. I'm a bit confused at the above explaination. My vpn server is a Windows 2003 appliance with a custom front end. I'm not sure how to modify the DHCP scope in the way decribed. Any help would be appreciated. Thanks Tim Last edited by timinator; 05-16-2008 at 09:30 AM.. Reason: spelling
My System Specs

05-19-2008	#5 (permalink)
jasonpgreen Visa Business 32bit 5 posts	Re: Split tunneling with cmak Hi Tim, If you are using Windows 2003 standard Routing and Remote Access, then you just need to set it, in properties, to assign IP addresses via DHCP. Then add the Classless Static routes in the Windows 2003 DHCP server. Cheers Jason
My System Specs

05-19-2008	#6 (permalink)
timinator Vista Business 4 posts	Re: Split tunneling with cmak Jason, the server does supply addresses via DHCP. And also static routes. The front creates the connectoid using CMAK. Here is at look at the routes added by CMAK during the wizard. REMOVE_GATEWAY ADD 172.17.0.0 MASK 255.255.0.0 default METRIC default IF default ADD 172.18.1.10 MASK 255.255.255.255 default METRIC default IF default ADD 192.99.99.163 MASK 255.255.255.255 default METRIC default IF default but on connection from the client, Vista will not allow these commands to run. Thanks Tim
My System Specs

05-22-2008	#7 (permalink)
jasonpgreen Visa Business 32bit 5 posts	Re: Split tunneling with cmak Hi Tim, You need to recreate the CMAK. 1. Remove the part that adds the routes: REMOVE_GATEWAY ADD 172.17.0.0 MASK 255.255.0.0 default METRIC default IF default ADD 172.18.1.10 MASK 255.255.255.255 default METRIC default IF default ADD 192.99.99.163 MASK 255.255.255.255 default METRIC default IF default 2. Make sure you do not select the CMAK VPN as the default route. Then add the Classless Static Routes to you DHCP server as I descibed previously. Then the DHCP serve will provide the required static routes. Cheers Jason
My System Specs

05-22-2008	#8 (permalink)
timinator Vista Business 4 posts	Re: Split tunneling with cmak Thanks for that info. I'm still not sure where to add the classless routes? Is it the server's static routes? Thanks Last edited by timinator; 05-22-2008 at 09:01 AM.. Reason: additional text
My System Specs

05-22-2008	#9 (permalink)
jasonpgreen Visa Business 32bit 5 posts	Re: Split tunneling with cmak Take a look at the attached screen shot. Jason Attached Thumbnails
My System Specs

05-22-2008	#10 (permalink)
timinator Vista Business 4 posts	Re: Split tunneling with cmak I'm not abe to get to that module. The "Manage your Server" or "Configure your Server wizard" are not available in "Adminstrative Tools". Is there a run command to get there? Thanks
My System Specs

Similar Threads
Thread	Forum
Vista CMAK routing problem	Network & Sharing
CMAK in Vista?	Vista networking & sharing
CMAK and Vista RTM.	Vista General
VPN Split tunneling	Vista networking & sharing
PPTP Split Tunneling	Vista General