Split tunneling with cmak

Hi

I have made a cmak vpn connection, wich have added some routes and removed
the default gateway so both intranet and the user's own internet gateway is
available. Now this works on Windows XP but it doesnt in Vista, and i think
its some security issue. I have turned of UAC and have no third party
firewall. The intranet is available but the internet is not. Googled for a
solution but it doenst seem like there is one and its a know issue for many
people.Please advice if you have any thoughts on this.

Thank you.

Martin Rhodin

Hi,

I have got a workaround for this issue. While installing the dialer make
sure that it is installed using "My use only" option which is default. Next,
I haven't tried this with UAC disabled, it works for sure when UAC is
enabled. Try it let me know the status.

Thanks

Ashish Pingle

"Martin Rhodin" wrote:

I've found a work around for this. Instead of using the CMAK Rounting Table update, ues the Classless Static Routes DHCP Option.

Using the Classless Static Routes DHCP Option

Windows 2000, Windows XP, and Windows Server 2003-based VPN clients send a DHCPInform message to the VPN server, requesting a set of DHCP options. This is done so that the VPN client can obtain an updated list of DNS and WINS servers and a DNS domain name that is assigned to the VPN connection. The DHCPInform message is forwarded to a DHCP server on the organization intranet by the VPN server and the response is sent back to the VPN client.
Windows XP and Windows Server 2003-based VPN clients include the Classless Static Routes DHCP option in their list of requested DHCP options. If configured on the DHCP server, the Classless Static Routes DHCP option contains a set of routes representing the address space of your intranet. These routes are automatically added to the routing table of the requesting client when it receives the response to the DHCPInform message and automatically removed when the VPN connection is terminated.
The Windows Server 2003 DHCP Server service supports the configuration of the Classless Static Routes option (option number 249).

To use the Classless Static Routes option for split tunneling, configure this option for the scope that corresponds to the intranet subnet to which the VPN server is connected. Next, add the set of routes that correspond to the summarized address space of your organization intranet. For example, if you use the private IP address space for your organization intranet, the Classless Static Routes option would have the following three routes:

• 10.0.0.0 with the subnet mask of 255.0.0.0
• 172.16.0.0 with the subnet mask of 255.240.0.0
• 192.168.0.0 with the subnet mask of 255.255.0.0

The Router IP address for each route added to the Classless Static Routes option should be set to the IP address of a router interface on the intranet subnet to which the VPN server is connected. For example, if the VPN server is connected to the intranet subnet 10.89.211.0/24 and the IP address of the intranet router on this subnet is 10.89.21.1, then set the Router IP address for each route to 10.89.21.1.

Note:

Do not set the VPN connection to be the default gateway.

You will also need Vista SP1 or this You cannot use a remote access server to apply DHCP options to a Windows Vista-based computer hotfix.

hope this helps

Hi, I'm having this problem also and would love to get it solved as more people are trying to connect to our vpn using Vista. I'm a bit confused at the above explaination. My vpn server is a Windows 2003 appliance with a custom front end. I'm not sure how to modify the DHCP scope in the way decribed. Any help would be appreciated.

Thanks
Tim

Hi Tim,

If you are using Windows 2003 standard Routing and Remote Access, then you just need to set it, in properties, to assign IP addresses via DHCP. Then add the Classless Static routes in the Windows 2003 DHCP server.

Cheers

Jason

Jason, the server does supply addresses via DHCP. And also static routes. The front creates the connectoid using CMAK. Here is at look at the routes added by CMAK during the wizard.

REMOVE_GATEWAY
ADD 172.17.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 172.18.1.10 MASK 255.255.255.255 default METRIC default IF default
ADD 192.99.99.163 MASK 255.255.255.255 default METRIC default IF default

but on connection from the client, Vista will not allow these commands to run.

Thanks
Tim

Hi Tim,

You need to recreate the CMAK.

1. Remove the part that adds the routes:
REMOVE_GATEWAY
ADD 172.17.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 172.18.1.10 MASK 255.255.255.255 default METRIC default IF default
ADD 192.99.99.163 MASK 255.255.255.255 default METRIC default IF default

2. Make sure you do not select the CMAK VPN as the default route.

Then add the Classless Static Routes to you DHCP server as I descibed previously. Then the DHCP serve will provide the required static routes.

Cheers

Jason

Thanks for that info. I'm still not sure where to add the classless routes? Is it the server's static routes?


Thanks

Take a look at the attached screen shot.

Jason

I'm not abe to get to that module. The "Manage your Server" or "Configure your Server wizard" are not available in "Adminstrative Tools". Is there a run command to get there?

Thanks