VPN client configuration on W2K Question

[Norssak]

I set up my Laptop users (2000 Professional) so that they initiate a dialup connection to Mindspring, then they click a VPN connection to the office.

The problem I am having is that once the VPN connection is established all subsequent internet traffic goes through the VPN connection. This is very inefficient.

Does anyone have any ideas on what to tweak so that only requests for the Office LAN pass through the VPN tunnel, and all internet bound traffic goes through the ISP's gateway?

Currently the VPN clients get a regular DCHP packet (with the LAN gateway & DNS) when they VPN in.

Thanks in advance

 

[cz]

Open your VPN property, click on the TCP/IP protocol and open TCP/IP property, click on the "Advanced..." button and you are in "Advanced TCP/IP settings" dialog, then unckeck "Use default gateway on remote network" under "General" tab.

 

[Shadow07]

Unfortunately, what CZ posted is wrong. If you uncheck the option "Use default gateway on remote network", your VPN client has a chance of loosing the connection. Also, you cannot direct any other type of traffic through your dialup. If your VPN client had two network connections, ie 2 modems or 2 NIC's, then you would be able to configure the client to access the LAN through the VPN connection and access the Internet through the other connection. You cannot achieve this with just one connection. By the very nature of how the VPN clients work, all traffic will be forwarded through the VPN tunnel. There is no way around this, unless you install more than one RAS device.

 

[spidey07]

The MS client cannot do split tunneling? Most VPN clients support this feature but I don't know about the 2000 one.

If the MS client doesn't have this feature then they need to fix it.

I'll do some searching and get back to ya! What kind of VPN device is on the other end?

spidey

 

[Shadow07]

Spidey, it's by the very nature of how a VPN client works. When you estabolish an Internet connection, you get the IP address, DNS settings, etc. Then the client initiates the VPN connection by tunneling through the ISP connection. Once the tunnel has been authenticated, if the VPN protocol supports it like L2TP and not PPTP, then ALL traffic will be tunneled through the VPN tunnel.

If you know diferently, please let me know, as I really hate to give bad advice and be completely wrong. But from what I have read and what has been explained to me, the above statement should be correct.

EDIT: I just had a brain fart. You could be able to split the two connections IF and only IF your VPN connectio to the LAN used a different protocol other than TCP/IP.

 

[cz]

Hey, Shadow, before you say somebody is wrong please check your fact first. What I posted is my working setup here not something out of my imagination. I have never lost any connection due to this VPN configuration.

I have used this setup with dialup modem, cable modem, and now through local LAN on Win2K.

 

[Shadow07]

cz, sorry about the attack. I really did not mean that you were 100% wrong. In this case, I am wrong to claim that Windows 2000 does not support split tunneling. I read somewhere a while ago that someone said that you could not split traffic after you hace created a VPN connection. I know that you can split the tunnel with most hardware VPN solutions, but not with the software clients. I know that Windows 95 and 98 have some issues when you try to split the traffic.

To say that you were wrong was bad judgement on my part. I do not like to come out and fully disclose someone is completely wrong. I understand that in certain situations, what some people say work for them and in other cases it does not.

So, forgive my ignorance, as I go stick my nose in the corner for a while.

 

[cz]

Actually it is not a split tunnelling thing, Shadow. It is a simply routing table fix. On a Win2k machine you can check the routing table difference by using command "Route print" under different settings.

You know that TCP/IP traffic goes out according to the routing table. In this specific case the default setting passes all TCP/IP traffic to the VPN server. While the option is unchecked, only those TCP/IP traffic directed to the VPN connection is sent through the tunnel. Other traffic is directed to ISP server directly outside of the tunnel. This feature works in Win98SE also. I have been using this on both Win98SE and Win2K for at least a year now. The disconnection problem is related to tunnelling performance not routing.

Hope this can clearify the thing a little bit.

 

[Shadow07]

Yes, I understand that Windows would make the routing table entry for any data destined for the LAN to go through the VPN connection, but what I have read and always thought was that the VPN Wrapper would take over all traffic. Thus, any traffic, bound for the Internet or the LAN would pass through the VPN tunnel and then out the LAN Internet Gateway.

After further review, I found that I was wrong. Unfortunately, I haven't setup a Windows 2000 VPN client, but in the past with Windows 95 and 98, I always had problems.

 

[Dark]

Ha I'm too late
I have read somewhere on Ms knowledge base how to fix that using the route command. Basically traffic toward the remote lan would use the vpn and traffic to the internet would use the normal isp gateway. On the vpn i'm using, there is that little icon that is green when the vpn tunnel is used and red when the isp is used.