fsbsupport asked:
Add a default route to VPN connection?

Hi,
  I have an RRAS server configured on Windows Server 2003. Users connect in via VPN and the system issues them a 192.168.1.x address. What I need to do is add a route each time a user connects, so that all 10.70.70.0 traffic is directed through the VPN and all other traffic goes via the internet. But if I add a route on my system, the next time the VPN is reconnected the IP address may have changed and the route will no longer work. How can I configure this?
Rob Williams:
You need to configure the users to obtain a specific IP each time. This can be accomplished by assigning the user an IP in their profile in Active Directory, at the bottom of the Dial-in page.
If by any chance this is grayed out, likely your server is in Windows 2000 mixed domain mode. To verify, open Active Directory, right-click on the server name and choose "Raise domain functional level". DO NOT click raise !!!!  Just check what it says as "current domain functional level", and choose cancel. If this is the problem then you need to raise the level. Easy to do, but do not make this change without carefully examining the repercussions, the primary one being that NT servers can no longer be part of the domain.
http://support.microsoft.com/kb/303684

Once the user has a static IP you can add a static route in RRAS, in a users batch file, or if logon scripts work with your configuration, you can do so there as well, such as:
route add  10.70.70.0 mask 255.255.255.0 192.168.1.x
I have never used it, but there is also an option to add a static route on the Dial-in page of the user's profile.

Just a "heads up": the local and remote site subnets must be different with VPNs. 192.168.1.0/24 is extremely common. You might want to avoid common subnets so that there will not be conflicts with various sites.
fsbsupport (asker):
Thanks for your input, but I ideally need to use dynamic addressing. Currently we have the need for over 300 VPN users, which will result in many connections, and it is just not possible to assign static addresses to everyone. I'm trying to use the Connection Manager Administration Kit within Longhorn server to configure the exe packages for Vista and XP by adding a separate route file comprising the following:

add 10.70.70.1 mask 255.255.255.0 %1

The %1 apparently substitutes the default VPN route in place of the %1 when adding to the routing table. However, when trying to run this I'm receiving an error regarding permissions within Vista. I'm almost there; if you can think of anything that might help I'd appreciate it.

Thanks
I am not great with batch files but the following might work. Untested:

If Exist Result1.txt del Result1.txt
IPConfig >Result1.txt
For /F "tokens=2 delims=:" %%A IN ('Find /I "Address" Result1.txt') Do Set NewIP=%%A
Rem  ---------
Rem test output (to be removed)
Echo %NewIP%
pause
Rem  ----------
Rem Delete existing route if any
route delete 10.70.70.0
route add 10.70.70.0 mask 255.255.255.0 %NewIP%
Del Result1.txt
Set NewIP=Nul
Actually, just tested. I forgot IPConfig is going to return more than one "address".
On the system I just tested I had to change the 3rd line to:
For /F "tokens=2 delims=:2" %%A IN ....................
                                         ^
because the PPP adapter was second.
This should work fine if there is only one network adapter, but if they have a 2nd NIC or wireless card you will have to add a way to filter out the PPP address.

Might want to add to the start:
Echo off
Cls
to clean up the output

By the way with Vista if you are having problems there look into running in virtual mode. No idea what I am talking about, but somebody in a seminar touched on it one time. Didn't pay much attention at the time, but had to do with permissions and command line and/or 16 bit compatibility. However shouldn't be affected when used as a script, such as in login scripts.
Actually, I wasn't thinking; the following works by changing "address" to "192.168.1".
However, you will have problems if a second adapter uses the same subnet. This won't matter though, as mentioned above, since your VPN will not work if that is the case anyway.


Echo off
Cls
If Exist Result1.txt del Result1.txt
IPConfig >Result1.txt
For /F "tokens=2 delims=:" %%A IN ('Find /I "192.168.1" Result1.txt') Do Set NewIP=%%A
Rem ---------
Rem test output (to be removed)
Echo %NewIP%
pause
Rem ----------
Rem Delete existing route if any
route delete 10.70.70.0
route add 10.70.70.0 mask 255.255.255.0 %NewIP%
Del Result1.txt
Set NewIP=Nul
Hi RobWill,
     Thanks for this. I'm attempting to run this on a Windows Vista machine as a separate batch file once the VPN is connected, and I'm receiving the following error:

 fe80
Press any key to continue
 OK!
The route addition failed: The parameter is incorrect.

What os did you test this on?  Do you have any ideas?

Thanks
RobWill,
    I've amended your script slightly and it works brilliantly, but not in Vista, which is what I'm creating it for. In Vista it displays FE80 (IPv6) as the IP address being output, although I've specifically entered the correct one. The new script which is working is:

Echo off
Cls
If Exist vpn.txt del vpn.txt
IPConfig >vpn.txt
For /F "tokens=2 delims=:" %%A IN ('Find /I "192.168.1" vpn.txt') Do Set NewIP=%%A
Echo %NewIP%
route add 10.70.70.0 mask 255.255.255.0 %NewIP%
Del vpn.txt
Set NewIP=Nul

Do you have any ideas?

Thanks
It was on XP, and it seemed to find the correct IP and correctly add the route, as verified by Route Print.

By the way, it will only work if the VPN is connected.

However based on the return; "fe80" I would say that is because IPv6 is enabled on the machine. It is by default with Vista. It's trying to add the wrong route.
Will have to adjust the script. I don't have a Vista machine here. I am on the way out for a few hours, but I can grab my laptop and test/modify with Vista later.

The other option would be to remove IPV6, by either disabling under TCP/IP properties or at a command line enter:
netsh interface    [then press ENTER ]
ipv6 uninstall      [then press ENTER ]
However this is "dealing with the symptoms and not the problem". Might be best long term to fix the script.
Sorry I was typing and missed your last post.
As soon as I get a hold of a Vista box I'll see if I can tweak.
--Rob
I am still "on the fly", but had a chance to play with Vista for a while. The following worked fine, but I should look at whether it would work in all situations. The problem is the ver4 address is part of a ver6 address later in the ipconfig output. As I say, this works, but could likely be written much better and simpler by a DOS expert.

Echo off
Cls
If Exist Result1.txt del Result1.txt
If Exist Result2.txt del Result2.txt
IPConfig >Result1.txt
For /F "tokens=4 delims=:" %%A IN ('Find /I "192.168.1" Result1.txt') Do Echo %%A >Result2.txt
For /F "tokens=1 delims=%%" %%B IN (Result2.txt) Do Set NewIP=%%B
Rem ---------
Rem test output (to be removed)
Echo %NewIP%
pause
Rem ----------
Rem Delete existing route if any
rem route delete 10.70.70.0
rem route add 10.70.70.0 mask 255.255.255.0 %NewIP%
Del Result1.txt
Del Result2.txt
Set NewIP=Nul
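A parser for the ipconfig output this thread is wrestling with, added here as an example and not code from any of the posters (the adapter names and the sample output are constructed): it reads the address only from "IP Address"/"IPv4 Address" lines, so the ISATAP fe80:: line that embeds the VPN address cannot be picked up, ties each address to its adapter so the PPP adapter can be chosen explicitly, and refuses to build the route when a second adapter overlaps the RRAS pool, then emits the same route add line the batch scripts issue.

```python
import re
import ipaddress

# Constructed Vista-style ipconfig output (not from a real host). The ISATAP tunnel embeds
# the VPN IPv4 address in an fe80:: address, which is what the "tokens=2" scripts picked up.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%10
   IPv4 Address. . . . . . . . . . . : 192.168.0.15

PPP adapter Office VPN:
   IPv4 Address. . . . . . . . . . . : 192.168.1.37

Tunnel adapter isatap.{9A1B2C3D}:
   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.37%14
"""

ADAPTER_RE = re.compile(r"^(\S+) adapter (.+):$")
# Matches XP's "IP Address" and Vista's "IPv4 Address" lines only, never fe80:: lines.
IPV4_RE = re.compile(r"^\s*IP(?:v4)? Address[ .]*:\s*(\d+\.\d+\.\d+\.\d+)")

def parse_ipv4_addresses(text):
    """Return {(adapter kind, adapter name): IPv4 address} from ipconfig output."""
    result, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = IPV4_RE.match(line)
        if m and current:
            result[current] = m.group(1)
    return result

def vpn_gateway(text, pool):
    """Address of the PPP adapter inside the RRAS pool; fails if the VPN is down or a second adapter overlaps the pool."""
    net = ipaddress.ip_network(pool)
    hits = [(k, n, ip) for (k, n), ip in parse_ipv4_addresses(text).items()
            if ipaddress.ip_address(ip) in net]
    if len(hits) != 1:
        raise RuntimeError("expected one adapter in %s, found %r" % (pool, hits))
    kind, name, ip = hits[0]
    if kind != "PPP":
        raise RuntimeError("%s belongs to %s adapter %r, not the VPN" % (ip, kind, name))
    return ip

def route_command(text, pool="192.168.1.0/24", subnet="10.70.70.0", mask="255.255.255.0"):
    """The same 'route add' line the batch scripts issue, with the VPN address as next hop."""
    return "route add %s mask %s %s" % (subnet, mask, vpn_gateway(text, pool))
```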
ASKER CERTIFIED SOLUTION
Rob Williams
Thanks RobWill, your last post is exactly what I needed. Thanks for your time and patience, points well earned.
Always fun. Thanks fsbsupport.
Cheers !
--Rob
I had similar problems, but a little trickier. There were RAS users who did not want to use the remote default gateway, but still wanted to retain access to remote subnetworks. The problem was that the IF number was required every time "route add" was used, AND it was different every time a VPN connection was made.
The solution was scripted by me, using an example above. By the way, you don't have to use intermediate txt files to push data between commands; data piping is available in the default Windows cmd.

Here is the code example:
For /F "tokens=1" %%A IN ('"route print | find /I "000""') Do Set IFNUM=%%A
route delete 10.250.0.2
route add 10.250.0.2 10.252.240.1 IF %IFNUM%


A user connects to our office LAN from Hong Kong, through our SonicWall SSL-VPN 200 device.
Our office LAN is 192.168.5.0.
The router at his residence in Hong Kong is 192.168.0.2.
When he connects to our VPN, his computer gets assigned an IP address within the range 192.168.5.150 - 192.168.5.170.
When he connects to VPN, a route print on his computer usually shows the gateway for our office network (192.168.5.0) to be 192.168.0.2.
I told him to run the attached (slightly modified) version of RobWill's script above on his (Windows Vista) computer. On his first attempt to run the BAT file, he got an error message, saying "operation not allowed." He then ran the BAT file as "Administrator." There was no error message, but the gateway for 192.168.5.0 network changed to "on-link."
Why is the gateway not changing properly? How can I change it successfully?
Echo off
Cls
If Exist Result1.txt del Result1.txt
If Exist Result2.txt del Result2.txt
IPConfig >Result1.txt
Find /I "IPv4 Address. . . . . . . . . . . : 192.168.5." Result1.txt >Result2.txt
For /F "tokens=2 delims=:" %%A IN (Result2.txt) Do Set NewIP=%%A
 
Rem Delete existing route if any
route delete 192.168.5.0
route add 192.168.5.0 mask 255.255.255.0 %NewIP%
Del Result1.txt
Del Result2.txt
 
Echo %NewIP%
pause
 
Set NewIP=Nul


It would be good if you checked the code before you pasted it.

@Echo off
set IFNUM=
For /F "tokens=2 delims=:" %%A IN ('"IPConfig | find /I "IPv4 Address. . . . . . . . . . . : 192.168.2.""') Do Set IFNUM=%%A
route delete 192.168.10.0
route add 192.168.10.0 mask 255.255.255.0 %IFNUM%
