Using remote client connections (VPN, ISDN, PPTP etc.) for routing in Windows

Preface
Having the need
* to contact many different companies with different infrastructures, and
* to do remote maintenance in their networks
required us to implement a more flexible routing solution. Because RAS, PPTP, L2TP and VPN client connections are not designed to be accessed from a network, you have to use a NAT-capable solution.
In this article I will show how to manage all parts of the necessary configuration tasks.

Prerequisites
This solution requires that the VPN client or dial-out software creates either a pseudo-dynamic dial-out interface, as with PPTP, L2TP and ISDN, or a static network interface (e.g. Cisco VPN Client). Additionally, the LAN has to stay functional while connected - this might be an obstacle, as some VPN clients cut off network access as long as the connection is open (no-split-tunneling policy).

The client or connection can only be routed from XP onwards, as we need a NAT-capable Routing and Remote Access Service (RRAS). Client OSes like XP and Vista do not provide a GUI for RRAS administration; only server OSes do (Windows 2003, 2008), so on a client OS you have to manage it with netsh.

The solution was implemented on XP for OpenVPN clients, and on W2003 for ISDN, PPTP, L2TP, and VPN clients from Cisco and Phion. The configuration methods for XP can be used in the same way on W2003.
Because XP and Vista lack an RRAS GUI, configuring a dial-out connection on those OSes (using netsh) can be painful, so I do not recommend it.


Configuration
The following batch script is needed to allow for routing on client XP. You will have to do this only once for the routing computer. On server OS, you can enable routing in the RRAS properties using the GUI instead (the script below works, too).
 
@echo off
rem Write a .reg file that enables IP forwarding (IPEnableRouter=1)
(
  echo Windows Registry Editor Version 5.00
  echo.
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
  echo "IPEnableRouter"=dword:00000001
) > %temp%\iproute.reg
 
rem Import it silently and synchronously; "start" would return before regedit
rem has read the file, so the del below could remove it too early
regedit /s %temp%\iproute.reg
del %temp%\iproute.reg >nul
 
rem Install the NAT routing protocol and restart RRAS so it picks up the change
netsh routing ip nat install
 
net stop RemoteAccess >nul 2>nul
net start RemoteAccess



The next step is to configure the interface. For dial-out connections, the interface name is the connection name.
If you do not know the exact names to use for the interfaces, look at the output of
 
netsh interface show interface


to list all available interfaces. Some interfaces, like the Cisco VPN one, are not visible until a connection is up, so you might have to start that connection first.
Let's assume a Cisco VPN Client is already installed; set the network information at the beginning of the script accordingly.
 
@echo off
rem Destination network reachable through the VPN (adjust to your environment)
set routenet=172.16.1.0
set routemask=255.255.255.0
(
  rem The VPN interface is the NAT "full" (public) side, LAN and RRAS-internal are private
  echo nat add interface name="Cisco VPN" mode=full
  echo nat add interface name="LAN"       mode=private
  echo nat add interface name="internal"  mode=private
  rem Persistent route so that the remote network is sent through the VPN interface
  echo add persistentroute dest=%routenet% mask=%routemask% name="Cisco VPN" proto=static pref=0 metric=1 view=both
) | netsh -c "routing ip"



Connecting
Having done this, you only need to start the connection. Since that differs for each connection type, I'll show it for the more challenging Cisco VPN, running on the computer RRAS (which allows a local login rras with password rras; the Cisco VPN credentials are %login% and %pwd%, and the Cisco VPN connection name is %ConnectionName%):
 
psexec \\RRAS -accepteula -u RRAS\rras -p rras ^
 -e "C:\Programme\Cisco Systems\VPN Client\vpngui.exe" -c -user %login% -pwd %pwd% %ConnectionName%


psexec is part of the well-known free Sysinternals PsTools suite at www.sysinternals.com (now belonging to Microsoft).

We use a similar technique to start OpenVPN and other clients. For dial-out connections, you only have to set the interface state to connected. Since netsh has a lot of problems when run over the network, we start it remotely on the routing computer, again with psexec:
 
psexec \\RRAS -accepteula -u RRAS\rras -p rras ^
 -e netsh interface set interface %ConnectionName% enabled connected



Of course there are some possible refinements, like switching Cisco VPN into batch mode, error control, redirecting logs and error output ...
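As an added example (not code from the original article), the steps above can be combined into one batch script that runs on the routing computer itself, with the error control and logging just mentioned as refinements. The interface names, the destination network, the Cisco VPN client path and the %login%, %pwd% and %ConnectionName% variables are the ones used in the article; the log file location, the 30-second wait loop and the verification commands (reg query, netsh routing ip nat show interface, netsh routing ip show persistentroutes) are assumptions. If the script is executed from another machine, wrap it with psexec as shown above.

```batch
@echo off
setlocal
rem Added example, not from the original article: one script that checks
rem the prerequisites, starts the VPN, applies NAT/route config and verifies it.
rem Names and paths below are placeholders taken from the article; adjust them.
set "VPNIF=Cisco VPN"
set "LANIF=LAN"
set "ROUTENET=172.16.1.0"
set "ROUTEMASK=255.255.255.0"
set "VPNGUI=C:\Programme\Cisco Systems\VPN Client\vpngui.exe"
set "LOG=%temp%\rras-route.log"

call :log Checking that IP forwarding is enabled on this computer
reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v IPEnableRouter | find /i "0x1" >nul
if errorlevel 1 (
  call :log IPEnableRouter is not set - run the routing preparation script first
  exit /b 1
)

rem %login%, %pwd% and %ConnectionName% are expected in the environment, as in the article
call :log Starting VPN connection %ConnectionName%
start "" "%VPNGUI%" -c -user %login% -pwd %pwd% %ConnectionName%

rem The Cisco interface appears only once the tunnel is up, so poll for it.
rem XP has no "timeout" command; a ping to localhost serves as a one-second sleep.
set /a tries=0
:waitif
netsh interface show interface | find /i "%VPNIF%" >nul
if not errorlevel 1 goto configure
set /a tries+=1
if %tries% geq 30 (
  call :log Interface "%VPNIF%" did not appear within 30 seconds
  exit /b 1
)
ping -n 2 127.0.0.1 >nul
goto waitif

:configure
call :log Adding NAT interfaces and the persistent route
(
  echo nat add interface name="%VPNIF%" mode=full
  echo nat add interface name="%LANIF%" mode=private
  echo nat add interface name="internal" mode=private
  echo add persistentroute dest=%ROUTENET% mask=%ROUTEMASK% name="%VPNIF%" proto=static pref=0 metric=1 view=both
) | netsh -c "routing ip" >>"%LOG%" 2>&1

rem netsh tends to return 0 even when a command inside the script failed,
rem so verify the resulting configuration instead of trusting the exit code.
netsh routing ip nat show interface | find /i "%VPNIF%" >nul
if errorlevel 1 (
  call :log NAT was not enabled on "%VPNIF%" - see %LOG%
  exit /b 1
)
netsh routing ip show persistentroutes | find "%ROUTENET%" >nul
if errorlevel 1 (
  call :log Persistent route to %ROUTENET% is missing - see %LOG%
  exit /b 1
)
call :log Routing via "%VPNIF%" is active
exit /b 0

:log
rem Write a timestamped line to the log file and to the console
echo %date% %time% %* >>"%LOG%"
echo %*
goto :eof
```

The verification step after the netsh block is the part worth keeping even if the rest is adapted: the NAT interface list and the persistent route table are what the routing engine actually uses, so checking them catches a mistyped interface name that netsh would otherwise only report in its output.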
Author:Qlemo
1 Comment
 
LVL 71

Author Comment

by:Qlemo
I (still) recommend using W2003 (R2). Sadly, W2008 and above changed the way the interfaces are presented to RRAS, and I could not manage to make any of the interfaces created by 3rd-party VPN clients visible to the routing/NAT engine.

Juniper's JunOS Pulse can be added to the VPNs testified to work with RRAS.

Not working are:
Cisco AnyConnect Secure Mobility Client  (the SSL VPN replacing the IPSec one, which is EOL now)
Juniper Network Connect (SSL VPN)