Solved

Setting Static Routes on Windows VPN Client

Posted on 2007-08-02
Last Modified: 2012-02-08
I have a Windows 2003 AD Network split into two subnets - 192.168.0.x and 192.168.1.x.

On the 192.168.1.x network we have a Draytek Vigor 3300V acting as a VPN Router at 192.168.1.1.

VPN users access the VPN using the standard Windows VPN Client. DHCP gives out IP addresses in the range of 192.168.1.225-250 to new VPN connections.

With the TCP/IP option "Use Default Gateway on Remote Network" turned on, browsing all remote services on both the 192.168.0.x and 192.168.1.x subnets is fine - but of course all Internet traffic is pushed down the VPN route, rather than locally. This is not desirable.

If "Use Default Gateway on Remote Network" is turned off, the end-user can only browse services on the 192.168.1.x subnet, and can't reach the 192.168.0.x subnet.

I've been unable to find a way to use the Windows ROUTE command to add a static route to the 1.x subnet as the IP address of the VPN gateway changes each time the user logs on. It might be 192.168.1.225, next time .226 or .230 - depending on the number of users logged onto the VPN before them.

Can anyone offer any advice as to the best way to set up a Static Route so that 192.168.0.x traffic is routed down the VPN client, but Internet traffic is not?

Regards,

Richard Tubb.
0
Comment
Question by:netlinkrtubb
16 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19616429
One option is to assign the client a static IP. And then add the route. You can do so at the bottom of the "Dial-IN" page of the user's profile in Active Directory.
Should the option be grayed out it means your Domain Functional Level is set to Mixed. Do not raise the functional level without researching the possible repercussions. Having said that with 2003, you should be fine.

I assume the network from which the client is connecting does not use either 192.168.0.x or 192.168.1.x. If so, it will not work. All subnets involved in a VPN connection must be different, or you will have routing issues.
0
 

Author Comment

by:netlinkrtubb
ID: 19616555
Hi RobWill,

Thanks for the advice.

We've already addressed the issue of the VPN client's LAN range being different to the Remote range. We try to set home workers in 192.168.100.x for instance. Therefore that's not generally an issue.

Assigning a Client a Static IP address is one option - but as we've got dozens of VPN clients, but only half a dozen or so who are connected at any one time, wouldn't we run out of IP addresses fairly soon?

I'd still like to see whether it's possible to run, say, a batch file that sets the correct Routing as the VPN client connects, then a log-off script that removes that routing when it disconnects.

Regards,

Richard Tubb.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19616670
No question you could write a batch file. Not my specialty, but it could run IPConfig, extract the PPP address and then insert that in a route command. You could ask in the DOS forum for someone to write it for you.

The other option is you should be able to add the route within RRAS under static routes, but I don't have a 2 NIC server here to try the actual configuration.
0

 

Author Comment

by:netlinkrtubb
ID: 19660607
Hi Rob,

Thanks for the advice.

I'm going to speak to Microsoft to see if they offer any options, but failing that I'll ask in the DOS forum about a batch script.

Will post an update shortly!

Regards,

Richard Tubb.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19661859
Let us know how you make out.
Cheers !
0
 

Author Comment

by:netlinkrtubb
ID: 19712258
Hi,

Well, I've now figured out the correct way to set up the Static Route.

For example, when connecting with the VPN client - getting issued with a 192.168.1.x IP address, in this example 192.168.1.224 - IP settings of  "Use Default Gateway on Remote Network" turned off - as expected you can

ping 192.168.1.x - successfully
ping 192.168.0.x - failure

Manually issuing the command:-

route add 192.168.0.0 mask 255.255.0.0 192.168.1.224 metric 1

means that you can

ping 192.168.1.x - successfully
ping 192.168.0.x - successfully

This is as expected.

The issue I've now got is that the gateway address in the above route command (in that example, 192.168.1.224) changes every time a client connects to the VPN. It may be 192.168.1.224, or it may be .225, .226, .227, etc.

So how to find a way of determining the VPN gateway IP address and automatically using that in a script to be run post-connection!?

Should I close this ticket off and post a new query in the DOS forum for the Batch Script wizards - or can this ticket be ported to that forum to its completion anyway?

Regards,

Richard Tubb.
0
 
LVL 78

Assisted Solution

by:Rob Williams
Rob Williams earned 400 total points
ID: 19714257
You could write a script that will parse the gateway from ipconfig /all and add that to a route command, but there is a much easier way. In Active directory under a user's profile, on the dial-in tab near the bottom there is the option to assign a static IP for dial-up clients. This actually applies to VPN clients as well. If you look at an ipconfig when the VPN is connected you will notice the gateway is always the same as the assigned PPP/virtual IP. This way you can use a static IP in your route.

If you find the option is grayed out, it means your server is still set to a domain functional level of "mixed". In order to "fix" that you need to raise the domain functional level. Very easy to do, but it is not reversible, and once you do so you can no longer have NT4 domain controllers in your domain. If that is not an issue, you are good to go.

Also, you could run into issues with your subnet mask. That route should not really be needed. Effectively you want both:
route add 192.168.0.0 mask 255.255.255.0 192.168.1.224 metric 1
route add 192.168.1.0 mask 255.255.255.0 192.168.1.224 metric 1
but the first should be automatically created by the VPN, so the second should do it. Also the metric is not usually necessary with XP systems, so set a static IP for the VPN client and this route should accomplish the same:
route add 192.168.1.0 mask 255.255.255.0 192.168.1.224


0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19735415
I came across an old script I wrote a while back that I thought might be usable here and I noticed I duplicated the information about assigning a static IP to VPN clients. We had already discussed and ruled that out earlier. Sorry I missed that on the last post.

If I should get this script to work, I'll let you know.
0
 

Author Comment

by:netlinkrtubb
ID: 19736452
Thanks Rob - I'll look forwards to you posting the details of the script.

In the meantime, I've found two web-pages that may be helpful - I'm working through them at the moment.

Automating TCP/IP Networking on Clients: Scripting Basic TCP/IP Networking on Clients
http://www.microsoft.com/technet/scriptcenter/topics/networking/02_atnc_basic.mspx 

Automating TCP/IP Networking on Clients: Scripting Other Network Protocols
http://www.microsoft.com/technet/scriptcenter/topics/networking/07_atnc_othernet.mspx 

I'll report back with my findings shortly.

Regards,

Richard Tubb.
0
 

Author Comment

by:netlinkrtubb
ID: 19941248
Apologies for the delay in updating this ticket.

I'm currently speaking to Microsoft Product Support Services about a solution.

I'd like to be able to post that solution here for future reference, if at all possible?

Regards,

Richard Tubb.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19941365
Personally, Richard I have no objections, as a matter of fact I would be very interested to hear their response.
I never did have any luck with that old script.
--Rob
0
 
LVL 15

Expert Comment

by:Jeff Perkins
ID: 20118016
netlinkrtubb,
Any update on this?   Did you get a resolution from Microsoft?

Riteheer
EE  Cleanup Volunteer
0
 

Accepted Solution

by:
despich earned 1600 total points
ID: 20420579
OK, I found a solution for this. It's kinda messy to set up, but it works fine once it's set up and you don't have to assign a static IP to each VPN user.

Make 2 batch files (I chose to put them in the root of each user's remote machine so they run the fastest).
1st batch file, called adder.bat, has one line in it for each route that you want to add. I needed to add 4 routes, so mine looks like this.

route add 192.168.71.0 MASK 255.255.255.0 %2
route add 10.10.101.0 MASK 255.255.255.0 %2
route add 10.10.102.0 MASK 255.255.255.0 %2
route add 192.168.2.0 MASK 255.255.255.0 %2

Make another Batch file called fixroute.bat that has this in it:

route DELETE 192.168.71.0
route delete 192.168.2.0
route delete 10.10.101.0
route delete 10.10.102.0
route print 192.195.100.0 | find "192.195.100.0" > c:\tempIP.bat
c:\FR.exe c:\tempIP.bat "192.195.100.0" "c:\adder.bat" /O /P
c:\tempip.bat

The 4 route delete statements are to clear out any old routes in preparation for adding the correct ones. The route print statement basically just dumps the route statement that gets created from the VPN, so you have the latest assigned IP that the VPN client setup dumped to the tempip.bat file. In my case our primary network that they VPN into is 192.195.100.0, so that is what I print and then subsequently search for with the find statement.

The FR.EXE line runs a utility program that I have that searches and replaces a string of text within a given text file and replaces with another. You will have to find your own fr.exe program. It's not very expensive though and very handy.

The last line then runs the created .bat file that subsequently calls the adder.bat with the correct command line parameters to add the routes.

Basically I copy the 3 files to root of their C drive (Adder.bat, fixroute.bat and fr.exe) and then make a desktop shortcut called "Fix routing Table" that points to fixroute.bat that the users know to run right after they get the VPN connected. If they bring their laptop back into the office and connect locally they also need to run it again to clear out the (then unneeded) static routes.

There is probably a much smoother way of doing this with a VBscript, but I use what I know.

Dan Espich
IT Administrator
Petroleum Traders
0
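
The same extraction can be done with cmd's built-in `for /f` instead of FR.exe and a generated c:\tempIP.bat, so nothing is written to disk and then executed. This is an added example, not part of the original answer: the network and route values are copied from the post, and it assumes the `route print` column order Destination, Netmask, Gateway, Interface, Metric.

```bat
@echo off
rem Added example (not from the original posts): one script that does the work
rem of adder.bat + fixroute.bat + FR.exe without writing or running a temp .bat.
setlocal

rem Assumption: values copied from the accepted answer; change them for your site.
set "VPNNET=192.195.100.0"
set "ROUTES=192.168.71.0 10.10.101.0 10.10.102.0 192.168.2.0"
set "GW="

rem "route print" columns: Destination  Netmask  Gateway  Interface  Metric.
rem Token 3 of the matching line is the address the VPN assigned this session.
for /f "tokens=3" %%G in ('route print %VPNNET% ^| find "%VPNNET%"') do set "GW=%%G"

if not defined GW (
    echo No route to %VPNNET% found. Is the VPN connected?
    exit /b 1
)

rem Accept only a dotted-quad value. Newer Windows versions can print "On-link"
rem in the gateway column, which must not be passed to "route add".
echo %GW%| findstr /r /x "[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*" >nul
if errorlevel 1 (
    echo Unexpected gateway value "%GW%", no routes changed.
    exit /b 1
)

rem Remove any stale entry, then add the route via the current VPN address.
for %%N in (%ROUTES%) do (
    route delete %%N >nul 2>&1
    route add %%N mask 255.255.255.0 %GW%
)
endlocal
```

Because the script exits before touching the routing table when the gateway column is missing or not an IPv4 address, running it while disconnected leaves existing routes as they are.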
 
LVL 78

Expert Comment

by:Rob Williams
ID: 20427683
Thanks for the update Dan. Looks slick, though I don't quite get how the variable %2 is passed to the adder.bat, but that is likely due to not knowing the syntax of the FR.exe utility. I don't think you can make it much smoother with a batch file, as you say possibly with VBS. The similar batch file I had worked along the same lines, but it was very messy cleaning up the extracted information from the route print or IPConfig /all. The FR utility seems to simplify that.

Glad you were able to resolve.
Cheers !
--Rob
0
 

Author Closing Comment

by:netlinkrtubb
ID: 31407579
Thanks for the assistance all. A combination of speaking to Microsoft Product Support, plus pointers from the Experts here helped me to sort this out. Much appreciated everyone!
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 20608552
Thanks Richard !
--Rob
0


Question has a verified solution.
