Users unable to accept a particular subnet when connected to the VPN

Lab_Tech
I have a Microsoft 2003sp2 Standard RRAS server. My network is designed such that I have a subnet 192.168.2.0/24 where my DNS server is. My home users in some cases have their LAN with 192.168.2.0/24. Once these users who have their home LAN on the 192.168.2.0/24 subnet connect to the VPN they can go anywhere EXCEPT to 192.168.2.0/24 subnet. As for all the other users whose home network has a number other than 192.168.2.0/24, they have no problems connecting.
In a few cases, I've changed the user's home network from 192.168.2.0/24 to 192.168.0.0/24. Once the change has been made they have no problem seeing my 192.168.2.0/24 subnet.
All opinions appreciated.
Thanks
Nik

Commented:
In cases where the home user's subnet matches that of your company subnet, this will always happen, because the home user's network interface thinks (or rather knows, via the routing table) that the 192.168.2.0 subnet is directly attached to the home user's NIC, so it will always attempt to communicate with that subnet over the home user's NIC rather than using the virtual VPN interface created when connecting to the VPN.

Your RRAS box does not know how to route the traffic, as it has the same subnet on both interfaces.

The typical solution to this is to allocate all internal addresses via DHCP, and have the RRAS server allocate addresses from a static pool.

Author

Commented:
The RRAS is already issuing addresses via DHCP which the clients get without any issues. As mentioned before they can get to anywhere EXCEPT to the 2.0 subnet.

Commented:
As I said:

The typical solution to this is to allocate all INTERNAL addresses via DHCP, and have the RRAS server allocate addresses from a static pool (from a different subnet).

Author

Commented:
Ignatius A:
I will test your solution and report to you tomorrow.
Thanks
Nik

Author

Commented:
Ignatius:
Sorry, I had missed your "from a different subnet".
The clients are already getting an address from a different subnet. The clients are getting addresses from the 192.168.18.0/24 subnet. They can ping the 18.0, 17.0 and all other subnets except 2.0.

Commented:
Is the laptop VPNing in from a different NIC?

for example, is the laptop usually wifi but wired at home or vice versa? If so, you could disable the inactive interface

The issue is (usually)  that the laptop thinks it has 2 interfaces.

Nic 1 192.168.18.X (the VPN interface)
Nic 2 192.168.2.0 ( the local network interface)

When the remote system is on 192.168.2, the laptop tries to send through the local interface rather than through the VPN.

Another possibility: Is it possible that the user's home network is on 192.168.2? (I've had home LANs which were set up by default to 192.168.0, 192.168.1, and 192.168.123 in the past.) Would modifying this help? (I can see you probably wouldn't want to change the business network.)

You could also check out

http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html

it's isa focussed, but the majority of the stuff in there is still valid (esp the vpn config)

Author

Commented:
Yep! The user's home network is 192.168.2.0/24. Once this is changed to, let's say, 192.168.1.0/24 or 192.168.2.0/24, basically anything besides 192.168.2.0/24, they can work OK without any hindrances.
I did disable the wired and enable the wireless, and then disable the wireless and enable the wired, and the problem still persisted.
Thanks for the link. I will look through it and report later; at the same time I will try to simulate the environment to see what I can tweak. If I may mention, this problem only started occurring when we implemented the RRAS; we have a Nortel VPN solution which had no problem like this.
Thanks

Commented:
If you disable split tunneling on the VPN client, it should force all traffic through the VPN interface. If that doesn't work, your only other option is changing either the home user's subnet or that one corporate subnet to something else.

Author

Commented:
My conclusion is this is a WindowsXP issue. I'm testing and the Windows 7 computers connect and can get to their resources on the 192.168.2.0/24 subnet without any issues. However, in the same environment WindowsXP cannot. Split tunnelling does not solve this problem either.

Commented:
It might be a WinXP issue in the way Windows XP handles its routes differently from Windows 7, but ultimately it's a routing issue, which should be addressable regardless of the OS. The problem you are having isn't unusual; it's a fact for a lot of VPN users. I don't know if Windows 7 added some new way to address this, but if it works by default then maybe. What VPN client are you using? Can you post the results of a route print from one of your problem home users while having an active connection to the VPN?

Author

Commented:
The VPN client I'm using is the built in Windows PPTP client. Also I agree it's a routing issue. It's a routing issue probably in the way WinXP handles the VPN by default. If I explicitly add the route (route add 192.168.2.0 mask 255.255.255.0 IPAddressFromLocalVPNInterface) they can then connect. However, it would serve me no good having the users add a route for this whenever they connect and yes I know I can let them add a persistent route, but that is not what I want. This should be - as you said - addressable regardless.
------------- Before I manually add the route to 192.168.2.0 -----------
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 08 02 ea 8b c4 ...... Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler Miniport
0x3 ...00 14 bf 03 8e 40 ...... Linksys Wireless-G Notebook Adapter WPC54GS Ver.1 - Packet Scheduler Miniport
0x4 ...44 45 53 54 42 00 ...... Nortel IPSECSHM Adapter - Packet Scheduler Miniport
0x20006 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100        26
          0.0.0.0          0.0.0.0   192.168.18.169  192.168.18.169        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100        25
    192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1        25
    192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100        25
     192.168.18.0    255.255.255.0   192.168.18.169  192.168.18.169        1
   192.168.18.169  255.255.255.255        127.0.0.1       127.0.0.1        50
   192.168.18.255  255.255.255.255   192.168.18.169  192.168.18.169        50
   209.202.94.235  255.255.255.255      192.168.2.1   192.168.2.100        25
        224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100        25
        224.0.0.0        240.0.0.0   192.168.18.169  192.168.18.169        1
  255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100        1
  255.255.255.255  255.255.255.255   192.168.18.169               2        1
  255.255.255.255  255.255.255.255   192.168.18.169  192.168.18.169        1
  255.255.255.255  255.255.255.255   192.168.18.169               4        1
Default Gateway:    192.168.18.169
===========================================================================
Persistent Routes:
  None
------------------ END ----------------------------------------

------------- AFTER I MANUALLY ADD THE ROUTE TO 192.168.2.0 ------------
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 08 02 ea 8b c4 ...... Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler Miniport
0x3 ...00 14 bf 03 8e 40 ...... Linksys Wireless-G Notebook Adapter WPC54GS Ver.1 - Packet Scheduler Miniport
0x4 ...44 45 53 54 42 00 ...... Nortel IPSECSHM Adapter - Packet Scheduler Miniport
0x20006 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100        26
          0.0.0.0          0.0.0.0   192.168.18.169  192.168.18.169        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100        25
      192.168.2.0    255.255.255.0   192.168.18.169  192.168.18.169        1
    192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1        25
    192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100        25
     192.168.18.0    255.255.255.0   192.168.18.169  192.168.18.169        1
   192.168.18.169  255.255.255.255        127.0.0.1       127.0.0.1        50
   192.168.18.255  255.255.255.255   192.168.18.169  192.168.18.169        50
   209.202.94.235  255.255.255.255      192.168.2.1   192.168.2.100        25
        224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100        25
        224.0.0.0        240.0.0.0   192.168.18.169  192.168.18.169        1
  255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100        1
  255.255.255.255  255.255.255.255   192.168.18.169               2        1
  255.255.255.255  255.255.255.255   192.168.18.169  192.168.18.169        1
  255.255.255.255  255.255.255.255   192.168.18.169               4        1
Default Gateway:    192.168.18.169
===========================================================================
Persistent Routes:
  None
--------------- END -----------------------------------------
Any thoughts?!
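The two route prints above show exactly why the manual route fixes the problem: Windows picks the longest matching prefix first and only then the lowest metric, so before the `route add` the only /24 route for 192.168.2.0 points at the local NIC (metric 25), and afterwards a second /24 route with metric 1 via the PPP interface wins. The following script is an added example, not code from the thread; it parses a constructed excerpt of those `route print` rows and applies that selection rule.

```python
import ipaddress

# Constructed excerpt of the "Active Routes" rows from the route print above,
# before the manual "route add": only the rows that decide 192.168.2.x traffic.
ROUTE_PRINT_BEFORE = """\
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100        26
          0.0.0.0          0.0.0.0   192.168.18.169  192.168.18.169        1
      192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100        25
     192.168.18.0    255.255.255.0   192.168.18.169  192.168.18.169        1
"""
# The same rows after "route add 192.168.2.0 mask 255.255.255.0 192.168.18.169".
ROUTE_PRINT_AFTER = ROUTE_PRINT_BEFORE + (
    "      192.168.2.0    255.255.255.0   192.168.18.169  192.168.18.169        1\n"
)


def parse_routes(text):
    """Turn 'route print' rows into (network, gateway, interface, metric) tuples.
    Header, separator and interface-list lines do not have five fields that
    parse as dest/mask/gateway/interface/metric, so they are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue
        routes.append((net, gateway, iface, int(metric)))
    return routes


def best_route(routes, destination):
    """Windows route selection: the longest matching prefix wins and ties are
    broken by the lowest metric. Returns the interface address the packet
    leaves from, or None when nothing matches."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, gateway, iface, metric = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return iface


if __name__ == "__main__":
    for label, table in (("before", ROUTE_PRINT_BEFORE), ("after", ROUTE_PRINT_AFTER)):
        print(label, "-> 192.168.2.50 leaves via", best_route(parse_routes(table), "192.168.2.50"))
```

Feeding the full `route print` output to `parse_routes` works as well; running it against a problem user's table shows at a glance which interface a given corporate address is being sent through.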

Commented:
I think you have pretty much covered the gamut of options you can do in WinXP. You can:

1. Add a static route on the home user's pc with a lower metric as above
2. Configure the vpn client to disable split tunneling
3. Change the subnet number at either the home or office location

The only way to do it automatically is to have your VPN client push the static route you added in the above example to the home user, so that you don't have to do it manually every time.

Author

Commented:
Any ideas on where in the registry I may be able to find the PPTP entries? Hopefully through this I can probably add a metric for the VPN connection. On the Win 7 VPN connection you can set the metric; however, in WinXP you cannot directly. It's at least worth a try.

Commented:
This is to help your clients, if or when anyone else encounters this problem in the future.
This solution is specific to Windows Server 2003 and Windows XP. It may work with prior versions but I'm not going to vouch for that.
Assuming your VPN clients are getting an IP Address being relayed through the RRAS server
1. Open your DHCP Server Console
2. Select the Scope which your clients obtain their address from
3. Right Click and select Configure Options
4. Select 249 Classless Static Routes
5. Click add routes and add your destination subnet - in my case that was 192.168.2.0/24
6. Select the Router - which in this case should be the gateway of the RRAS Server ip configuration
7. Click OK, then OK again.

When the clients connect they should no longer have any issues.
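What the DHCP console builds from those seven steps is a single option 249 value, which uses the classless static route layout of RFC 3442 (the IETF code is 121; Microsoft's Windows XP/2003 clients read 249). The encoder and decoder below are an added example, not code from the thread; the router address 192.168.18.1 is an assumed value standing in for "the gateway of the RRAS server IP configuration" from step 6.

```python
import ipaddress

# Microsoft's option code for classless static routes; RFC 3442 assigns 121
# to the same payload layout.
OPTION_CLASSLESS_STATIC_ROUTE_MS = 249


def encode_classless_routes(routes):
    """Encode [(destination_cidr, router)] as the option payload.
    Each entry: one byte of prefix length, only the significant destination
    octets (ceil(prefix/8) of them), then the four-byte router address."""
    payload = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr)  # strict: rejects host bits in the destination
        n_octets = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:n_octets]
        payload += ipaddress.IPv4Address(router).packed
    return bytes(payload)


def build_option(routes):
    """Wrap the payload as a DHCP option TLV: code, length, value."""
    payload = encode_classless_routes(routes)
    if len(payload) > 255:
        raise ValueError("option payload exceeds one DHCP option (255 bytes)")
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE_MS, len(payload)]) + payload


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; rejects truncated or malformed entries."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n_octets = (plen + 7) // 8
        i += 1
        if i + n_octets + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + n_octets].ljust(4, b"\x00")  # pad back to four octets
        router = payload[i + n_octets:i + n_octets + 4]
        i += n_octets + 4
        net = ipaddress.IPv4Network((dest, plen))  # strict: malformed host bits raise
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


if __name__ == "__main__":
    # Assumed router value; the thread says to use the RRAS server's gateway.
    print(build_option([("192.168.2.0/24", "192.168.18.1")]).hex(" "))
```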
