LAN Problem


Mathieu

Hi
I have a little problem.

I have Windows XP Pro and I have to use a VPN connection.
My PC is also connected to a LAN. When my VPN connection
is on, I cannot access my LAN, and as soon as my VPN
session is closed, my LAN becomes accessible.

Does someone have an idea how to fix the problem?

Thanks

Mathieu
 
Hi, Mathieu -

This is probably by design; you'll need to talk to the
administrators of the VPN to find out what you can do
about it.

What you're asking for is called split tunneling and most
VPN administrators don't allow it - they route all IP
traffic through the VPN to prevent a workstation from
becoming a bridge between a trusted network and an
untrusted one.

Hope this helps -
 
Mathieu said:
Hi
I have a little problem.

I have Windows XP Pro and I have to use a VPN connection.
My PC is also connected to a LAN. When my VPN connection
is on, I cannot access my LAN, and as soon as my VPN
session is closed, my LAN becomes accessible.

Does someone have an idea how to fix the problem?

Thanks

Mathieu


The VPN connection is altering the routing table.

Since it's taking out the LAN itself, not just external Internet traffic
(which is just a default gateway problem),
I suspect this is a manifestation of an issue I've come across before.

Can you go to the command prompt and do a 'route print'
with the VPN disconnected, and then again with the VPN up.

Copy and paste the 2 route tables in a reply to this message.

The reason I ask for this information is I have a suspicion the problem is
this:

I have a suspicion your LAN is using a private IP address range,
for example 10.x.x.x, and the VPN is assigning a similar address, like
10.x.x.x.
The VPN client does not use a subnet mask to determine the routing.
It uses the IP address 'class' and assumes a subnet mask of 255.0.0.0, which
routes the *entire* 10.x.x.x subnet down the VPN.
This makes the 'local' 10.x.x.x subnet unreachable.

There's no way to delete this massive route hijacking and replace
it with a more specific subnetted route for the VPN, excluding the local
subnet.

To quote from:
http://www.microsoft.com/technet/itsolutions/network/deploy/depovg/vpndeply.mspx

"When the Use default gateway on remote network check box is cleared,
a default route is not created, however, a route corresponding to the
Internet address class of the assigned IP address is created. For
example, if the address assigned during the connection process is
10.0.12.119,
the Windows 2000 and Windows XP VPN client creates a route for the
class-based network ID 10.0.0.0 with the subnet mask 255.0.0.0. "

I need to inspect the route tables to confirm this.

If this does turn out to be the problem, the only fix would be to
move the LAN to a different private IP address range, like 192.168.0.x.
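
The class-based route described in the quoted TechNet text, worked through as an added example (not code from any poster in this thread): it derives the route the client would create for an assigned address and applies ordinary IP route selection (longest prefix first, lowest metric on a tie) to a two-entry table. The function names, the metric values and the LAN ranges other than 192.168.0.x are constructed for illustration.

```python
import ipaddress

def classful_route(assigned_ip):
    """Network the client routes into the tunnel, per the quoted TechNet text:
    the class-based network ID of the assigned address with its default mask."""
    ip = ipaddress.IPv4Address(assigned_ip)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8       # class A -> 255.0.0.0
    elif first_octet < 192:
        prefix = 16      # class B -> 255.255.0.0
    elif first_octet < 224:
        prefix = 24      # class C -> 255.255.255.0
    else:
        raise ValueError(f"{ip} is not a class A/B/C address")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def pick_interface(dest, routes):
    """Route selection: longest prefix wins, lowest metric breaks ties.
    routes is a list of (network, metric, interface) tuples."""
    dest = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[1]))[2]

def table_with_vpn(lan_cidr, assigned_ip, lan_metric=20, vpn_metric=1):
    """Constructed table: on-link LAN route plus the class-based VPN route.
    Metric values are sample numbers, not taken from the thread."""
    return [
        (ipaddress.ip_network(lan_cidr), lan_metric, "LAN"),
        (classful_route(assigned_ip), vpn_metric, "VPN"),
    ]

if __name__ == "__main__":
    vpn_ip = "10.0.12.119"   # address used in the quoted TechNet example
    cases = [("10.0.0.0/8", "10.1.1.5"),        # LAN on the class default mask
             ("10.1.1.0/24", "10.1.1.5"),       # subnetted LAN, on-link host
             ("10.1.1.0/24", "10.2.0.9"),       # other 10.x subnet, no specific route
             ("192.168.0.0/24", "192.168.0.5")] # LAN moved to 192.168.0.x
    for lan, host in cases:
        print(lan, host, "->", pick_interface(host, table_with_vpn(lan, vpn_ip)))
```

Comparing the two `route print` outputs requested above against this model shows whether the LAN range falls inside the class-based route and which entry wins for a given LAN host.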
 
"Ron Lowe" said:
[snip]
To quote from:
http://www.microsoft.com/technet/itsolutions/network/deploy/depovg/vpndeply.mspx

"When the Use default gateway on remote network check box is cleared,
a default route is not created, however, a route corresponding to the
Internet address class of the assigned IP address is created. For
example, if the address assigned during the connection process is
10.0.12.119,
the Windows 2000 and Windows XP VPN client creates a route for the
class-based network ID 10.0.0.0 with the subnet mask 255.0.0.0. "

Hi, Ron. I'd say that's a bug, not a feature. I've run into it
before when using a dial-up Internet connection, where it hijacked the
entire 32.0.0.0/255.0.0.0 subnet, even though my dial-up ISP only owns
a tiny fraction of that subnet.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Hi, Ron. I'd say that's a bug, not a feature. I've run into it
before when using a dial-up Internet connection, where it hijacked the
entire 32.0.0.0/255.0.0.0 subnet, even though my dial-up ISP only owns
a tiny fraction of that subnet.



Yes, I remember the discussion.

It does seem that it was intentionally designed that way,
but goodness knows why.

It does seem bizarre that when an IP address is being assigned,
there can't be a subnet mask assigned with it.

Did you ever query the rationale behind this design 'feature'?
 
