"route"ing around vpn connection


Daniel Pratt

Occasionally I need to connect to a client's network via VPN. As long as the
connection is up I cannot connect to the general internet. The VPN adapter
becomes the default gateway and all internet traffic is (incorrectly) routed
across the VPN. This is an annoyance and I'm pretty sure there's a
straightforward way to fix it.

I'm assuming what I need to do is use the "route" command to alter the
routing table so that general traffic is routed over the LAN vs. the VPN.
When the VPN connection is "up" a few entries are added to the routing
table. I think the offending entry may be this one:

Network Destination  Netmask  Gateway         Interface       Metric
0.0.0.0              0.0.0.0  192.168.20.101  192.168.20.101  1

There is already an entry that looks like this:

Network Destination  Netmask  Gateway         Interface       Metric
0.0.0.0              0.0.0.0  192.168.10.1    192.168.10.57   21 (20 when VPN is disconnected)

I know that 192.168.20.101 is the address of the VPN adapter and
192.168.10.57 is the address of the LAN adapter. My limited understanding of
routing tables makes me believe that general traffic will be routed to the
VPN adapter via these entries. I thought that deleting the VPN route would
fix the internet traffic problem, but it did not. It did break the VPN
traffic, though. I'm thinking I want to route all 192.168.20.* traffic to
the VPN adapter and all other traffic to the LAN adapter.

Thanks for any help.

Regards,
Dan
 

Steve Winograd [MVP]

Your diagnosis looks right to me. The "0.0.0.0" entries are default
routes, used to connect to all IP addresses that aren't on a local
area network. When there's more than one default route, the system
uses the one with the lowest metric, which is the VPN (1 vs. 21).

The simplest solution is to prevent the VPN connection from creating a
default route. Go into the VPN connection's Properties | Networking |
Internet Protocol (TCP/IP) | Properties | Advanced and un-check "Use
default gateway on remote network".

Two notes of caution:

1. If you VPN into a corporate network, tell the IT staff what you
want to do and ask them whether "split tunneling" (connecting
simultaneously to the VPN and the Internet on the same computer) is
allowed. Some companies forbid it because of the security risk to the
corporate network: your Internet access would be outside the corporate
firewall.

2. If the network that you VPN into has more than one subnet, you'll
need to define routes to other subnets after disabling the default
gateway on the VPN connection.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
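To make Steve's two points concrete (the default-route metric contest, and note 2 about extra subnets), here is an added Python simulation of the route selection rule; it is not code from the thread, and the table and the 192.168.30.0/24 subnet are constructed around the addresses Dan posted.

```python
import ipaddress
from dataclasses import dataclass

LAN = "192.168.10.57"   # LAN adapter address from the thread
VPN = "192.168.20.101"  # VPN adapter address from the thread

@dataclass(frozen=True)
class Route:
    dest: str        # network destination, as "route print" lists it
    mask: str        # netmask in dotted form
    gateway: str
    interface: str
    metric: int

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.dest}/{self.mask}", strict=False)

    def add_command(self):
        """Equivalent Windows 'route add' line for this entry."""
        return f"route add {self.dest} mask {self.mask} {self.gateway} metric {self.metric}"

def select_route(table, dst):
    """Longest prefix match first; among equal prefixes the lowest metric wins.
    This is why the VPN default (metric 1) beats the LAN default (metric 21)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))

def egress_interface(table, dst):
    route = select_route(table, dst)
    return route.interface if route else None

# Constructed table approximating the thread's "route print" while the VPN is up.
VPN_UP = [
    Route("0.0.0.0", "0.0.0.0", "192.168.10.1", LAN, 21),   # LAN default route
    Route("0.0.0.0", "0.0.0.0", VPN, VPN, 1),                # default route added by the VPN
    Route("192.168.10.0", "255.255.255.0", LAN, LAN, 20),    # directly attached LAN
    Route("192.168.20.0", "255.255.255.0", VPN, VPN, 1),     # remote subnet behind the VPN
]

def without_vpn_default(table):
    """Effect of unchecking "Use default gateway on remote network":
    the VPN connection no longer installs its own 0.0.0.0 route."""
    return [r for r in table if not (r.dest == "0.0.0.0" and r.interface == VPN)]

# Steve's note 2: a second remote subnet (hypothetical 192.168.30.0/24) needs an explicit
# route once the VPN default is gone, or it falls through to the LAN default route.
EXTRA_SUBNET = Route("192.168.30.0", "255.255.255.0", VPN, VPN, 1)
```

Running `egress_interface` on `VPN_UP` versus `without_vpn_default(VPN_UP)` for an Internet address, a 192.168.20.x address and a 192.168.30.x address shows each of the three outcomes the thread describes.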
 

Atal

Dan,
You need to use split-tunneling on the VPN device that
you are connecting to. The split tunnel will "bounce back"
or by-pass all non-network related traffic. For example,
Cisco PIX firewalls use the split-tunnel keyword to
implement the same.

Regards,
Atal
 

Daniel Pratt

Thanks much for the timely responses. I'll look into it when I have a
minute.
 

Daniel Pratt

Steve, your suggestion to uncheck "Use default gateway on remote network"
seems to have had the desired effect -- with one problem: I get rejected by
our ISA (proxy) server when trying to browse to an external web page. My
best guess at this point is that IE sees there is a connection and therefore
ignores the LAN stuff, including the proxy settings. Is there some way to
tell IE to *ignore* certain dial-up/vpn connections?

Okay, it just occurred to me to try to set up the VPN connection to use the
proxy...and it worked. I'm somewhat annoyed with IE at this point.

Regards,
Dan