Saturday, June 14, 2008

Split-Tunneling for PPTP vpn clients

As far as I can tell, split-tunneling isn't supported by the Windows XP VPN client. By split-tunneling I mean sending traffic destined for the private network through the encrypted tunnel while sending all other traffic over the VPN client's local gateway. What this means is that remote users who connect via VPN can access private/company network resources but CAN'T access the internet (this setup has no router, just a PIX firewall). This is a real bummer for users; they have to repeatedly disconnect and then reconnect just to access the internet while they're working on the company network.
Windows XP's VPN client bumps up the metric of the client's local default gateway (from 1 to 11 on my machine) and adds the new VPN pool address as the new default gateway. This can be seen in the output of "route print" from a command prompt: there will be two 0.0.0.0 0.0.0.0 entries, the original default gateway (metric 11) and the VPN pool default gateway (metric 1). Since the route with the lowest metric wins, all traffic gets routed over the VPN tunnel.
However, if the VPN address pool overlaps the private network pool, then Windows adds a network route (a route for all packets destined for that network) instead of a default route (0.0.0.0 0.0.0.0 = the route to use if nothing else matches). So traffic destined for the company/private network gets routed through the tunnel and all other traffic uses the client's local gateway. Be sure to disable the "Use default gateway on remote network" TCP/IP option in the XP VPN connection settings, otherwise clients won't be able to access the internet.
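
To make the two routing-table situations above concrete (the two 0.0.0.0 default routes decided by metric, versus a network route for the private subnet next to the client's own default route), here is an added example that is not part of the original post. It parses two constructed excerpts laid out like XP's "route print" output and applies Windows' selection rule (longest prefix match first, lowest metric as the tie-breaker) to a private address and to an internet address. All addresses are assumptions: 192.168.1.0/24 for the client's LAN, 10.0.0.0/8 for the company network, 10.10.10.5 for the VPN pool address, and 203.0.113.10 standing in for an internet host; the metrics are likewise constructed.

```python
"""Model Windows route selection over 'route print' tables.

Added example, not code from the post. The two tables are constructed, not
copied from the post; every address and metric in them is an assumption
chosen to illustrate full-tunnel versus split-tunnel routing.
"""
import ipaddress

# Constructed excerpt in the layout of XP's "route print": the VPN client has
# raised the LAN default route's metric to 11 and added a second default route
# over the tunnel with metric 1 ("Use default gateway on remote network" on).
FULL_TUNNEL_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20      11
          0.0.0.0          0.0.0.0       10.10.10.5      10.10.10.5       1
      192.168.1.0    255.255.255.0     192.168.1.20    192.168.1.20      10
"""

# Constructed table for the split-tunnel case: the option is disabled, so the
# client installs a network route for the company network (assumed 10.0.0.0/8)
# over the tunnel instead of a second default route.
SPLIT_TUNNEL_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20       1
         10.0.0.0        255.0.0.0       10.10.10.5      10.10.10.5       1
      192.168.1.0    255.255.255.0     192.168.1.20    192.168.1.20      10
"""


def parse_route_print(text):
    """Parse the five-column route rows; the header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        routes.append({
            # ipaddress accepts a dotted netmask after the slash
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def select_route(routes, dst):
    """Longest prefix match first, then the lowest metric, as Windows does."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["network"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def egress_interface(table_text, dst):
    """Return the interface address a packet to dst leaves through, or None."""
    route = select_route(parse_route_print(table_text), dst)
    return route["interface"] if route else None


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL_TABLE),
                        ("split tunnel", SPLIT_TUNNEL_TABLE)):
        for dst in ("10.20.30.40", "203.0.113.10"):
            print(f"{name:13} {dst:>14} -> via {egress_interface(table, dst)}")
```

With the full-tunnel table both destinations leave via 10.10.10.5, because the two 0.0.0.0 routes tie on prefix length and the metric-1 tunnel route wins; with the split-tunnel table only the 10.x destination takes the tunnel (the /8 route is more specific than the default route) and the internet host goes out through the LAN interface.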