
VPN router to connect LAN to external network

member 141630
Hi,
I have head office running with a working VPN router for incoming connections - works fine. Uses Windows 2003 server PPTP.
I can connect fine using Windows VPN clients on an individual basis.

However....

I wish to connect the LAN of a remote office over the internet to the head office lan transparently so the users don't need to initiate connections. This means that remote users will be able to access our lan. All straightforward so far...

However, here's the catch - When the remote office wish to access the internet they end up going IN to the head office LAN via VPN and then out to the internet using the head office connection. This is very wasteful of bandwidth.

I'm looking for an 'all-in-one' solution that has routing rules so if the traffic is destined for a 'head office' address it goes via the VPN tunnel, but if the traffic is destined for an 'internet address' the traffic is routed via normal means.

The connections to the internet are all ADSL BTW.

I could of course leave the ADSL router intact, and set up two internal routers, one routing the VPN traffic and the other routing to the internet with appropriate routing tables but to have THREE devices to solve this issue is overkill (IMHO!!).

I can't find anyone offering an all-in-one solution to resolve this issue and I don't have the time to sit down and try to work out the Linux way of doing it! Also I'm not looking at spending too much money either!
 
This is a good question. This is a routing table issue. This quotation from may help.

VPN Routing Analysis

B. VPN Client Routing

Before connecting to the VPN server, all traffic except 192.168.0.0 will go through default gateway 192.168.0.1.

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.105 30
.............
Default Gateway: 192.168.0.1

After connecting to the VPN server with the 'Use default gateway on remote network' setting enabled, all traffic except 192.168.0.0 will go to the default gateway 192.168.1.3 (the IP assigned by the VPN server). If subnet 192.168.1.x doesn't point to the Internet default gateway, the VPN client won't be able to access the Internet.

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.105 31
0.0.0.0 0.0.0.0 192.168.1.3 192.168.1.3 1
67.203.43.194 255.255.255.255 192.168.0.1 192.168.0.105 30
............
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 50
..............
Default Gateway: 192.168.1.3

The VPN client may be able to access the Internet if you uncheck 'Use default gateway in remote network'. However, if your remote network resources are located in another subnet like 10.x.x.x, you may not be able to access the resources because the traffic goes to the default gateway 192.168.0.1.

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.105 30
67.203.43.194 255.255.255.255 192.168.0.1 192.168.0.105 30
.................
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 1
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 50
..................
Default Gateway: 192.168.0.1

To solve this problem, you may add the 10.0.0.0 subnet into the route table so that you can access the 10.0.0.0 network. To do this, type this command on the client: route add 10.0.0.0 mask 255.255.0.0 192.168.0.1. The route table looks like the one below after adding the 10.0.0.0 subnet.

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.105 30
10.0.0.0 255.255.0.0 192.168.1.3 192.168.1.3 1
67.203.43.194 255.255.255.255 192.168.0.1 192.168.0.105 30
.................
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 1
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 50
..................
Default Gateway: 192.168.0.1

Alternatively, to be able to access the Internet and also the 10.0.0.0 subnet, you may need to modify the route table manually. You may use the following commands: route delete 0.0.0.0, route add 10.0.0.0 mask 255.255.0.0 192.168.1.3 and route add 0.0.0.0 mask 0.0.0.0 192.168.0.1. After the modification, the VPN client should have this route table and the client will be able to access the remote network, the local network and the Internet:

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.105 1
10.0.0.0 255.255.0.0 192.168.1.3 192.168.1.3 1
67.203.43.194 255.255.255.255 192.168.0.1 192.168.0.105 30
.................
Default Gateway: 192.168.0.1





Robert Lin, MS-MVP, MCSE & CNE
Windows, Network, Internet, VPN, Routing and How to at
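The original question asks for head-office traffic to enter the tunnel while Internet traffic leaves via the local ADSL line, and the quoted routing analysis shows why that is purely a route-selection problem. The following is an added example (not code from either poster, and not a Windows component) that models the quoted route tables and applies the selection rule Windows uses: the longest matching prefix wins, and among routes with the same prefix the lowest metric wins. The 192.168.0.0/24 on-link route is an assumption standing in for rows the post elides with dots; all other addresses come from the quoted tables.

```python
"""Simulate route selection over the Windows route tables quoted in the post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR notation, e.g. "10.0.0.0/16"
    gateway: str
    interface: str
    metric: int


# Addresses taken from the quoted tables
LOCAL_GW = "192.168.0.1"        # LAN/ADSL default gateway
LOCAL_IF = "192.168.0.105"      # the client's LAN interface
VPN_IF = "192.168.1.3"          # address assigned by the VPN server
VPN_SERVER = "67.203.43.194"    # public address of the VPN server


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Pick the route Windows would use: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    best_key, best = None, None
    for r in routes:
        net = ipaddress.ip_network(r.destination, strict=False)
        if addr in net:
            key = (net.prefixlen, -r.metric)   # larger tuple = more specific / cheaper
            if best_key is None or key > best_key:
                best_key, best = key, r
    return best


def exit_path(routes: List[Route], dst: str) -> str:
    """'vpn' if the packet enters the tunnel, 'local' if it leaves via the LAN gateway."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    return "vpn" if r.gateway == VPN_IF else "local"


def full_tunnel_table() -> List[Route]:
    """Table after connecting with 'Use default gateway on remote network' ticked."""
    return [
        Route("0.0.0.0/0", LOCAL_GW, LOCAL_IF, 31),
        Route("0.0.0.0/0", VPN_IF, VPN_IF, 1),               # VPN default route, lower metric
        Route(VPN_SERVER + "/32", LOCAL_GW, LOCAL_IF, 30),   # host route: tunnel packets must not enter the tunnel
        Route("192.168.0.0/24", LOCAL_IF, LOCAL_IF, 30),     # assumed on-link LAN route (elided in the post)
    ]


def split_tunnel_table() -> List[Route]:
    """Table after the post's 'route delete 0.0.0.0' / 'route add ...' sequence."""
    return [
        Route("0.0.0.0/0", LOCAL_GW, LOCAL_IF, 1),
        Route("10.0.0.0/16", VPN_IF, VPN_IF, 1),             # head-office subnet via the tunnel
        Route(VPN_SERVER + "/32", LOCAL_GW, LOCAL_IF, 30),
        Route("192.168.1.0/24", VPN_IF, VPN_IF, 1),
        Route("192.168.0.0/24", LOCAL_IF, LOCAL_IF, 30),     # assumed on-link LAN route
    ]


def route_add_command(network_cidr: str, gateway: str) -> str:
    """Render the Windows 'route add <net> mask <mask> <gw>' line for a CIDR block."""
    net = ipaddress.ip_network(network_cidr, strict=False)
    return f"route add {net.network_address} mask {net.netmask} {gateway}"


if __name__ == "__main__":
    tables = (("full tunnel", full_tunnel_table()), ("split tunnel", split_tunnel_table()))
    for name, table in tables:
        for dst in ("10.0.5.7", "8.8.8.8", VPN_SERVER):
            print(f"{name:12} {dst:16} -> {exit_path(table, dst)}")
    print(route_add_command("10.0.0.0/16", VPN_IF))
```

Two things in the tables are worth noticing. The /32 host route to the VPN server's public address always points at the local gateway; without it the encapsulated packets would themselves be routed into the tunnel and the connection would collapse. And the split-tunnel table is what the original poster is asking a router to do for a whole LAN: only the head-office prefixes go through the tunnel, so the remote site's Internet traffic no longer passes through head office and its egress controls, which is the bandwidth saving and the trade-off in one.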
 
There's a simpler way to do this:

look up MS knowledgebase document 252735.

It explains how to configure IPsec tunnels in W2K Server (also works for 2003).

I've successfully configured an IPsec tunnel between two W2K servers AND between a W2K server and a DrayTek Vigor 2600.

For ease of terms I'd call it an IPsec router, because all the IPsec policy does is create static routes which are IPsec encrypted on the way.

No hardware VPN routers needed, although your current routers MUST support IPsec passthrough. W2K Server SP4 or Server 2003 required.

Try it, and let me know how it works out. I check in often, so if you need any help leave your email behind and I'll contact you.
 
Correction. I'd lose my head if it wasn't screwed on.

All it requires is two PCs with W2K Prof SP4.

All W2K and up products support IPsec policies.

Anyway, just read the MS document and if you need any advice on how to set this up just leave your email behind.
 