DHCP Classless Static Routes

 
 
J. Smith
      09-20-2006, 11:32 PM
I am using Windows 2000 RRAS for my VPN Server. Its internal Network
interface is 192.168.0.52. My VPN clients connect directly to the RRAS
Server's external interface, and receive a DHCP Address from the internal
DHCP Server, and can successfully access any host/system on the
192.168.0.x/24 subnet across the VPN.

However, I need them to additionally access 192.168.1.x/24. All internal
client PCs can access this with DHCP option 3, their default gateway.
Getting this route to the VPN Clients using DHCP Option 33 is not working,
and I don't want to enable "use default gateway on remote network" for my
VPN Clients.

I'd like to implement Option 121 or 249 on my Windows 2000 Server DHCP
Server, but cannot find an article on exactly how to set that up. Our
upgrade to Windows 2003 isn't going to happen for some time, so I cannot
wait until then.

Can anyone identify for me how to implement Option 121 or Option 249 on a
Windows 2000 DHCP Server for use with Windows 2000 RRAS VPN Clients?


 
Bill Grant
      09-20-2006, 11:49 PM
None of that will do you any good. Remote clients don't work like LAN
clients.

The only way to do it (without enabling "use default gateway..") is to
add a route to the client, so that the traffic for the additional subnet is
sent across the VPN link. This is not simple, because you can't just add a
static route to the client (because you don't know the gateway address until
the client connects. The gateway address is the "received" IP.) You probably
need to use a script which can plug the correct IP address into a route
command after it connects. See KB 254231 for details of how the routing
works on remote access clients.

You may be able to do this sort of thing using CMAK.

 
J. Smith
      09-21-2006, 12:20 AM
Soooooo??? Does that mean Option 249 with Windows 2003 isn't going to work?

Is there any way to get the VPN Clients in RRAS to assume 192.168.0.0/21
instead of 192.168.0.0/24 as their subnet, rather than adding routes then?

Is there a MS trick for how to deploy RRAS as a VPN Server in multiple
subnet networks?

 
Phillip Windell
      09-21-2006, 12:36 AM
"J. Smith" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Soooooo??? Does that mean Option 249 with Windows 2003 isn't going to
> work?
>
> Is there any way to get the VPN Clients in RRAS to assume 192.168.0.0/21
> instead of 192.168.0.0/24 as their subnet, rather than adding routes then?
>
> Is there a MS trick for how to deploy RRAS as a VPN Server in multiple
> subnet networks?


Enabling "use default gateway on remote network" *is* the trick. That is how
it was meant to work.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Bill Grant
      09-21-2006, 11:11 PM
Did you read the KB?

 
Bill Grant
      09-22-2006, 12:23 AM
As the KB points out, the subnet mask depends entirely on the received
IP. If you were using 10. addresses you would get an 8-bit subnet mask and
it would work. Similarly 172.16 addresses would get you a 16-bit mask and it
would work. 192.168. addresses will get you a 24-bit mask.

 
J. Smith
      09-22-2006, 11:31 AM
I understand by initial design, RRAS implements/supports routing based on
the IP Class given to its Clients. As Bill mentions. If I am trying to
route a 21 bit subnet mask, I must have a moderately complex and large
network of systems within the network, making it unbearable to change this.

This all being said, I still believe since we subnet to the Class C, and in
many cases subnet the actual Class C, and route between them on a layer 3,
this is still within the "theoretical" implementation ideology of the subnet
class standards. With this in mind, isn't this why RFC 3442 was drafted for
DHCP Option 249 "Classless Routes"? Even more so, shouldn't there be a way
to implement a subnet mask only for VPN Clients on the VPN Server in the
"relay agent's" settings?

While I completely agree with Phillip, that the "use default gateway on
remote network" client setting does the trick, this does not satisfy my need
to allow my users to use their own internet connection for their needs while
connected to our VPN. We time out idle sessions after 20 min of inactivity,
and only allow UDP 53 (for name resolution) and TCP 3389 (for RDP) across
the tunnel. Therefore, my "concern" for the connection to be hijacked by a
hacking attempt on their computer is very minimal. We're using Microsoft
PPTP for crying out loud. There are droves of security consultants that
would start their fix by nixing MS altogether. I on the other hand
completely disagree with these "so-called" security experts, and further
endorse that unless ANY vpn client implements 2-factor authentication, they
are all equally weak. But this is not the subject of my concern.

I am looking for validation that Option 249 when assigned to the DHCP Remote
Access Class, on a Windows 2003 DHCP server will work for my VPN routing
issue. And if so, is there any possible way to implement this on a Windows
2000 Server? Or even use Option 33 or 121 for just RRAS Clients. Furthermore,
if it will only work with Windows 2003 DHCP server, does this also
imply that the RRAS server won't support handout of these options unless it
also is Windows 2003?

Thanks everyone for your terrific ideas! As a previous contract employee at
MS, I'll continue to support MS, as long as MS continues to deliver the
support to the community. So I look forward to your knowledge.

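An added example, not written by any poster in the thread: it models the classful route Bill Grant describes (mask derived from the received IP) and encodes the subnet that route misses in the RFC 3442 classless static route layout (option 121; Microsoft's option 249 carries the same layout). The received address 192.168.0.101 and the use of 192.168.0.52 as the next hop are assumptions made for illustration.

```python
import ipaddress

def classful_network(ip):
    """Network implied by the address class alone (class A, B or C)."""
    first_octet = ipaddress.IPv4Address(ip).packed[0]
    if first_octet >= 224:
        raise ValueError(f"{ip} is not a class A, B or C address")
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)

def uncovered_subnets(received_ip, needed):
    """Subnets outside the classful route derived from the received IP."""
    implied = classful_network(received_ip)
    return [s for s in needed if not ipaddress.IPv4Network(s).subnet_of(implied)]

def encode_classless_routes(routes):
    """RFC 3442 data: prefix length, significant destination octets, router."""
    data = bytearray()
    for destination, router in routes:
        net = ipaddress.IPv4Network(destination)  # rejects host bits in the prefix
        data.append(net.prefixlen)
        data += net.network_address.packed[:(net.prefixlen + 7) // 8]
        data += ipaddress.IPv4Address(router).packed
    return bytes(data)

def decode_classless_routes(data):
    """Parse option data back into (destination, router) pairs."""
    data = bytes(data)
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        octets = (prefixlen + 7) // 8
        if prefixlen > 32 or i + 5 + octets > len(data):
            raise ValueError(f"malformed route entry at offset {i}")
        dest = ipaddress.IPv4Address(data[i + 1:i + 1 + octets] + bytes(4 - octets))
        router = ipaddress.IPv4Address(data[i + 1 + octets:i + 5 + octets])
        net = ipaddress.IPv4Network(f"{dest}/{prefixlen}", strict=False)
        routes.append((str(net), str(router)))
        i += 5 + octets
    return routes

# Constructed inputs: the two subnets named in the thread, an assumed received
# IP, and the RRAS internal interface 192.168.0.52 assumed as the next hop.
NEEDED = ["192.168.0.0/24", "192.168.1.0/24"]
ROUTER = "192.168.0.52"

if __name__ == "__main__":
    extra = uncovered_subnets("192.168.0.101", NEEDED)
    option = encode_classless_routes([(s, ROUTER) for s in extra])
    print(extra, option.hex(" "))
    print(decode_classless_routes(option))
    print(uncovered_subnets("10.0.0.101", ["10.0.0.0/24", "10.0.1.0/24"]))
```

The bytes show only the wire format; whether a remote access client requests and honours the option is the question the thread leaves open.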
 
 
 