A MS VPN is useless?

Tom wilson
06-06-2007, 04:43 PM
After weeks and weeks of poring over Microsoft documents, I have come
to the conclusion that a MS VPN is useless. Please tell me where I am
incorrect:

I have successfully established a VPN connection from my home to a
server at the office. I am connected but nothing works, nothing is
pingable. After much research I discover the problem.

My home network is 10.0.0.x based. So is the server farm at work.
When I ping our web server at 10.0.12, how does it know I don't want
the workstation at home with the same IP?

Dead end. I am not re-assigning the entire server farm's IP block and
I'm not asking home users to do the same on their end. That's
entirely impractical. If I did re-assign the entire server farm's IP
addressing, what do I change it to? 192.168.0.x? What about the home
user that uses this range?

Every place I've read tells me I'm SOL. Why does this technology
violate the standards it's based on and how could it ever be useful?

Thanks...


Scott Lowe
06-06-2007, 05:16 PM
In article <(E-Mail Removed)> Tom
wilson<(E-Mail Removed)> wrote:

> Every place I've read tells me I'm SOL. Why does this
> technology violate the standards it's based on and how could it ever be
> useful?
>


I don't think it violates any standards (not AFAIK), at least not in
regards to the behavior you're describing. That same behavior can be
observed in any number of operating systems in this kind of situation.
You will either a) need to give VPN users an IP address in a different
subnet, and make sure that is routable to your corporate network; or
b) tell your users they can't use 10.0.0.x for their home networks.
(I suppose you could re-address your server segment, but that's lunacy
to me.)

Regards,
Scott

--
I'm trying a new usenet client for Mac, Nemo OS X.
You can download it at http://www.malcom-mac.com/nemo


Tom wilson
06-06-2007, 05:43 PM
"a) need to give VPN users an IP address in a different
subnet, and make sure that is routable to your corporate network"

Ok, so I connect with the server and it gives my connection an IP
address of say, 189.38.45.12. I try to ping 10.0.0.12. There's still
the confusion of the identical subnets. Is it pinging the office
server or a home workstation? (well, it pings nothing)

"b) tell your users they can't use 10.0.0.x for their home networks."

That would be a similar form of lunacy. So ok, I'll correct my post
heading and remove the "MS" part since all VPNs are pretty much
useless. I can't see what anyone could possibly use this for or how
it could possibly work without re-assigning IP blocks all over the
place.

Back to the old drawing board...

Thanks for the reply!

DevilsPGD
06-06-2007, 07:49 PM
In message <(E-Mail Removed)> Tom wilson
<(E-Mail Removed)> wrote:

>Ok, so I connect with the server and it gives my connection an IP
>address of say, 189.38.45.12. I try to ping 10.0.0.12. There's still
>the confusion of the identical subnets. Is it pinging the office
>server or a home workstation? (well, it pings nothing)


No confusion at all, take a look at the metrics assigned to each
connection and you'll be able to tell which server will get pinged.

In general, with the default metrics, for newly established connections
(or new packets for stateless protocols), the connection will go out the
first VPN (sorted by highest speed of the parent connection of the VPN),
dialup, or ethernet (sorted by highest speed first) connection which has
a matching route.

It's actually a bit more complex than that, fire up a command prompt and
type "route print" to see the full listing of your current routes. In
general, the most specific (smallest subnet) wins, and the highest
metric wins. This means you can reroute individual IPs to go out one
connection or another, or all sorts of other funness.

This means it generally "just works" with the only typical side effect
being that although you can access all remote resources, only some local
resources will be available while the VPN is up (if there is an IP
conflict).

You can manually reroute using the "route" command to route an IP back
to the local LAN, or disconnect the VPN to access local resources.

>"b) tell your users they can't use 10.0.0.x for their home networks."
>
>That would be a similar form of lunacy. So ok, I'll correct my post
>heading and remove the "MS" part since all VPN's are pretty much
>useless. I can't see what anyone could possibly use this for or how
>it could possibly work without re-assigning IP blocks all over the
>place.
>
>Back to the old drawing board...
>
>Thanks for the reply!


VPNs aren't the problem, the problem is that you're not using globally
unique IP addresses. Personally, I moved to a couple obscure /24s in
the 172.16/19 to dodge this issue, but there is always a chance I'll
visit a client's site that uses this same range.

I've actually been at a hotel or hotspot or something that used the same
IP range as I did at home, and required me to keep a browser window
refreshing their homepage every few minutes or it would timeout and
require me to reauthenticate via a HTTP interface -- It was a blast!

The real solution is for everyone to use globally unique IPs. IPv6 may
make this feasible, although in the real world you'll see tons of folks
putting crap behind NAT using "private" IPs anyway.

--
If quitters never win, and winners never quit,
what fool came up with, "Quit while you're ahead"?
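The route selection DevilsPGD describes (most specific prefix first, then metric, with a host route to pull one local IP back to the LAN) worked through on a constructed routing table that mirrors this thread's overlapping 10.0.0.0/24 networks. This is an added example, not code from the thread; the table, interface names and metrics are assumptions, and it uses the Windows convention shown by "route print" in which the lower metric is preferred.

```python
import ipaddress

# Constructed routing table for the thread's scenario: the home LAN and the
# office server farm both use 10.0.0.0/24.  Each route is
# (destination prefix, interface, metric).  Lower metric is preferred.
ROUTES = [
    ("0.0.0.0/0",   "Ethernet", 25),  # default route via the home router
    ("10.0.0.0/24", "Ethernet", 25),  # home LAN, on-link
    ("10.0.0.0/8",  "VPN",      10),  # corporate 10/8 learned over the VPN
    ("10.0.0.0/24", "VPN",      10),  # same /24 as home, pushed by the VPN
]

def lookup(dst, routes=ROUTES):
    """Return the interface a packet to dst leaves on: the longest prefix
    wins, and among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    best_key, best_iface = None, None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)   # longer prefix, then lower metric
        if best_key is None or key > best_key:
            best_key, best_iface = key, iface
    return best_iface

def conflicts(routes=ROUTES):
    """Prefixes reachable via more than one interface.  Hosts under such a
    prefix on the losing interface are unreachable while the VPN is up,
    which is the 'only some local resources' side effect from the thread."""
    seen = {}
    for prefix, iface, _ in routes:
        seen.setdefault(prefix, set()).add(iface)
    return sorted(p for p, ifaces in seen.items() if len(ifaces) > 1)

def add_host_route(routes, host, iface, metric=1):
    """Equivalent of 'route add <host> mask 255.255.255.255 <gateway>':
    a /32 is the most specific prefix, so it beats both /24 entries."""
    return routes + [(f"{host}/32", iface, metric)]

if __name__ == "__main__":
    print(lookup("10.0.0.12"))            # VPN: office host wins the /24 tie
    print(conflicts())                    # ['10.0.0.0/24']
    fixed = add_host_route(ROUTES, "10.0.0.50", "Ethernet")
    print(lookup("10.0.0.50", fixed))     # Ethernet: one home host rerouted
```

Without the VPN's own 10.0.0.0/24 entry, the home /24 would beat the corporate /8 on prefix length and 10.0.0.12 would be sent to the home LAN, which is the "pings nothing" symptom from the first post.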

Tom wilson
06-07-2007, 03:20 PM
"The real solution is for everyone to use globally unique IPs. IPv6
may make this feasible, although in the real world you'll see tons of
folks putting crap behind NAT using "private" IPs anyway."

So they are useless. There sure is a lot of hype over something that's
completely pointless. Thanks for the reply, it saves me wasting any
more time on it.

Thanks!

DevilsPGD
06-08-2007, 04:32 PM
In message <(E-Mail Removed)> Tom wilson
<(E-Mail Removed)> wrote:

>So they are useless. There sure is a lot of hype over something thats
>completely pointless. Thanks for the reply, it saves me wasting any
>more time on it.


VPNs are far from useless.

Like a hammer, they're a tool. Hammers are very good at hammering in
nails, but less than useful at screwing in a screw. This doesn't make
the hammer useless, just the wrong tool for the job.

Like a hammer, VPNs only solve specific problems, and only work in
specific cases -- For those cases, they are extremely powerful tools.

--
If quitters never win, and winners never quit,
what fool came up with, "Quit while you're ahead"?