seeing outside corporate network when on VPN

 
 
wbsurfver@yahoo.com
Guest
Posts: n/a

 
      01-29-2008, 12:31 AM

When I work at home, I connect to the company intranet through the
company VPN from either my condo or my mother's house. In both cases I
use a Netgear WGR614 wireless router. The VPN is located physically at
the company.

Once I am on the company intranet through the VPN, I can access the
company development websites, but I can't see the regular internet at
all. I would like to be able to see the regular internet as well as
the company intranet. What do I need to figure out?


Here is what ipconfig shows when I am not on the VPN:


C:\ugc\widget-bak\widgets>ipconfig

Windows IP Configuration


Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1

C:\ugc\widget-bak\widgets>



Here is what ipconfig shows when I am on the VPN. I edited the IP
address here for confidentiality, of course:

=============================

C:\ugc\widget-bak\widgets>ipconfig

Windows IP Configuration


Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1

PPP adapter Connect to my-company Corporate LAN - Go to webvpn.my-company.com instead of dialing directly:

Connection-specific DNS Suffix . : office.mycompany.com
IP Address. . . . . . . . . . . . : 10.6x.0.8x
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

C:\ugc\widget-bak\widgets>

 
 
 
 
 
dold@06.usenet.us.com
Guest
Posts: n/a

 
      01-29-2008, 12:51 AM
(E-Mail Removed) <(E-Mail Removed)> wrote:
> Once I am on the company intranet through the VPN, I can access the
> company development websites, but I can't see the regular internet at
> all. I would like to be able to see the regular internet as well as
> the company intranet. What do I need to figure out ?


When you are at work, can you get to the internet?

This is likely a feature of your company's VPN configuration. With
Nortel, it is called "Mandatory Tunnel Mode", where it is mandatory that
all traffic pass through the VPN tunnel. This is usually a good thing,
unless you have devices on your local network that you want to reach.

The alternative would be split tunneling, where you would be able to see
devices through the VPN, and also your original network.

You have no control over it, but the VPN admins probably do.


There's also another set, where you can get to the company VPN, maybe the
internet through them, and also are allowed access to your home network, if
it is of the prescribed address setting. I forget what that's called.
Soft Tunneling?

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
 
 
BigJim
Guest
Posts: n/a

 
      01-29-2008, 06:36 PM
You will not be able to surf the web as your company has blocked access to it
for security reasons. Most major companies do this. It may be a breach of
security to attempt a bypass and could result in being dismissed.

"(E-Mail Removed)" <(E-Mail Removed)> wrote in message
news:2f8acf5c-8e1b-446d-a3ad-(E-Mail Removed)...
>
> When I work at home, I connect to the company intranet through the
> company VPN from either my condo or my mother's house. In both cases I
> use a Netgear WGR614 wireless router. The VPN is located physically at
> the company.
>
> Once I am on the company intranet through the VPN, I can access the
> company development websites, but I can't see the regular internet at
> all. I would like to be able to see the regular internet as well as
> the company intranet. What do I need to figure out?
>
>
> Here is what ipconfig shows when I am not on the VPN:
>
>
> C:\ugc\widget-bak\widgets>ipconfig
>
> Windows IP Configuration
>
>
> Ethernet adapter Bluetooth Network Connection:
>
> Media State . . . . . . . . . . . : Media disconnected
>
> Ethernet adapter Local Area Connection:
>
> Media State . . . . . . . . . . . : Media disconnected
>
> Ethernet adapter Wireless Network Connection:
>
> Connection-specific DNS Suffix . :
> IP Address. . . . . . . . . . . . : 192.168.2.2
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.2.1
>
> C:\ugc\widget-bak\widgets>
>
>
>
> Here is what ipconfig shows when I am on the VPN. I edited the IP
> address here for confidentiality, of course:
>
> =============================
>
> C:\ugc\widget-bak\widgets>ipconfig
>
> Windows IP Configuration
>
>
> Ethernet adapter Bluetooth Network Connection:
>
> Media State . . . . . . . . . . . : Media disconnected
>
> Ethernet adapter Local Area Connection:
>
> Media State . . . . . . . . . . . : Media disconnected
>
> Ethernet adapter Wireless Network Connection:
>
> Connection-specific DNS Suffix . :
> IP Address. . . . . . . . . . . . : 192.168.2.2
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.2.1
>
> PPP adapter Connect to my-company Corporate LAN - Go to webvpn.my-company.com instead of dialing directly:
>
> Connection-specific DNS Suffix . : office.mycompany.com
> IP Address. . . . . . . . . . . . : 10.6x.0.8x
> Subnet Mask . . . . . . . . . . . : 255.255.255.255
> Default Gateway . . . . . . . . . :
>
> C:\ugc\widget-bak\widgets>
>



 
 
Jeff Liebermann
Guest
Posts: n/a

 
      01-30-2008, 03:34 AM
"(E-Mail Removed)" <(E-Mail Removed)> hath wroth:

> When I work at home, I connect to the company intranet through the
>company VPN from either my condo or my mother's house. In both cases I
>use a Netgear WGR614 wireless router. The VPN is located physically at
>the company.
>
> Once I am on the company intranet through the VPN, I can access the
>company development websites, but I can't see the regular internet at
>all. I would like to be able to see the regular internet as well as
>the company intranet. What do I need to figure out?


That's the usual way a VPN is set up. When you're connected to the
corporate LAN (through the VPN), then you do not have access to the
internet. You can tweak it by changing the setting for the default
gateway. There are two choices: use gateway on remote system and use
local gateway. The local gateway will give you internet access. It
will also probably violate the company's rules and open your system to
a grab bag of exploits and security issues. The worst would be to
bridge (or tunnel) between the internet and the corporate LAN,
essentially exposing the company network to the internet directly,
without the benefits of a firewall.

If you must surf the internet, disconnect from the corporate VPN, and
your default gateway will be restored to the local router, which will
give you internet access.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
 
dold@06.usenet.us.com
Guest
Posts: n/a

 
      01-30-2008, 05:42 AM
Jeff Liebermann <(E-Mail Removed)> wrote:
> That's the usual way a VPN is setup. When you're connected to the
> corporate LAN (through the VPN), then you do not have access to the
> internet.


I disagree. Your route to the internet is through the corporate LAN not
usually cut off. Most companies allow access to the internet.

> You can tweak it by changing the setting for the default gateway.


I disagree. If the corporate VPN is tunneled, you have no access to your
local LAN at all, including your own gateway.

Even with a split tunnel on a Nortel VPN, I can't change the routing once
the VPN is started. Some things I can set permanent routes for before I
connect the VPN, some are taken by the corporate VPN.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
 
 
Jeff Liebermann
Guest
Posts: n/a

 
      01-30-2008, 07:03 AM
(E-Mail Removed) hath wroth:

>Jeff Liebermann <(E-Mail Removed)> wrote:
>> That's the usual way a VPN is setup. When you're connected to the
>> corporate LAN (through the VPN), then you do not have access to the
>> internet.


>I disagree. Your route to the internet is through the corporate LAN not
>usually cut off. Most companies allow access to the internet.


Huh? I can't tell if you're suggesting that the route to the internet
must be through the corporate LAN, or if you're suggesting that it
might be. Either way will work because the only machines that should
be accessible through the VPN are those on the corporate LAN. Surfing
the web through the corporate LAN is not my idea of efficient use of
bandwidth.

>> You can tweak it by changing the setting for the default gateway.

>
>I disagree. If the corporate VPN is tunneled, you have no access to your
>local LAN at all, including your own gateway.


PPTP VPN TCP/IP setup has the option of "use default gateway on remote
network" as in:
<http://technet.microsoft.com/en-us/library/bb878117.aspx>
which explains how to get simultaneous internet and VPN access (split
tunnel), something I consider to be a generally bad idea. All other
VPN clients have a similar option.

>Even with a split tunnel on a Nortel VPN, I can't change the routing once
>the VPN is started. Some things I can set permanent routes for before I
>connect the VPN, some are taken by the corporate VPN.


Well yeah. Nortel and SecureNet based VPN clients have mandatory
settings that override any tinkering you attempt. However, know that
I can set up a VPN using the SecureNet client, NOT enable mandatory
settings, and tinker away merrily.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
 
Jeff Liebermann
Guest
Posts: n/a

 
      01-30-2008, 03:54 PM
Jeff Liebermann <(E-Mail Removed)> hath wroth:

>PPTP VPN TCP/IP setup has the option of "use default gateway on remote
>network" as in:


Incidentally, note that the OP's VPN IP setup has no default gateway:

Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1

Connection-specific DNS Suffix . : office.mycompany.com
IP Address. . . . . . . . . . . . : 10.6x.0.8x
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

which implies that it was never intended to be used for general
internet access and that all access was to be with systems in the
10.xxx.xxx.xxx private IP block (presumably on the corporate LAN).

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
 
stephen
Guest
Posts: n/a

 
      01-30-2008, 04:49 PM
"Jeff Liebermann" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> (E-Mail Removed) hath wroth:
>
> >Jeff Liebermann <(E-Mail Removed)> wrote:
> >> That's the usual way a VPN is setup. When you're connected to the
> >> corporate LAN (through the VPN), then you do not have access to the
> >> internet.

>
> >I disagree. Your route to the internet is through the corporate LAN not
> >usually cut off. Most companies allow access to the internet.

>
> Huh? I can't tell if you're suggesting that the route to the internet
> must be through the corporate LAN, or if you're suggesting that it
> might be. Either way will work because the only machines that should
> be accessible through the VPN are those on the corporate LAN. Surfing
> the web through the corporate LAN is not my idea of efficient use of
> bandwidth.


Corporate security teams don't care about efficiency - just "do it my way or
else"
>
> >> You can tweak it by changing the setting for the default gateway.

> >
> >I disagree. If the corporate VPN is tunneled, you have no access to your
> >local LAN at all, including your own gateway.

>
> PPTP VPN TCP/IP setup has the option of "use default gateway on remote
> network" as in:
> <http://technet.microsoft.com/en-us/library/bb878117.aspx>
> which explains how to get simultaneous internet and VPN access (split
> tunnel), something I consider to be a generally bad idea. All other
> VPN clients have a similar option.
>
> >Even with a split tunnel on a Nortel VPN, I can't change the routing once
> >the VPN is started. Some things I can set permanent routes for before I
> >connect the VPN, some are taken by the corporate VPN.

>
> Well yeah. Nortel and SecureNet based VPN clients have mandatory
> settings that override any tinkering you attempt. However, know that
> I can set up a VPN using the SecureNet client, NOT enable mandatory
> settings, and tinker away merrily.


The VPN server can be set up to force the "no split tunnel" option on
some products.

"No split tunnel" seems to override the routing table on a Cisco VPN client
so all the user traffic goes thru the tunnel.

There was a rash of VPN products that would "policy check" the client a few
years back.

The idea was the PC would have to have the right config running, virus
checker up to date etc, or it is not allowed onto the corp network until
that is fixed - it gets parked in a crippled DMZ where upgrades can be done
instead.
>
> --
> Jeff Liebermann (E-Mail Removed)
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558

--
Regards

(E-Mail Removed) - replace xyz with ntl


 
 
dold@06.usenet.us.com
Guest
Posts: n/a

 
      01-30-2008, 07:06 PM
Jeff Liebermann <(E-Mail Removed)> wrote:
> Huh? I can't tell if you're suggesting that the route to the internet
> must be through the corporate LAN, or if you're suggesting that it
> might be. Either way will work because the only machines that should
> be accessible through the VPN are those on the corporate LAN. Surfing
> the web through the corporate LAN is not my idea of efficient use of
> bandwidth.


Efficiency isn't the point, access is. By tunneling into the corporate
LAN, corporate filters and firewalls can be applied to all traffic, making
the internet a little safer place to visit.

Sonic.net has VPN to their server for all of their subscribing WiFi
clients. I think that is offered as a security against WiFi snooping.

> which explains how to get simultaneous internet and VPN access (split
> tunnel), something I consider to be a generally bad idea. All other
> VPN clients have a similar option.


If allowed by the VPN server that you are using. Even though my client
allows split tunneling, I couldn't use a split tunnel
until I was added to the configured list of users with that permission.

> Well yeah. Nortel and SecureNet based VPN clients have mandatory
> settings that override any tinkering you attempt. However, know that
> I can set up a VPN using the SecureNet client, NOT enable mandatory
> settings, and tinker away merrily.


I think not. You have to be able to configure the server as well.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
 
 
dold@06.usenet.us.com
Guest
Posts: n/a

 
      01-30-2008, 07:15 PM
Jeff Liebermann <(E-Mail Removed)> wrote:
> which implies that it was never intended to be used for general
> internet access and that all access was to be with systems in the
> 10.xxx.xxx.xxx private IP block (presumably on the corporate LAN).


I worked with a client whose VPN was _only_ for Lotus Notes. There was no
access to any other machine on their intranet.

Whatever... You don't get to choose what happens on the other side of the
VPN end point, and you might not get to choose what happens in your own
client.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
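
Added example, not written by any poster in this thread: the full-tunnel versus split-tunnel behaviour debated above, reduced to the route selection a client performs (longest prefix first, then lowest metric). The two route tables, their metrics, the stand-in VPN address 10.60.0.80 (for the redacted 10.6x.0.8x), the VPN server address 203.0.113.10 and both probe addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing tables: (destination, gateway, interface, metric).
# 192.168.2.x is the poster's home LAN; 10.60.0.80 stands in for the redacted
# VPN address 10.6x.0.8x; 203.0.113.10 is a made-up VPN server address.
LOCAL_IF, VPN_IF = "192.168.2.2", "10.60.0.80"
COMMON = [
    ("192.168.2.0/24", "on-link", LOCAL_IF, 25),
    ("203.0.113.10/32", "192.168.2.1", LOCAL_IF, 25),  # keeps the tunnel itself up
]
# "Use default gateway on remote network" ticked: VPN default route wins on metric.
FULL_TUNNEL = COMMON + [
    ("0.0.0.0/0", "192.168.2.1", LOCAL_IF, 4250),
    ("0.0.0.0/0", VPN_IF, VPN_IF, 1),
]
# Option cleared: only the corporate block is routed into the tunnel.
SPLIT_TUNNEL = COMMON + [
    ("0.0.0.0/0", "192.168.2.1", LOCAL_IF, 25),
    ("10.0.0.0/8", VPN_IF, VPN_IF, 1),
]

def egress(routes, dst):
    """Pick the route for dst: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = []
    for net, gateway, iface, metric in routes:
        network = ipaddress.ip_network(net)
        if addr in network:
            matches.append((network.prefixlen, -metric, iface, gateway))
    if not matches:
        return None
    _, _, iface, gateway = max(matches)
    return iface, gateway

def tunnel_mode(routes, vpn_if, internet_probe="198.51.100.7", corp_probe="10.1.2.3"):
    """Return 'full', 'split' or 'none' from where two probe addresses egress."""
    def via_vpn(dst):
        hit = egress(routes, dst)
        return hit is not None and hit[0] == vpn_if
    if via_vpn(corp_probe):
        return "full" if via_vpn(internet_probe) else "split"
    return "none"

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, tunnel_mode(table, VPN_IF), egress(table, "198.51.100.7"))
```

A client-side policy check of the kind described in the thread could run the same classification over the parsed output of `route print` and treat a result of "split" as non-compliant.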
 