Split Tunnelling

I have one user on my office network that need to be connected to an VPN.
But she also needs access to her files/program on the network. So, she needs
to be on the office network and connected to the VPN simutenously. (Note:
she is not a remote user, she is physically in our office).

I found these articles explaining split tunneling
http://www.microsoft.com/technet/pro...fc0025ecc.mspx
http://www.microsoft.com/technet/com...uy/cg1003.mspx

The user is using XP Pro SP2. We are using Windows Server 2003. My
question is since only one user on the office network needs split tunnelling,
will all my other users be exempt from this?

First, if your LAN is a single subnet then you don't change anything. She
can still get to anything within her own subnet just fine even with the VPN
up.

If the LAN is multiple subnets then you would need the split tunneling. It
is just a "big word" for a simple thing. I didn't wast my time looking at
those articles,...all you do is go into her Properties of her Dialup VPN
Connection and uncheck (disable) "Use Gateway on Remote
Network",...there,...all done,...you are now using Split Tunneling. When it
is enabled (the default) you are not using Split Tunneling, when it is
disabled you are using Split Tunneling.

There can be a little more to it if the remote LAN has resources on multiple
subnets, but let's not go there unless we have to. In a nutshell, you just
add static routes on her local machine to cover for that.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Squid" <(E-Mail Removed)> wrote in message
newsC96D390-39E4-4029-B107-(E-Mail Removed)...
> I have one user on my office network that need to be connected to an VPN.
> But she also needs access to her files/program on the network. So, she
needs
> to be on the office network and connected to the VPN simutenously. (Note:
> she is not a remote user, she is physically in our office).
>
> I found these articles explaining split tunneling:
>
http://www.microsoft.com/technet/pro...fc0025ecc.mspx
> http://www.microsoft.com/technet/com...uy/cg1003.mspx
>
> The user is using XP Pro SP2. We are using Windows Server 2003. My
> question is since only one user on the office network needs split
tunnelling,
> will all my other users be exempt from this?
>
>

Yes, our LAN is a single subnet. The problem we were having is when she
would log onto the 3rd party's VPN, should would loose connection to our
network (and vice versa). The VPN is not Dialup, its connected via the
internet.

"Phillip Windell" wrote:

> First, if your LAN is a single subnet then you don't change anything. She
> can still get to anything within her own subnet just fine even with the VPN
> up.
>
> If the LAN is multiple subnets then you would need the split tunneling. It
> is just a "big word" for a simple thing. I didn't wast my time looking at
> those articles,...all you do is go into her Properties of her Dialup VPN
> Connection and uncheck (disable) "Use Gateway on Remote
> Network",...there,...all done,...you are now using Split Tunneling. When it
> is enabled (the default) you are not using Split Tunneling, when it is
> disabled you are using Split Tunneling.
>
> There can be a little more to it if the remote LAN has resources on multiple
> subnets, but let's not go there unless we have to. In a nutshell, you just
> add static routes on her local machine to cover for that.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "Squid" <(E-Mail Removed)> wrote in message
> newsC96D390-39E4-4029-B107-(E-Mail Removed)...
> > I have one user on my office network that need to be connected to an VPN.
> > But she also needs access to her files/program on the network. So, she
> needs
> > to be on the office network and connected to the VPN simutenously. (Note:
> > she is not a remote user, she is physically in our office).
> >
> > I found these articles explaining split tunneling:
> >
> http://www.microsoft.com/technet/pro...fc0025ecc.mspx
> > http://www.microsoft.com/technet/com...uy/cg1003.mspx
> >
> > The user is using XP Pro SP2. We are using Windows Server 2003. My
> > question is since only one user on the office network needs split
> tunnelling,
> > will all my other users be exempt from this?
> >
> >
>
>
>

"Squid" <(E-Mail Removed)> wrote in message
newsD8C26F8-8408-4C80-8A45-(E-Mail Removed)...
> Yes, our LAN is a single subnet. The problem we were having is when she
> would log onto the 3rd party's VPN, should would loose connection to our
> network (and vice versa). The VPN is not Dialup, its connected via the
> internet.

VPN is a "dialup" technology. The IP# = the "phone number" and the VPN
Adapter = the "dialup modem".

Then disable the "Use Gateway on Remote Network" as I said.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

in this case, you may do no thing except she has a problem to access the Internet or access remote resources. this may help, quoted from http://howtonetworking.com.

Split Tunnel issue in VPN

Situation: 1. After establishing a VPN connection, the VPN client can’t access the Internet.

2. After establishing a VPN connection, the VPN client can’t access other remote resources except the VPN server.

Analysis: by default, the VPN client adds the remote default route to its routing table and increases the metric of the existing default route to ensure that the remote default route is used. The remote default route points to the new connection, which ensures that any packets that are not addressed to the local LAN segment are sent to the remote network. In this case, the VPN client will not be able to access the Internet. Note: click here for example.

However, in other cases, if the VPN client doesn’t add the remote default route to its routing table or doesn’t increases the metric of the existing default route to ensure that the remote default route is used, the VPN client can’t reach the remote resources except the VPN server.

Resolutions: 1. On the VPN server, create a split tunnel to let the VPN client to access the Internet.

2. Alternatively, you can create batch file to delete the default router and another router for the remote network.

Case Study

Related Topics

VPN Browsing Issues
VPN Logon Issues
VPN Name Resolution
VPN as Router
VPN Routing Issues
VPN TCP/IP Settings
Ports for VPN
VPN/PPTP
VPN Slow Issues



Don't send e-mail or reply to me except you need consulting services. Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
I recommend Brinkster for web hosting!

"Squid" <(E-Mail Removed)> wrote in message newsC96D390-39E4-4029-B107-(E-Mail Removed)...
I have one user on my office network that need to be connected to an VPN.
But she also needs access to her files/program on the network. So, she needs
to be on the office network and connected to the VPN simutenously. (Note:
she is not a remote user, she is physically in our office).

I found these articles explaining split tunneling:
http://www.microsoft.com/technet/pro...fc0025ecc.mspx
http://www.microsoft.com/technet/com...uy/cg1003.mspx

The user is using XP Pro SP2. We are using Windows Server 2003. My
question is since only one user on the office network needs split tunnelling,
will all my other users be exempt from this?

It doesn't really make sense that you lose local connectivity when a VPN
connection is made. Local machines on the same subnet/segment use direct "on
the wire" connection which take priority over any routes. Are you sure it
isn't a name resolution problem? Can you ping local addresses by IP?

Phillip Windell wrote:
> "Squid" <(E-Mail Removed)> wrote in message
> newsD8C26F8-8408-4C80-8A45-(E-Mail Removed)...
>> Yes, our LAN is a single subnet. The problem we were having is when
>> she would log onto the 3rd party's VPN, should would loose
>> connection to our network (and vice versa). The VPN is not Dialup,
>> its connected via the internet.
>
> VPN is a "dialup" technology. The IP# = the "phone number" and the
> VPN Adapter = the "dialup modem".
>
> Then disable the "Use Gateway on Remote Network" as I said.