VPN client routing problem

 
 
Marcin
Guest
Posts: n/a

 
      10-16-2005, 10:31 PM
I have vpn server (Windows 2003 with RRAS) with 2 NICs.
First NIC is connected to LAN and second to internet.
I have also 2 internet connections with 2 routers.
First connection is only for vpn access (connected to public NIC on my VPN
server).
Second connection is used for internet access (http, ftp,...) and it is
connected to my LAN.
When I connect to VPN server I have no access to internet. I don't want to
disable 'use default gateway....' on my vpn client. I don't want also to use
my internet connection on VPN server for internet access.
I would like to set routing for vpn client so they use second router to
access internet.
I know that I can set routing on RRAS, but how to set default gateway only
for vpn clients?

regards,
Marcin
 
 
 
 
 
Robert L [MS-MVP]
Guest
Posts: n/a

 
      10-17-2005, 12:47 AM
It seems to me that you need a 3rd NIC or to manually set up the routing table, as in the following case:

routing
One router goes to the corporation email server and another one goes to the ...
Then, you add another router for the Internet access and want to use the ....
www.chicagotech.net/routing.htm

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Marcin" wrote:
> I have vpn server (Windows 2003 with RRAS) with 2 NICs.
> First NIC is connected to LAN and second to internet.
> I have also 2 internet connections with 2 routers.
> First connection is only for vpn access (connected to public NIC on my VPN
> server).
> Second connection is used for internet access (http, ftp,...) and it is
> connected to my LAN.
> When I connect to VPN server I have no access to internet. I don't want to
> disable 'use default gateway....' on my vpn client. I don't want also to use
> my internet connection on VPN server for internet access.
> I would like to set routing for vpn client so they use second router to
> access internet.
> I know that I can set routing on RRAS, but how to set default gateway only
> for vpn clients?
>
> regards,
> Marcin
 
 
Bill Grant
Guest
Posts: n/a

 
      10-17-2005, 12:58 AM
I am surprised that your setup works at all. Two internet connections
usually cause all sorts of odd routing problems.

I can't think of any way to get your VPN client to use the LAN router.
For VPN to work, the VPN server's default route must point out to the
internet through the public NIC. For internet access through the other
router to work, its default route would need to be pointing to the LAN
router via the LAN NIC. There is no way to satisfy both of these
requirements at the same time.

Marcin wrote:
> I have vpn server (Windows 2003 with RRAS) with 2 NICs.
> First NIC is connected to LAN and second to internet.
> I have also 2 internet connections with 2 routers.
> First connection is only for vpn access (connected to public NIC on
> my VPN server).
> Second connection is used for internet access (http, ftp,...) and it
> is connected to my LAN.
> When I connect to VPN server I have no access to internet. I don't
> want to disable 'use default gateway....' on my vpn client. I don't
> want also to use my internet connection on VPN server for internet
> access.
> I would like to set routing for vpn client so they use second router
> to access internet.
> I know that I can set routing on RRAS, but how to set default gateway
> only for vpn clients?
>
> regards,
> Marcin



 
 
Marcin
Guest
Posts: n/a

 
      10-17-2005, 09:11 PM
That's right, but maybe there exists some kind of software to set up routing based
on source address (vpn clients have ip addresses from private ip pool)?

"Bill Grant" wrote:

> I am surprised that your setup works at all. Two internet connections
> usually cause all sorts of odd routing problems.
>
> I can't think of any way to get your VPN client to use the LAN router.
> For VPN to work, the VPN server's default route must point out to the
> internet through the public NIC. For internet access through the other
> router to work, its default route would need to be pointing to the LAN
> router via the LAN NIC. There is no way to satisfy both of these
> requirements at the same time.
>
> Marcin wrote:
> > I have vpn server (Windows 2003 with RRAS) with 2 NICs.
> > First NIC is connected to LAN and second to internet.
> > I have also 2 internet connections with 2 routers.
> > First connection is only for vpn access (connected to public NIC on
> > my VPN server).
> > Second connection is used for internet access (http, ftp,...) and it
> > is connected to my LAN.
> > When I connect to VPN server I have no access to internet. I don't
> > want to disable 'use default gateway....' on my vpn client. I don't
> > want also to use my internet connection on VPN server for internet
> > access.
> > I would like to set routing for vpn client so they use second router
> > to access internet.
> > I know that I can set routing on RRAS, but how to set default gateway
> > only for vpn clients?
> >
> > regards,
> > Marcin

 
Bill Grant
Guest
Posts: n/a

 
      10-18-2005, 12:51 AM
What source address could you use? How can you know what public IP
address your remote client will connect from? The private address is of no
use. The VPN data is encrypted and encapsulated inside a packet with a
public IP in the header.

Marcin wrote:
> that's right, but maybe exists some kind of software to setup routing
> based on source address (vpn clients have ip addresses from private
> ip pool) ?
>
> "Bill Grant" wrote:
>
>> I am surprised that your setup works at all. Two internet
>> connections usually cause all sorts of odd routing problems.
>>
>> I can't think of any way to get your VPN client to use the LAN
>> router. For VPN to work, the VPN server's default route must point
>> out to the internet through the public NIC. For internet access
>> through the other router to work, its default route would need to
>> be pointing to the LAN router via the LAN NIC. There is no way to
>> satisfy both of these requirements at the same time.
>>
>> Marcin wrote:
>>> I have vpn server (Windows 2003 with RRAS) with 2 NICs.
>>> First NIC is connected to LAN and second to internet.
>>> I have also 2 internet connections with 2 routers.
>>> First connection is only for vpn access (connected to public NIC on
>>> my VPN server).
>>> Second connection is used for internet access (http, ftp,...) and it
>>> is connected to my LAN.
>>> When I connect to VPN server I have no access to internet. I don't
>>> want to disable 'use default gateway....' on my vpn client. I don't
>>> want also to use my internet connection on VPN server for internet
>>> access.
>>> I would like to set routing for vpn client so they use second router
>>> to access internet.
>>> I know that I can set routing on RRAS, but how to set default
>>> gateway only for vpn clients?
>>>
>>> regards,
>>> Marcin



 
 
Marcin
Guest
Posts: n/a

 
      10-18-2005, 09:32 PM
Hi Bill

I know what IP address is assigned to vpn client by vpn server, I don't
need to know what public IP they have. Based on this information I can say
"route packets from IP pool assigned by vpn server to LAN gateway" (this
should be configured on vpn server). Public IP addresses are still routed by
gateway assigned to NIC connected to internet.
It should work, but I haven't tools on Windows to do it.
(Cisco has 'Policy based routing' - with this feature you can set routing
based on source address).

Marcin

"Bill Grant" wrote:

> What source address could you use? How can you know what public IP
> address your remote client will connect from? The private address is of no
> use. The VPN data is encrypted and encapsulated inside a packet with a
> public IP in the header.
>
> Marcin wrote:
> > that's right, but maybe exists some kind of software to setup routing
> > based on source address (vpn clients have ip addresses from private
> > ip pool) ?
> >
> > "Bill Grant" wrote:
> >
> >> I am surprised that your setup works at all. Two internet
> >> connections usually cause all sorts of odd routing problems.
> >>
> >> I can't think of any way to get your VPN client to use the LAN
> >> router. For VPN to work, the VPN server's default route must point
> >> out to the internet through the public NIC. For internet access
> >> through the other router to work, its default route would need to
> >> be pointing to the LAN router via the LAN NIC. There is no way to
> >> satisfy both of these requirements at the same time.
> >>
> >> Marcin wrote:
> >>> I have vpn server (Windows 2003 with RRAS) with 2 NICs.
> >>> First NIC is connected to LAN and second to internet.
> >>> I have also 2 internet connections with 2 routers.
> >>> First connection is only for vpn access (connected to public NIC on
> >>> my VPN server).
> >>> Second connection is used for internet access (http, ftp,...) and it
> >>> is connected to my LAN.
> >>> When I connect to VPN server I have no access to internet. I don't
> >>> want to disable 'use default gateway....' on my vpn client. I don't
> >>> want also to use my internet connection on VPN server for internet
> >>> access.
> >>> I would like to set routing for vpn client so they use second router
> >>> to access internet.
> >>> I know that I can set routing on RRAS, but how to set default
> >>> gateway only for vpn clients?
> >>>
> >>> regards,
> >>> Marcin


 
Reply With Quote
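The routing decision debated in the posts above, modelled as an added example that is not part of the original thread: a destination-only table beside a source-based rule for the VPN address pool. All addresses, the pool range and the `forward` helper are constructed for illustration; this models the lookup only and is not a Windows or RRAS feature.

```python
import ipaddress

# Constructed addresses (assumptions, not taken from the thread).
VPN_POOL = ipaddress.ip_network("192.168.50.0/24")  # pool handed to VPN clients
PUBLIC_GW = "203.0.113.1"    # router behind the public NIC (VPN-only line)
LAN_GW = "192.168.1.254"     # router on the LAN (general internet line)

# Destination-based routing table of the VPN server: (prefix, next hop).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), PUBLIC_GW),  # default route faces the public NIC
    (ipaddress.ip_network("192.168.1.0/24"), "on-link LAN"),
    (VPN_POOL, "on-link VPN"),
]

# Source-based rule: traffic from the VPN pool leaves through the LAN router.
POLICY = [(VPN_POOL, LAN_GW)]


def forward(src, dst, policy=()):
    """Return the next hop for one packet.

    Longest-prefix match on the destination picks the route. A policy rule
    overrides it only when that route is the default route, so traffic to
    directly connected networks is never diverted (a simplification).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    net, hop = max(((n, h) for n, h in ROUTES if dst_ip in n),
                   key=lambda m: m[0].prefixlen)
    if net.prefixlen == 0:
        for src_net, policy_hop in policy:
            if src_ip in src_net:
                return policy_hop
    return hop


# Constructed sample packets: (description, source, destination).
PACKETS = [
    ("tunnel reply to client's public IP", "203.0.113.10", "198.51.100.7"),
    ("decapsulated client -> internet", "192.168.50.12", "192.0.2.80"),
    ("decapsulated client -> LAN host", "192.168.50.12", "192.168.1.20"),
]

if __name__ == "__main__":
    for desc, src, dst in PACKETS:
        print(f"{desc:36} table only: {forward(src, dst):14} "
              f"with policy: {forward(src, dst, POLICY)}")
```

With the table alone, decapsulated client traffic to the internet follows the same default route as the tunnel packets; only the source-based rule separates the two.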
 
Bill Grant
Guest
Posts: n/a

 
      10-18-2005, 11:44 PM
Then buy a Cisco!

Marcin wrote:
> Hi Bill
>
> I know what IP address is assigned to vpn client by vpn server, I
> don't need to know what public IP they have. Based on this
> information I can say "route packets from IP pool assigned by vpn
> server to LAN gateway" (this should be configured on vpn server).
> Public IP addresses are still routed by gateway assigned to NIC
> connected to internet.
> It should work, but I haven't tools on Windows to do it.
> (Cisco has 'Policy based routing' - with this feature you can set
> routing based on source address).
>
> Marcin
>
> "Bill Grant" wrote:
>
>> What source address could you use? How can you know what public
>> IP address your remote client will connect from? The private address
>> is of no use. The VPN data is encrypted and encapsulated inside a
>> packet with a public IP in the header.
>>
>> Marcin wrote:
>>> that's right, but maybe exists some kind of software to setup
>>> routing based on source address (vpn clients have ip addresses from
>>> private ip pool) ?
>>>
>>> "Bill Grant" wrote:
>>>
>>>> I am surprised that your setup works at all. Two internet
>>>> connections usually cause all sorts of odd routing problems.
>>>>
>>>> I can't think of any way to get your VPN client to use the LAN
>>>> router. For VPN to work, the VPN server's default route must point
>>>> out to the internet through the public NIC. For internet access
>>>> through the other router to work, its default route would need to
>>>> be pointing to the LAN router via the LAN NIC. There is no way to
>>>> satisfy both of these requirements at the same time.
>>>>
>>>> Marcin wrote:
>>>>> I have vpn server (Windows 2003 with RRAS) with 2 NICs.
>>>>> First NIC is connected to LAN and second to internet.
>>>>> I have also 2 internet connections with 2 routers.
>>>>> First connection is only for vpn access (connected to public NIC
>>>>> on my VPN server).
>>>>> Second connection is used for internet access (http, ftp,...) and
>>>>> it is connected to my LAN.
>>>>> When I connect to VPN server I have no access to internet. I don't
>>>>> want to disable 'use default gateway....' on my vpn client. I
>>>>> don't want also to use my internet connection on VPN server for
>>>>> internet access.
>>>>> I would like to set routing for vpn client so they use second
>>>>> router to access internet.
>>>>> I know that I can set routing on RRAS, but how to set default
>>>>> gateway only for vpn clients?
>>>>>
>>>>> regards,
>>>>> Marcin



 
 
circle
Guest
Posts: n/a

 
      11-25-2005, 03:23 AM
Hi! I am not an expert on this issue but I would like to give it a try.
Please don't hesitate to point out if I made a mistake.

Are you using the IPSec VPN client? If yes, the packet will be encrypted and
encapsulated in a packet with the destination IP address being that of the VPN
server. In theory the OS will only know that the packet is being sent to the
VPN server (not the other internet IP addresses used in the VPN). Therefore you can
just add a route to the IP address of the VPN server via your preferred
gateway, leaving the default gateway as the one you use to access the
internet.

--
circle


"Marcin" wrote:

> I have vpn server (Windows 2003 with RRAS) with 2 NICs.
> First NIC is connected to LAN and second to internet.
> I have also 2 internet connections with 2 routers.
> First connection is only for vpn access (connected to public NIC on my VPN
> server).
> Second connection is used for internet access (http, ftp,...) and it is
> connected to my LAN.
> When I connect to VPN server I have no access to internet. I don't want to
> disable 'use default gateway....' on my vpn client. I don't want also to use
> my internet connection on VPN server for internet access.
> I would like to set routing for vpn client so they use second router to
> access internet.
> I know that I can set routing on RRAS, but how to set default gateway only
> for vpn clients?
>
> regards,
> Marcin

 