VPN Clients and subnet, NOT the usual "255.255.255.255 subnet mask" question!

snowdog_2112
09-08-2006, 02:08 PM
Greetings,

I have my Windows VPN client properties set to *NOT* use the default
gateway on remote network (for policy reasons). The RAS server is a
Win2000 Server. The RAS server is handing out IPs from its own pool.
The netmask on the pool is 255.255.255.192.

I get the typical route for the VPN address with the host mask
(255.255.255.255). I also get a route for the class C of the RAS
server, with gateway of my client IP.

0.0.0.0          0.0.0.0          10.175.192.97   10.175.192.113  10   <=== Local IP
10.175.192.96    255.255.255.224  10.175.192.113  10.175.192.113  10
10.175.192.113   255.255.255.255  127.0.0.1       127.0.0.1       10
192.168.89.0     255.255.255.0    192.168.89.7    192.168.89.7    1    <=== VPN IP
192.168.89.7     255.255.255.255  127.0.0.1       127.0.0.1       50

The problem is, the RAS server's subnet mask is not 255.255.255.0, but
is really 255.255.240.0. The LAN is in a larger subnet than a single
class C.

Therefore, my VPN cannot reach any devices on the LAN that are between
192.168.80.0 and 192.168.88.255, even though they are on the same LAN.
If I manually add a route at the client ("route add 192.168.80.0 mask
255.255.240.0 192.168.89.7" in this case), it works fine.

Question 1: can I have the RAS server assign that static route using
the IP assigned to the VPN client as the gateway -- without enabling
the "use default gateway on remote network"?

Question 2: Why am I getting a route for the class C? Is this because
I am *not* using the default gateway on remote network?

Thanks.

Phillip Windell
09-08-2006, 02:58 PM
"snowdog_2112" wrote in message:
> Question 1: can I have the RAS server assign that static route using
> the IP assigned to the VPN client as the gateway -- without enabling
> the "use default gateway on remote network"?


No.

> Question 2: Why am I getting a route for the class C?


You're not supposed to.

> Is this because I am *not* using the default gateway on remote network?


Yes. That is exactly why. It is a security risk to not enable that,...that
is why it is enabled by default. This is all designed the way it is on
purpose. Without it, you will have to manually add a route at the client
(every VPN client) as you described earlier.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


snowdog_2112
09-08-2006, 04:36 PM
Hey, thanks for the quick response!

I was thinking the "use default gateway" option was not as good because
it forces *all* of the traffic from the VPN client out my Internet
connection. I have 3rd party people in, and I don't want to be
providing Internet access for them -- what if they are VPN'd in and
download porn over my connection?

Isn't it safer to just have them access my network over the VPN
connection and use the internet out their own connection (split tunnel,
so to speak)?

Please correct me if I'm missing something here. Thanks!


Phillip Windell
09-08-2006, 06:22 PM
"snowdog_2112" wrote in message:
> I was thinking the "use default gateway" option was not as good because
> it forces *all* of the traffic from the VPN client out my Internet
> connection.


No. It forces all traffic not destined to your personal machine's own local
subnet through the VPN. That's not quite the same thing although it may
seem subtle.

> I have 3rd party people in, and I don't want to be
> providing Internet access for them -- what if they are VPN'd in and
> download porn over my connection?


That is up to you to not allow that to happen. See below.

> Isn't it safer to just have them access my network over the VPN
> connection and use the internet out their own connection (split tunnel,
> so to speak)?


The design is meant to protect the network being "VPN'ed" into. It is not to
protect the local personal machine. You fool around on the Net
independently,..get infected with something,...spread it to the LAN you
VPN'ed into. By forcing the non-local traffic over the VPN, the remote LAN
you connect to is able to filter your evil browsing habits using whatever
product or means they have in place to do that. For example,...if you VPN
into our system I can completely prevent you from browsing the Internet
totally if I wish,...problem solved.

Remember that even if you have a proxy server configured in your Browser's
"LAN/Connection" settings,...these will be ignored while the VPN is active.
VPN is a "dialup" technology,...if you look in the browser settings you will
see the VPN and other Dialup Connections if they exist. If you look at the
"Settings" of each one you will find that they each have their own
independent proxy settings,...so if you VPN into my system you have to
assign proxy settings to that particular VPN Connectoid and would have to use
my proxy and fall under the restrictions that I set on that proxy. The "use
remote gateway" prevents you from "sidestepping" my proxy and going to the
Internet independently and possibly spreading some infection to me. However
unchecking that box causes you to not get anywhere on my LAN beyond the
particular subnet that you "dialed into". Hence some Admins have specific
small subnets that accept the VPN dialins but leave the user "trapped" there
if the "use remote gateway" is not enabled.

BTW - This is all "old stuff". Back in the days when dialup was popular
this all worked the same way. VPN is just a new form of Dialup and falls
under the same principles.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Bill Grant
09-09-2006, 01:35 AM
To get back to a question in the original post, it was asked why you get
a 24-bit subnet mask for your subnet route. The reason is that this mask is
generated by the client machine itself. The mask depends solely on the address
it receives. It does not get the subnet mask address from the server.

Since the subnet mask depends only on the received IP it uses the old
class rules. So if it gets a 192.168.x.y address it uses a 24-bit mask. If
it gets a 10.x.y.z address it uses an 8-bit mask. As Phillip said this is
old stuff. It was a bit different in NT/W98. There is a description of the
differences in KB 254231.

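The thread describes three behaviours: the client derives a classful mask from the address it is handed (Bill Grant's point), so only the /24 containing the VPN address is routed over the tunnel; a manual "route add" for the real /20 fixes that; and "use default gateway on remote network" sends everything except the machine's own local subnet through the tunnel (Phillip's point). The following is an added example, not code from the thread or from Windows, that models the client's route table with the addresses from the posted route print and checks where packets would leave. The LAN behind the RAS server is assumed to be 192.168.80.0/20 as the original poster states; the route metrics used to make the VPN default route win are constructed for the model, not read from the post.

```python
"""Added example: model the Windows VPN client's IPv4 route table from the
thread and check which destinations would go over the tunnel.

Constructed assumptions: the LAN behind the RAS server is 192.168.80.0/20
(mask 255.255.240.0, as the poster says); route metrics are chosen so that
the model reproduces the documented behaviour, they are not real values.
"""
import ipaddress

# Addresses taken from the route print in the original post.
LOCAL_IP = ipaddress.ip_address("10.175.192.113")
LOCAL_GW = ipaddress.ip_address("10.175.192.97")
VPN_IP = ipaddress.ip_address("192.168.89.7")
REMOTE_LAN = ipaddress.ip_network("192.168.80.0/20")  # assumed from the post


def classful_mask(ip):
    """Prefix length the client infers from the address alone (pre-CIDR
    class rules): first octet < 128 -> /8, < 192 -> /16, otherwise /24.
    The client never learns the server-side mask."""
    first = int(ipaddress.ip_address(ip)) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    return 24


def client_routes(use_default_gateway=False, extra_routes=()):
    """Client route table as (network, next_hop, interface, metric) tuples.

    Local LAN and local default route come from the posted route print; the
    VPN subnet route is the one the client generates itself from
    classful_mask(). Metrics are constructed: with 'use default gateway on
    remote network' set, the VPN default route (metric 1) beats the local
    default (metric 10)."""
    vpn_net = ipaddress.ip_network(f"{VPN_IP}/{classful_mask(VPN_IP)}", strict=False)
    routes = [
        (ipaddress.ip_network("10.175.192.96/27"), LOCAL_IP, LOCAL_IP, 10),
        (vpn_net, VPN_IP, VPN_IP, 1),
        (ipaddress.ip_network("0.0.0.0/0"), LOCAL_GW, LOCAL_IP, 10),
    ]
    if use_default_gateway:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), VPN_IP, VPN_IP, 1))
    for net in extra_routes:  # e.g. the poster's manual 'route add'
        routes.append((ipaddress.ip_network(net), VPN_IP, VPN_IP, 1))
    return routes


def egress_interface(dst, routes):
    """Longest-prefix match with metric as tie-breaker; returns the
    interface address a packet to dst would leave from."""
    dst = ipaddress.ip_address(str(dst))
    matches = [r for r in routes if dst in r[0]]
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[2]


def lan_subnets_not_via_vpn(routes):
    """/24 slices of the real LAN whose hosts would leave via the local
    interface instead of the tunnel, i.e. the hosts the poster cannot reach."""
    return [str(sub) for sub in REMOTE_LAN.subnets(new_prefix=24)
            if egress_interface(sub.network_address + 1, routes) != VPN_IP]


def route_add_command(net=REMOTE_LAN):
    """The manual client-side fix from the post, in Windows 'route' syntax."""
    return f"route add {net.network_address} mask {net.netmask} {VPN_IP}"


if __name__ == "__main__":
    cases = [
        ("split tunnel, no extra route", client_routes()),
        ("split tunnel + manual /20 route", client_routes(extra_routes=[str(REMOTE_LAN)])),
        ("use default gateway on remote network", client_routes(use_default_gateway=True)),
    ]
    for label, routes in cases:
        print(f"{label}:")
        print("  LAN /24s not reachable over the tunnel:", lan_subnets_not_via_vpn(routes) or "none")
        print("  8.8.8.8 leaves via:", egress_interface("8.8.8.8", routes))
        print("  10.175.192.100 (local LAN) leaves via:", egress_interface("10.175.192.100", routes))
    print(route_add_command())
```

Running it shows the three situations side by side: with the plain split tunnel, 15 of the 16 /24s in the /20 never enter the tunnel; the manual /20 route sends the whole LAN over the VPN while Internet traffic still leaves locally; and with the remote default gateway enabled, Internet traffic goes through the tunnel but the machine's own 10.175.192.96/27 stays local, which is the distinction Phillip draws.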