VPN client adds wrong route to local route table

Discussion in 'Windows Networking' started by snowdog_2112, Oct 29, 2005.

  1. snowdog_2112

    snowdog_2112 Guest

    Clients are WinXP sp2, VPN server is Win 2003.

    Clients are on 10.30.0.x
    Server is on 192.168.10.x network. Its IP is

    When I make a VPN connection from a 10.30.0.x host to the
    VPN server, I get a weird route in the client's routing table.

    It adds a route for the *server* IP, with the client's LAN gateway as
    the gateway.

    Before VPN Connection:
    Active Routes:
    Network Destination Netmask Gateway Interface
    Default Gateway:

    After connection:
    Active Routes:
    Network Destination Netmask Gateway Interface
    Default Gateway:

    Notice in the After table that there is a route for
    directed at The result is that I can ping anything on the
    192.168.10.x network *except* the server on

    I've tried this on an XP client to a Win2000 VPN server and did not
    experience the same issue. It seemed to just start happening here.

    Any help is appreciated.
    snowdog_2112, Oct 29, 2005

  2. snowdog_2112

    snowdog_2112 Guest

    Also thought I'd mention that changing Use Default Gateway on Remote
    Network in the VPN client config makes no difference to the route
    snowdog_2112, Oct 29, 2005

  3. snowdog_2112

    Bill Grant Guest

    That looks correct to me. The client should have a host route to the VPN
    server's "external" IP through the LAN gateway. That is where the encrypted
    and encapsulated data has to go for the VPN tunnel to work. You should be
    able to ping the server through the tunnel using its "virtual" IP. You can
    see what that is from the client. If you click on the connection icon it
    will show you both the client and server "virtual" IP addresses.

    The routing table you gave was probably made with the "use default
    gateway.." box cleared. Exactly what that setting does is explained in
    KB254231.
    Bill Grant, Oct 30, 2005
  4. snowdog_2112

    snowdog_2112 Guest

    The problem I have is that the DNS and WINS settings that get assigned
    on the PPP connection are the address of the VPN server,
    so any nslookups or WINS lookups fail because those requests are
    directed out the client's LAN gateway.

    What you're suggesting is that any traffic from the VPN client to the
    VPN server is sent outside the tunnel. Since only the VPN ports are
    open on the router, those operations fail. Yet if I direct an nslookup
    to another server on the network (on the same segment as the VPN
    server), the lookups work.

    I think I'm missing something.

    Also, as I mentioned, I made a VPN connection from another client to a
    different VPN server and did not get a route for the VPN server -- just
    the route for the private network with a gateway of the PPP IP.

    Please let me know if I'm missing something here.
    snowdog_2112, Oct 31, 2005
  5. snowdog_2112

    Bill Grant Guest

    The client usually gets the DNS and WINS addresses which are configured
    Bill Grant, Oct 31, 2005
  6. snowdog_2112

    snowdog_2112 Guest

    That's correct. The VPN server is the AD server and acts as DNS/WINS.
    There is another DC on that is running DNS and WINS.
    ....and get a valid response, but

    nslookup 192.168.10.10
    ....fails. I'm assuming because the traffic is going to over
    the client's interface because of that route on the client. is blocking all but 1723, GRE and ICMP (I can, incidentally,
    ping with the VPN connected).

    As a test, I denied ICMP at the router and pings to

    Incidentally, there is only one router between these segments -- in
    fact, the is one ethernet on the router and is a
    different ethernet on that same router. I don't see how that would
    cause this, but it occurred to me that it is worth mentioning.
    snowdog_2112, Oct 31, 2005
  7. snowdog_2112

    Bill Grant Guest

    You could try manually configuring the DNS and WINS addresses on the
    clients to point to the other server.
    Bill Grant, Oct 31, 2005
  8. snowdog_2112

    snowdog_2112 Guest

    I guess I'd be more interested in knowing how to fix the current issue
    -- I don't think I should be getting that route in the first place.
    I've not seen that in other VPN configurations I have done.
    snowdog_2112, Nov 1, 2005
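
The route selection discussed in this thread, as an added example that is not part of any post: a simplified longest-prefix-match lookup showing why a /32 host route to the VPN server sends that one address out the LAN gateway while the rest of 192.168.10.x goes through the tunnel. All addresses, metrics and function names are constructed assumptions, because the thread's real values are not shown.

```python
import ipaddress

# Constructed routing table modelled on the thread's description; every
# address below is an assumption, since the post's real values are not shown.
LAN_GW = "10.30.0.1"          # client's LAN gateway (constructed)
LAN_IF = "10.30.0.50"         # client's LAN interface address (constructed)
PPP_IF = "192.168.10.200"     # client's "virtual" tunnel address (constructed)
VPN_SERVER = "192.168.10.5"   # address the client dialled (constructed)

ROUTES_AFTER_CONNECT = [
    # (destination, gateway, interface, metric)
    ("0.0.0.0/0",        LAN_GW, LAN_IF, 20),  # normal default route
    ("10.30.0.0/24",     LAN_IF, LAN_IF, 20),  # on-link LAN
    ("192.168.10.0/24",  PPP_IF, PPP_IF, 1),   # remote network via the tunnel
    (VPN_SERVER + "/32", LAN_GW, LAN_IF, 20),  # host route the VPN client adds
]

def lookup(dest, routes=ROUTES_AFTER_CONNECT):
    """Pick the route for dest: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = []
    for net, gw, iface, metric in routes:
        network = ipaddress.ip_network(net)
        if addr in network:
            # Negative prefix length so min() prefers the most specific route.
            candidates.append((-network.prefixlen, metric, net, gw, iface))
    if not candidates:
        return None
    _, metric, net, gw, iface = min(candidates)
    return {"route": net, "gateway": gw, "interface": iface, "metric": metric}

def egress(dest, routes=ROUTES_AFTER_CONNECT):
    """Return 'tunnel' if dest leaves via the PPP interface, else 'lan'."""
    chosen = lookup(dest, routes)
    return "tunnel" if chosen["interface"] == PPP_IF else "lan"

if __name__ == "__main__":
    # The dialled server address, another host on its subnet, an Internet host.
    for dest in (VPN_SERVER, "192.168.10.20", "198.51.100.7"):
        print(dest, egress(dest), lookup(dest))
```

The host route's lower priority metric does not matter: prefix length is compared first, so DNS or WINS queries sent to the dialled address leave unencrypted via the LAN gateway and meet the router's filter, while queries to any other 192.168.10.x host are tunnelled.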
