RE: Help Please!

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 10 Jan 2002 22:20:41 +0100

Hi guys,

You certainly need to read Thaddeus Fortenberry's book about W2K virtual
private networking (see my previous mail). Then you will understand how it
works (client-side routing). There's nothing wrong with it, but you have to
take it into account when designing your VPN. I will try to highlight the
important points.

The VPN client gets his/her IP address, DNS and WINS from a static pool or a
DHCP server (internal network). A subnet mask is not given to the client!
Therefore you will see a subnet mask of 255.255.255.255 (host entry) when
doing a route print on the client.

If on the client 'use default gateway on remote network' is checked, the VPN
client will get a new default gateway which points to the tunnel interface.
So, all requests not for the 'local net' (as seen by the client) will be routed
through the tunnel to the VPN server. No split tunneling is possible. In
other words, the VPN client can, when the tunnel is active, no longer
communicate directly with other remote networks (i.e. the Internet). This is
very good from a security point of view.

However, if on the VPN client 'use default gateway on remote network' is NOT
checked, it becomes a little bit tricky. The client gets a route to the
classful network ID from which it got an IP address. An example: the client
gets IP address 10.1.2.3 (out of a pool 10.1.2.0/24) and on the client you
will find a new route to 10.0.0.0/8 which points to the tunnel interface.
Suppose now that the central internal network also has another subnet,
128.1.0.0/16. How can we tell the client to route to that subnet through the
tunnel? There is at this moment no easy way to do it.

Conclusion: as long as 'use default gateway on remote network' is checked,
you will have no problems!

Hope this helps a little bit...
Stefaan

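The routing behaviour Stefaan describes above, as an added worked example that is not part of the original post or of any Microsoft documentation: a small Python model of the Windows 2000 client route table. It derives the classful route from the assigned address (no mask is handed out, so the client falls back to the class A/B/C boundary), does longest-prefix matching over the resulting table, and shows where traffic to the 10.1.2.0/24 pool, the 128.1.0.0/16 subnet and an Internet host goes under each setting of 'use default gateway on remote network'. The LAN subnet 192.168.0.0/24, the route entries and all destination addresses are constructed for illustration.

```python
import ipaddress

# Added example modelling the Windows 2000 VPN client routing described in the
# post. All route entries and addresses below are constructed for illustration.


def classful_network(ip):
    """Classful (A/B/C) network containing ip: what the client derives when the
    VPN address arrives without a subnet mask."""
    ip = ipaddress.ip_address(ip)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8          # class A
    elif first_octet < 192:
        prefix = 16         # class B
    elif first_octet < 224:
        prefix = 24         # class C
    else:
        raise ValueError(f"{ip}: class D/E address has no classful route")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def client_routes(vpn_ip, lan_net, use_remote_default_gw):
    """Client route table after the tunnel is up, as (network, interface)
    pairs; the interface is 'lan' (physical NIC) or 'tunnel' (VPN)."""
    vpn_ip = ipaddress.ip_address(vpn_ip)
    routes = [
        (ipaddress.ip_network(lan_net), "lan"),            # directly connected LAN
        (ipaddress.ip_network(f"{vpn_ip}/32"), "tunnel"),  # the 255.255.255.255 host entry
    ]
    if use_remote_default_gw:
        # Default route moves to the tunnel: everything not on the LAN goes
        # to the VPN server, so no split tunnelling is possible.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "tunnel"))
    else:
        # Default route stays on the LAN; only the classful network of the
        # assigned address is reached through the tunnel.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "lan"))
        routes.append((classful_network(vpn_ip), "tunnel"))
    return routes


def egress(routes, dst):
    """Longest-prefix match: the interface that carries traffic to dst."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def not_via_tunnel(routes, central_subnets):
    """Central subnets whose traffic would bypass the tunnel (sent to the LAN
    default gateway instead), i.e. the 128.1.0.0/16 problem in the post."""
    missing = []
    for net in central_subnets:
        net = ipaddress.ip_network(net)
        if egress(routes, net[1]) != "tunnel":   # net[1]: first host address
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    central = ["10.1.2.0/24", "128.1.0.0/16"]   # constructed central subnets
    for checked in (True, False):
        routes = client_routes("10.1.2.3", "192.168.0.0/24", checked)
        print(f"'use default gateway on remote network' = {checked}")
        for dst in ("10.1.2.50", "128.1.5.5", "198.51.100.7"):
            print(f"  {dst:>14} -> {egress(routes, dst)}")
        print(f"  central subnets bypassing the tunnel: {not_via_tunnel(routes, central)}")
```

Running it prints that with the box checked every non-LAN destination, the Internet host included, leaves via the tunnel, while with it unchecked only 10.0.0.0/8 does and 128.1.0.0/16 is handed to the LAN default gateway in the clear.
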
-----Original Message-----
From: Stephen Herrera [mailto:sherrera@xxxxxxxxxx]
Sent: Thursday, 10 January 2002 17:17
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!


http://www.ISAserver.org


I am having the same problem with that automatic subnet mask. So far I have
been unable to change it. Please post if you find something.

steve


-----Original Message-----
From: Quita Harris [mailto:qharris@xxxxxxxx]
Sent: Thursday, January 10, 2002 7:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!

Hi Jason,

Thanks again for ALL your assistance, you got me on the right track. I see
where the invalid subnet mask is coming from: when I enter the block of
static IPs in RRAS (right-click the RRAS server container, select the IP
tab) there is no option to enter a subnet mask and somehow an automatic
mask is generated. That's what I need to resolve.

Thanks Again

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
sherrera@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
