Wireless and Wifi Forums > News > Newsgroups > alt.internet.wireless

#1  01-29-2008, 01:31 AM  wbsurfver@yahoo.com
seeing outside corporate network when on VPN


When I work at home, I connect to the company intranet through the
company VPN from either my condo or my mother's house. In both cases I
use a netgear WGR614 wireless router. The VPN is located physically at
the company.

Once I am on the company intranet through the VPN, I can access the
company development websites, but I can't see the regular internet at
all. I would like to be able to see the regular internet as well as
the company intranet. What do I need to figure out?


Here is what ipconfig shows when I am not on the VPN:


C:\ugc\widget-bak\widgets>ipconfig

Windows IP Configuration


Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1

C:\ugc\widget-bak\widgets>



Here is what ipconfig shows when I am on the VPN, I edited the ip
address here for confidentiality of course:

=============================

C:\ugc\widget-bak\widgets>ipconfig

Windows IP Configuration


Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1

PPP adapter Connect to my-company Corporate LAN - Go to webvpn.my-company.com instead of dialing directly:

Connection-specific DNS Suffix . : office.mycompany.com
IP Address. . . . . . . . . . . . : 10.6x.0.8x
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

C:\ugc\widget-bak\widgets>


#2  01-29-2008, 01:51 AM  dold@06.usenet.us.com
Re: seeing outside corporate network when on VPN

wbsurfver@yahoo.com <wbsurfver@gmail.com> wrote:
> Once I am on the company intranet through the VPN, I can access the
> company development websites, but I can't see the regular internet at
> all. I would like to be able to see the regular internet as well as
> the company intranet. What do I need to figure out ?


When you are at work, can you get to the internet?

This is likely a feature of your company's VPN configuration. With
Nortel, it is called "Mandatory Tunnel Mode", where it is mandatory that
all traffic pass through the VPN tunnel. This is usually a good thing,
unless you have devices on your local network that you want to reach.

The alternative would be split tunneling, where you would be able to see
devices through the VPN, and also your original network.

You have no control over it, but the VPN admins probably do.


There's also another set, where you can get to the company VPN, maybe the
internet through them, and also are allowed access to your home network, if
it is of the prescribed address setting. I forget what that's called.
Soft Tunneling?

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5

#3  01-29-2008, 07:36 PM  BigJim
Re: seeing outside corporate network when on VPN

You will not be able to surf the web as your company has blocked access to it
for security reasons. Most major companies do this. It may be a breach of
security to attempt a bypass and could result in being dismissed.

"wbsurfver@yahoo.com" <wbsurfver@gmail.com> wrote in message
news:2f8acf5c-8e1b-446d-a3ad-4e5a8396b40d@l32g2000hse.googlegroups.com...
>
> When I work at home, I connect to the company intranet through the
> company VPN from either my condo or my mothers house. In both cases I
> use a netgear WGR614 wireless router. The VPN is located physically at
> the company.
>
> Once I am on the company intranet through the VPN, I can access the
> company development websites, but I can't see the regular internet at
> all. I would like to be able to see the regular internet as well as
> the company intranet. What do I need to figure out ?

#4  01-30-2008, 04:34 AM  Jeff Liebermann
Re: seeing outside corporate network when on VPN

"wbsurfver@yahoo.com" <wbsurfver@gmail.com> hath wroth:

> When I work at home, I connect to the company intranet through the
>company VPN from either my condo or my mothers house. In both cases I
>use a netgear WGR614 wireless router. The VPN is located physically at
>the company.
>
> Once I am on the company intranet through the VPN, I can access the
>company development websites, but I can't see the regular internet at
>all. I would like to be able to see the regular internet as well as
>the company intranet. What do I need to figure out ?


That's the usual way a VPN is setup. When you're connected to the
corporate LAN (through the VPN), then you do not have access to the
internet. You can tweak it by changing the setting for the default
gateway. There are two choices. Use gateway on remote system and use
local gateway. The local gateway will give you internet access. It
will also probably violate the company's rules and open your system to
a grab bag of exploits and security issues. The worst would be to
bridge (or tunnel) between the internet and the corporate LAN,
essentially exposing the company network to the internet direction,
without the benefits of a firewall.

If you must surf the internet, disconnect from the corporate VPN, and
your default gateway will be restored to the local router, which will
give you internet access.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#5  01-30-2008, 06:42 AM  dold@06.usenet.us.com
Re: seeing outside corporate network when on VPN

Jeff Liebermann <jeffl@cruzio.com> wrote:
> That's the usual way a VPN is setup. When you're connected to the
> corporate LAN (through the VPN), then you do not have access to the
> internet.


I disagree. Your route to the internet is through the corporate LAN not
usually cut off. Most companies allow access to the internet.

> You can tweak it by changing the setting for the default gateway.


I disagree. If the corporate VPN is tunneled, you have no access to your
local LAN at all, including your own gateway.

Even with a split tunnel on a Nortel VPN, I can't change the routing once
the VPN is started. Some things I can set permanent routes for before I
connect the VPN, some are taken by the corporate VPN.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5

#6  01-30-2008, 08:03 AM  Jeff Liebermann
Re: seeing outside corporate network when on VPN

dold@06.usenet.us.com hath wroth:

>Jeff Liebermann <jeffl@cruzio.com> wrote:
>> That's the usual way a VPN is setup. When you're connected to the
>> corporate LAN (through the VPN), then you do not have access to the
>> internet.


>I disagree. Your route to the internet is through the corporate LAN not
>usually cut off. Most companies allow access to the internet.


Huh? I can't tell if you're suggesting that the route to the internet
must be through the corporate LAN, or if you're suggesting that it
might be. Either way will work because the only machines that should
be accessible through the VPN are those on the corporate LAN. Surfing
the web through the corporate LAN is not my idea of efficient use of
bandwidth.

>> You can tweak it by changing the setting for the default gateway.

>
>I disagree. If the corporate VPN is tunneled, you have no access to your
>local LAN at all, including your own gateway.


PPTP VPN TCP/IP setup has the option of "use default gateway on remote
network" as in:
<http://technet.microsoft.com/en-us/library/bb878117.aspx>
which explains how to get simultaneous internet and VPN access (split
tunnel), something I consider to be a generally bad idea. All other
VPN clients have a similar option.

>Even with a split tunnel on a Nortel VPN, I can't change the routing once
>the VPN is started. Some things I can set permanent routes for before I
>connect the VPN, some are taken by the corporate VPN.


Well yeah. Nortel and SecureNet based VPN clients have mandatory
settings that override any tinkering you attempt. However, know that
I can setup a VPN using the SecureNet client, NOT enable mandatory
settings, and tinker away merrily.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#7  01-30-2008, 04:54 PM  Jeff Liebermann
Re: seeing outside corporate network when on VPN

Jeff Liebermann <jeffl@cruzio.com> hath wroth:

>PPTP VPN TCP/IP setup has the option of "use default gateway on remote
>network" as in:


Incidentally, note that the OP's VPN IP setup has no default gateway:

Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1

Connection-specific DNS Suffix . : office.mycompany.com
IP Address. . . . . . . . . . . . : 10.6x.0.8x
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

which implies that it was never intended to be used for general
internet access and that all access was to be with systems in the
10.xxx.xxx.xxx private IP block (presumably on the corporate LAN).

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#8  01-30-2008, 05:49 PM  stephen
Re: seeing outside corporate network when on VPN

"Jeff Liebermann" <jeffl@cruzio.com> wrote in message
news:4ta0q3l5rji2tmdug0phtd7edotr4mrrqp@4ax.com...
> dold@06.usenet.us.com hath wroth:
>
> >Jeff Liebermann <jeffl@cruzio.com> wrote:
> >> That's the usual way a VPN is setup. When you're connected to the
> >> corporate LAN (through the VPN), then you do not have access to the
> >> internet.

>
> >I disagree. Your route to the internet is through the corporate LAN not
> >usually cut off. Most companies allow access to the internet.

>
> Huh? I can't tell if you're suggesting that the route to the internet
> must be through the corporate LAN, or if you're suggesting that it
> might be. Either way will work because the only machines that should
> be accessible through the VPN are those on the corporate LAN. Surfing
> the web through the corporate LAN is not my idea of efficient use of
> bandwidth.


Corporate security teams don't care about efficiency - just "do it my way or
else" :)
>
> >> You can tweak it by changing the setting for the default gateway.

> >
> >I disagree. If the corporate VPN is tunneled, you have no access to your
> >local LAN at all, including your own gateway.

>
> PPTP VPN TCP/IP setup has the option of "use default gateway on remote
> network" as in:
> <http://technet.microsoft.com/en-us/library/bb878117.aspx>
> which explains how to get simultaneous internet and VPN access (split
> tunnel), something I consider to be a generally bad idea. All other
> VPN clients have a similar option.
>
> >Even with a split tunnel on a Nortel VPN, I can't change the routing once
> >the VPN is started. Some things I can set permanent routes for before I
> >connect the VPN, some are taken by the corporate VPN.

>
> Well yeah. Nortel and SecureNet based VPN clients have mandatory
> settings that override any tinkering you attempt. However, know that
> I can setup a VPN using the SecureNet client, NOT enable mandatory
> settings, and tinker away merrily.


The VPN server can be set up to force the "no split tunnel" option on
some products.

"no split tunnel" seems to override the routing table on a cisco VPN client
so all the user traffic goes thru the tunnel.

there was a rash of VPN products that would "policy check" the client a few
years back.

The idea was the PC would have to have the right config running, virus
checker up to date etc, or it is not allowed onto the corp network until
that is fixed - it gets parked in a crippled DMZ where upgrades can be done
instead.
>
> --
> Jeff Liebermann jeffl@cruzio.com
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558

--
Regards

stephen_hope@xyzworld.com - replace xyz with ntl



#9  01-30-2008, 08:06 PM  dold@06.usenet.us.com
Re: seeing outside corporate network when on VPN

Jeff Liebermann <jeffl@cruzio.com> wrote:
> Huh? I can't tell if you're suggesting that the route to the internet
> must be through the corporate LAN, or if you're suggesting that it
> might be. Either way will work because the only machines that should
> be accessible through the VPN are those on the corporate LAN. Surfing
> the web through the corporate LAN is not my idea of efficient use of
> bandwidth.


Efficiency isn't the point, access is. By tunneling into the corporate
LAN, corporate filters and firewalls can be applied to all traffic, making
the internet a little safer place to visit.

Sonic.net has VPN to their server for all of their subscribing WiFi
clients. I think that is offered as a security against WiFi snooping.

> which explains how to get simultaneous internet and VPN access (split
> tunnel), something I consider to be a generally bad idea. All other
> VPN clients have a similar option.


If allowed by the VPN server that you are using. Even though my client
allows split tunneling, I couldn't use a split tunnel
until I was added to the configured list of users with that permission.

> Well yeah. Nortel and SecureNet based VPN clients have mandatory
> settings that override any tinkering you attempt. However, know that
> I can setup a VPN using the SecureNet client, NOT enable mandatory
> settings, and tinker away merrily.


I think not. You have to be able to configure the server as well.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5

#10  01-30-2008, 08:15 PM  dold@06.usenet.us.com
Re: seeing outside corporate network when on VPN

Jeff Liebermann <jeffl@cruzio.com> wrote:
> which implies that it was never intended to be used for general
> internet access and that all access was to be with systems in the
> 10.xxx.xxx.xxx private IP block (presumably on the corporate LAN).


I worked with a client whose VPN was _only_ for Lotus Notes. There was no
access to any other machine on their intranet.

Whatever... You don't get to choose what happens on the other side of the
VPN end point, and you might not get to choose what happens in your own
client.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5

#11  01-30-2008, 09:50 PM  dold@06.usenet.us.com
Re: seeing outside corporate network when on VPN

> Jeff Liebermann <jeffl@cruzio.com> wrote:
> > Well yeah. Nortel and SecureNet based VPN clients have mandatory
> > settings that override any tinkering you attempt. However, know that
> > I can setup a VPN using the SecureNet client, NOT enable mandatory
> > settings, and tinker away merrily.


You have a client that allows you to ignore server settings that are
mandatory?

That seems like rather buggy behavior. What does "mandatory" mean?

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5

#12  01-31-2008, 01:14 AM  Jeff Liebermann
Re: seeing outside corporate network when on VPN

On Wed, 30 Jan 2008 20:06:41 +0000 (UTC), dold@06.usenet.us.com wrote:

>Jeff Liebermann <jeffl@cruzio.com> wrote:


>> Well yeah. Nortel and SecureNet based VPN clients have mandatory
>> settings that override any tinkering you attempt. However, know that
>> I can setup a VPN using the SecureNet client, NOT enable mandatory
>> settings, and tinker away merrily.


>I think not. You have to be able to configure the server as well.


Well, let's see if that's true. I'll dig out the secure laptop later
tonite and try it with the SecureNet client.

Connecting to my home network from the XP SP2 PPTP client, to my home
DD-WRT PPTP server, I get:

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.111.9
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.111.33

PPP adapter home.learnbydestroying.com:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.15.2
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.15.2

My office LAN is on 192.168.111.xxx with the router at 192.168.111.33.
(Yeah, I know. I picked some goofy IP's long ago and have never
bothered to fix them). Note that that default gateway is the remote
router.

I'm still surfing the internet, but judging by the flashing lights,
the traffic is all going through the remote gateway. Checking with
traceroute:

C:\>tracert www.google.com
Tracing route to www.l.google.com [72.14.253.104]
over a maximum of 30 hops:
1 44 ms 48 ms 42 ms 192.168.15.1
2 46 ms 45 ms 39 ms dsl-63-249-85-gateway.cruzio.com [63.249.85.1]
3 117 ms 104 ms 105 ms 114.at-5-0-0.gw3.200p-sf.sonic.net [74.220.64.17]
(blah-blah-blah...)
12 69 ms 71 ms 67 ms po-in-f104.google.com [72.14.253.104]

Yep. Cruzio is my ISP at home.

Now, I disconnect and uncheck the box labelled "use default gateway on
remote server". Now, the IP layout changes to:

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.111.9
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.111.33

PPP adapter home.learnbydestroying.com:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.15.2
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

Note that the default gateway on the remote system is blank, which
means that the default gateway is the local system. Trying traceroute
again:

C:\>tracert www.google.com

Tracing route to www.l.google.com [72.14.253.103]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms router [192.168.111.33]
2 10 ms 9 ms 9 ms adsl-63-198-98-49.dsl.snfc21.pacbell.net [63.198.98.49]
3 10 ms 10 ms 10 ms dist1-vlan60.snfc21.pbi.net [216.102.187.130]
4 10 ms 10 ms 10 ms bb1-10g2-0.snfcca.sbcglobal.net [216.102.176.224]
(blah-blah-blah...)
13 28 ms 30 ms 29 ms po-in-f103.google.com [72.14.253.103]

Now, the internet goes through the local gateway via PBI/SBC/AT&T.

I'll do the same thing with the SecureNet client later. However, I'm
fairly sure that if I save the config file as "non-editable", it will
not allow me to change the gateway.

Also, note that I effectively changed the default gateway on *MY* end,
even though the actual gateway is at the remote end. It's not exactly
the same as configuring the remote server, but is very close.

Egads, I goofed. If the remote VPN gateway field is blank, that means
that the local default gateway is active. If that's true, then the
original poster should have been able to surf the net with the
configuration he posted. Something is not quite right here.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

#13  01-31-2008, 02:08 AM  dold@06.usenet.us.com
Re: seeing outside corporate network when on VPN

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
> On Wed, 30 Jan 2008 20:06:41 +0000 (UTC), dold@06.usenet.us.com wrote:


> >I think not. You have to be able to configure the server as well.


> Well, let's see if that's true. I'll dig out the secure laptop later
> tonite and try it with the SecureNet client.


I changed my mind. If your client is allowed to "ignore" settings that
are said to be "mandatory", that is the broken part. But could a client
like that connect to my VPN server?

> Note that the default gateway on the remote system is blank, which
> means that the default gateway is the local system. Trying traceroute
> again:


Now that I have a split tunnel, my gateway is blank, leaving it up to
my local routing to decide where to route packets. I see that there are a
lot of entries in my route /print. I can't do anything to my routing, or
the VPN aborts with a complaint that routing can't be adjusted while the
VPN is active. If I set a persistent route before I start the VPN, I can
save some local access, like my cable modem at 192.168.100.1, but that
didn't work when I had mandatory tunneling.

When I had mandatory tunneling, my VPN gateway was my address on the VPN.

> original poster should have been able to surf the net with the
> configuration he posted. Something is not quite right here.


Like the model numbers and revision levels for hardware, it might be
helpful to know what products he is trying to use. In any properly set up
enterprise solution, I wouldn't expect the end user to be able to tamper
with things that the enterprise wanted to keep set.

If I connected to a hotspot somewhere, I always connected the tunneled VPN
as soon as possible.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
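What Jeff's blank-gateway observation in #7, his PPTP gateway experiment in #12 and Clarence's persistent-route experience in #13 all come down to is longest-prefix matching over the host's routing table. The Python below is an added illustration, not code from the thread or from any VPN product named in it: it builds the routing tables for no VPN, a split tunnel, a full tunnel and an assumed "mandatory tunnel" client, and reports which interface each sample destination leaves by. Addresses are constructed: 192.168.2.0/24 and the 10.x block follow the OP's ipconfig output, 192.168.100.1 is the cable modem Clarence mentions, and 203.0.113.10 and 198.51.100.7 are documentation-range placeholders. The enforce_mandatory model (strip every non-tunnel route except the host route to the concentrator) is an assumption about how such clients behave, not a description of the Nortel or SecureNet products.

```python
"""Longest-prefix-match model of a Windows host routing table with and
without a VPN tunnel. Added illustration, not code from the thread.
All addresses are constructed (see the lead-in)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # destination network
    iface: str                     # "lan" = home router, "vpn" = PPP adapter
    metric: int = 1                # lower wins when prefix lengths tie


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


VPN_SERVER = "203.0.113.10"  # constructed public IP of the VPN concentrator


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Route selection as 'route print' output is resolved: longest prefix
    first, then lowest metric. Returns the interface, or None if no route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.iface


def local_only() -> List[Route]:
    """No VPN: the home /24 is directly attached, everything else goes to
    the home router (the OP's 192.168.2.1)."""
    return [
        Route(net("192.168.2.0/24"), "lan"),
        Route(net("0.0.0.0/0"), "lan", metric=20),
    ]


def split_tunnel() -> List[Route]:
    """'Use default gateway on remote network' unchecked: the PPP adapter
    shows a blank default gateway; only the corporate 10/8 block is routed
    into the tunnel and the local default route is left alone."""
    return local_only() + [
        Route(net(VPN_SERVER + "/32"), "lan"),  # tunnel packets must still exit locally
        Route(net("10.0.0.0/8"), "vpn"),
    ]


def full_tunnel() -> List[Route]:
    """Box checked: a second 0.0.0.0/0 via the PPP adapter with a better
    metric beats the home router's default route, so internet traffic goes
    through the corporate end. The connected /24 still wins for hosts on
    the home LAN because /24 is longer than /0."""
    return split_tunnel() + [Route(net("0.0.0.0/0"), "vpn", metric=1)]


def add_persistent_route(table: List[Route], host: str) -> List[Route]:
    """Model of a 'route -p add <host> mask 255.255.255.255 ...' entered
    before the VPN comes up, to keep one local device reachable."""
    return table + [Route(net(host + "/32"), "lan")]


def enforce_mandatory(table: List[Route]) -> List[Route]:
    """ASSUMED model of a 'mandatory tunnel' client: every route that does
    not point into the tunnel is stripped, except the host route needed to
    reach the concentrator itself. Local devices and any persistent route
    added beforehand are thereby swallowed by the tunnel."""
    keep = net(VPN_SERVER + "/32")
    return [r for r in table if r.iface == "vpn" or r.prefix == keep]


# Constructed sample destinations.
DESTINATIONS = {
    "internet": "198.51.100.7",
    "corp_dev_web": "10.64.0.50",
    "home_printer": "192.168.2.50",
    "cable_modem": "192.168.100.1",
}


def where_does_it_go(table: List[Route]) -> Dict[str, Optional[str]]:
    """Interface chosen for each sample destination under the given table."""
    return {name: next_hop(table, ip) for name, ip in DESTINATIONS.items()}


if __name__ == "__main__":
    modem = "192.168.100.1"
    scenarios = {
        "no VPN": local_only(),
        "split tunnel": split_tunnel(),
        "full tunnel": full_tunnel(),
        "full tunnel + persistent modem route": add_persistent_route(full_tunnel(), modem),
        "mandatory tunnel + persistent route": enforce_mandatory(
            add_persistent_route(full_tunnel(), modem)),
    }
    for name, table in scenarios.items():
        print(f"{name:38s} {where_does_it_go(table)}")
```

Running it prints one line per scenario. Under the full tunnel the home printer stays reachable because the connected /24 outranks both default routes, while the cable modem on a different subnet falls through to the tunnel unless a /32 host route was added first; the mandatory model removes even that, which is the behaviour Clarence describes. It also shows why the OP's blank PPP default gateway should have left internet traffic on the home router, which is the puzzle Jeff raises at the end of #12.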

#14  01-31-2008, 03:36 AM  Jeff Liebermann
Re: seeing outside corporate network when on VPN

On Thu, 31 Jan 2008 02:08:27 +0000 (UTC), dold@06.usenet.us.com wrote:

>I changed my mind. If your client is allowed to "ignore" settings that
>are said to be "mandatory", that is the broken part.


Well, there's nothing broken about being able to change the settings.
The SecureNet clients that I'm familiar with allow this within the
client configuration. Lots of options and config variations to get
lost in. I find myself doing all too much trial and error before I
get it right. However, once it's set and saves, I can mark the saved
file as "non-editable" which means no more tweaking allowed.

The big question is what does the IT department distribute.
Presumably, it's the non-tweakable configuration that enforces the IT
department's edicts and does not allow routing changes. However, if
they're clueless, they could just as easily have distributed a saved
version that allows changes.

>But could a client
>like that connect to my VPN server?


Probably. Many IPSec clients are made to be fairly universal and will
connect to just about anything. However, some are really simplistic
and offer a limited number of compatible VPN servers.

>> Note that the default gateway on the remote system is blank, which
>> means that the default gateway is the local system. Trying traceroute
>> again:


>Now that I have a split tunnel, my gateway is blank, leaving it up to
>my local routing to decide where to route packets. I see that there are a
>lot of entries in my route /print. I can't do anything to my routing, or
>the VPN aborts with a complaint that routing can't be adjusted while the
>VPN is active. If I set a persistent route before I start the VPN, I can
>save some local access, like my cable modem at 192.168.100.1, but that
>didn't work when I had mandatory tunneling.


Oops. I guess I'm half wrong. Leaving the default gateway blank
allows local routing, but if the VPN stack checks for and prevents
changes, then it's not going to happen. That kinda makes sense
because the IT department does not know the IP address of your local
router and therefore would not normally configure it into their VPN
configuration.

>When I had mandatory tunneling, my VPN gateway was my address on the VPN.


Yeah. That sends literally everything through the VPN. That drives
me nuts when I have a local network printer, that magically becomes
inaccessible when the VPN is running. Depending on the VPN client, I
can sometimes setup a static route to the printer. More often, I'm
stuck with setting up a USB or parallel connection so the customer can
print.

>> original poster should have been able to surf the net with the
>> configuration he posted. Something is not quite right here.

>
>Like the model numbers and revision levels for hardware, it might be
>helpful to know what products he is trying to use.


Hey... that's my line. Copyright pending on my accompanying insults
and insulting remarks.

>In any properly set up
>enterprise solution, I wouldn't expect the end user to be able to tamper
>with things that the enterprise wanted to keep set.


Neither would I, but how does one accommodate creative home network
installations, such as my network printing problem? The easiest
solution is to use a hardware product with a dedicated VPN port. I'm
seeing more and more SSL VPN's, which are MUCH easier to setup and
configure, and don't have routing issues.

>If I connected to a hotspot somewhere, I always connected the tunneled VPN
>as soon as possible.


I have a VPN tunnel setup to my home and office networks. Nothing
fancy, just PPTP. However, I just use those for email and document
transfers. For moving files, I use WinSCP:
<http://winscp.net/eng/>
through an SSH tunnel. Works with most (not all) of the ISP's I deal
with. However, for general web browsing, I rely on SSL for commerce
security and don't care for the other stuff. VPN and SSL tunnels are
just too slow for general browsing. Besides, I don't need security
for downloading driver updates and such.

Incidentally, consider yourself at fault for ruining my evening. I
decided it was time to renumber the IP's in the office. That involved
changing the IP's of the router and my main server. Trying to
remember how to set the default route in SCO Unix 3.2v4.2 was no fun.
Then the printers crapped out and I had to reset their default route.
Now, SNMP is complaining, my syslog junk is going to the wrong server,
inside DNS is a mess, and I'm getting hungry. Before I can fix any of
the damage, I need a suitable culprit and you're it. Please note that
being blamed is actually an honor and that it is not necessary to
thank me.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

#15  01-31-2008, 05:35 AM  dold@06.usenet.us.com
Re: seeing outside corporate network when on VPN

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
> On Thu, 31 Jan 2008 02:08:27 +0000 (UTC), dold@06.usenet.us.com wrote:
> >I changed my mind. If your client is allowed to "ignore" settings that
> >are said to be "mandatory", that is the broken part.


> Well, there's nothing broken about being able to change the settings.


No, ignoring "mandatory" settings is broken, unless I misunderstand the
meaning of mandatory.

> Yeah. That sends literally everything through the VPN. That drives
> me nuts when I have a local network printer, that magically becomes
> inaccessible when the VPN is running. Depending on the VPN client, I
> can sometimes setup a static route to the printer. More often, I'm
> stuck with setting up a USB or parallel connection so the customer can
> print.


There is another VPN tunnel buzzword that I forget, that allows you to
access a defined LAN. It would be simple enough to tell everyone that
their home LAN needs to be 192.168.48.0 if they want access to their local
printer. A static persistent route to my network printer didn't work when
I had mandatory tunneling.

> >Like the model numbers and revision levels for hardware, it might be
> >helpful to know what products he is trying to use.


> Hey... that's my line. Copyright pending on my accompanying insults
> and insulting remarks.


That's why I used it ;-)

> Neither would I, but how does one accommodate creative home network
> installations, such as my network printing problem? The easiest


Lots of low end printers have WiFi built in now. The $399 1TB file server
thing at Best Buy only has network connections, no USB. My 10 year old
HP4000N has ethernet.

> with. However, for general web browsing, I rely on SSL for commerce
> security and don't care for the other stuff.


Yeah, but... It was there, I liked it.

> VPN and SSL tunnels are just too slow for general browsing.


The cable modem is my slow link. I can hit wire speed with or without VPN
to the same site.

> Incidentally, consider yourself at fault for ruining my evening. I
> decided it was time to renumber the IP's in the office. That involved


oh, never do that... I did that accidentally, by resetting my router to
defaults (hey, that was your advice!), losing my MAC-IP reservations, and
then I couldn't figure out (months later) why my file sharing didn't
work... firewall setup.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5

#16  02-01-2008, 02:21 AM  Jeff Liebermann
Re: seeing outside corporate network when on VPN

On Thu, 31 Jan 2008 05:35:48 +0000 (UTC), dold@06.usenet.us.com wrote:

>No, ignoring "mandatory" settings is broken, unless I misunderstand the
>meaning of mandatory.


Yeah, one would assume that mandatory means that you can't play with
the settings. However, there's some question as to how much of the
configuration is enforced in that manner. For example, if the IT
department was worried about the other family machines on the LAN
getting into the corporate LAN via the VPN, the configuration might
intentionally disconnect all local LAN connections (like the network
printer). On the other foot, if they wanted to accommodate weird and
all too common home networks, they could leave the local LAN devices
accessible (and by implication, user reconfigurable). Lots of options
and possibilities.

>There is another VPN tunnel buzzword that I forget, that allows you to
>access a defined LAN.


Static route?

>It would be simple enough to tell everyone that
>their home LAN needs to be 192.168.48.0 if they want access to their local
>printer.


I have 2 network printers at home. 3 more in the office. I just got
a Samsung CLP-550N color laser printer, so I guess that's now 4 in the
office. Never mind all the NAS (network attached storage) boxes at
both locations. I don't think IT wants to deal with my home
nightmare.

Much more disgusting is when the corporate LAN at the end of the VPN
and the local LAN both have the same class C IP block. For example,
if both are on 192.168.1.xxx. It won't take much to create a
duplicate IP address even if the tunnel is assigned a different IP
block. That's why I use 192.168.111.xxx for my office LAN and use
other numbers for my customers.

>A static persistent route to my network printer didn't work when
>I had mandatory tunneling.


Yep. Same here depending on where I point the gateway.

>> >Like the model numbers and revision levels for hardware, it might be
>> >helpful to know what products he is trying to use.

>
>> Hey... that's my line. Copyright pending on my accompanying insults
>> and insulting remarks.

>
>That's why I used it ;-)


For a moment, I thought you were emulating my style, agreeing with my
methodology, and adopting all my bad habits. Please don't scare me
like that again.

>Lots of low end printers have WiFi built in now. The $399 1TB file server
>thing at Best Buy only has network connections, no USB. My 10 year old
>HP4000N has ethernet.


Yep. And as soon as you connect to your corporate VPN, they all
disappear from your LAN.

>The cable modem is my slow link. I can hit wire speed with or without VPN
>to the same site.


Some things are just too slow to run over a VPN, as compared to using
a remote desktop (PC Anywhere, VNC, MS remote desktop, etc) solution.
For example, running a program that insists on constantly loading and
unloading a bunch of small modules to do things is really slothish on
a VPN, but perfectly usable with remote desktop software.

>> Incidentally, consider yourself at fault for ruining my evening. I
>> decided it was time to renumber the IP's in the office. That involved

>
>oh, never do that... I did that accidentally, by resetting my router to
>defaults (hey, that was your advice!), losing my MAC-IP reservations, and
>then I couldn't figure out (months later) why my file sharing didn't
>work... firewall setup.


Nicely done. I'm still recovering from the damage done when changing
IP's, but it's not too horrible. I still have some boxes to tweak. As
for resetting the router, I accept the responsibility but not the
blame. Any decent router should have a way to save the settings. I
never reset anything without first saving the settings. However, I
was playing with the flashing lights and the GPIO command last night.
One of the GPIO commands initiated a grand reset to defaults of the
router. This was not exactly planned and required that I restore from
my backups. Fortunately, I've been doing firmware upgrades, so there
were plenty of previous backups. I also have printed copies, but
those would take some effort to excavate. Incidentally, I carry the
saved settings with me on a USB dongle because I use them as templates
for creating newer setups.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

  #17 (permalink)  
Old 02-01-2008, 07:10 PM
dold@06.usenet.us.com
Default Re: seeing outside corporate network when on VPN

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
> On Thu, 31 Jan 2008 05:35:48 +0000 (UTC), dold@06.usenet.us.com wrote:


> >There is another VPN tunnel buzzword that I forget, that allows you to
> >access a defined LAN.


> Static route?


No. This is an allowance to get to specified network ranges when even a
static route wouldn't work. Mandatory tunneling with an exception.
I thought I saw a buzzword applied, but now all I can find is my own
coining of the phrase "soft tunneling" ;-(

Cisco docs define networks to be tunneled versus clear. Your 192.168.111
could be defined as clear.

"The default is to tunnel all traffic. To set a split tunneling policy,
enter the split-tunnel-policy command in group-policy configuration mode.

The excludespecified keyword defines a list of networks to which traffic
goes in the clear. This feature is useful for remote users who want to
access devices on their local network, such as printers, while they are
connected to the corporate network through a tunnel. This option applies
only to the Cisco VPN client.

The tunnelall keyword specifies that no traffic goes in the clear or to any
other destination than the security appliance. This, in effect, disables
split tunneling. Remote users reach Internet networks through the corporate
network and do not have access to local networks. This is the default
option.

The tunnelspecified keyword tunnels all traffic from or to the specified
networks. This option enables split tunneling. It lets you create a network
list of addresses to tunnel. Data to all other addresses travels in the
clear and is routed by the remote user's Internet service provider.
"

> Much more disgusting is when the corporate LAN at the end of the VPN
> and the local LAN both have the same class C IP block. For example,


That led to a statement of fact by our IT group that Linksys routers
wouldn't work with VPN, only SMC. The truth was that our small corporate
LAN used the default subnet, and that was the same as the default on
Linksys. SMC had a different default subnet, so your home network wouldn't
conflict with the VPN.

> >A static persistent route to my network printer didn't work when
> >I had mandatory tunneling.


> Yep. Same here depending on where I point the gateway.


I would ask why a static route would be affected by where you pointed the
gateway, but I'm bored with mandatory versus split.

> Some things are just too slow to run over a VPN, as compared to using
> a remote desktop (PC Anywhere, VNC, MS remote desktop, etc) solution.


That's not VPN versus unencrypted, that's thin client versus dragging the
data across a WAN to your server.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
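As an added illustration of the three split-tunnel-policy keywords quoted in the post above (tunnelall, excludespecified, tunnelspecified) and of the duplicate-subnet problem Jeff raises in #16, here is a small Python model of how a client decides whether a destination goes through the tunnel or in the clear, plus a check for the home-LAN/corporate-LAN address collision. This is example code written for this page, not Cisco's implementation and not anything posted in the thread; the policy names follow the quoted documentation, while the addresses used (home LAN 192.168.1.0/24 with a printer at 192.168.1.50, office LAN 192.168.111.0/24, an internet host at 203.0.113.5) are constructed sample values.

```python
"""Model of split-tunnel policy decisions and subnet-overlap detection.

Added example for this page; it is not Cisco's code and not from the thread.
Policy keywords follow the quoted documentation; all addresses are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

TUNNEL = "tunnel"   # traffic goes to the security appliance over the VPN
CLEAR = "clear"     # traffic is routed by the local ISP / home LAN


def route_decision(policy: str, network_list: Iterable[str], destination: str) -> str:
    """Return TUNNEL or CLEAR for one destination under a split-tunnel policy.

    policy:        'tunnelall' | 'excludespecified' | 'tunnelspecified'
    network_list:  CIDR strings attached to the policy (unused for tunnelall)
    """
    dst = ip_address(destination)
    nets = [ip_network(n, strict=False) for n in network_list]
    listed = any(dst in n for n in nets)

    if policy == "tunnelall":
        # Default: nothing goes in the clear, internet and printer alike.
        return TUNNEL
    if policy == "excludespecified":
        # Listed networks (e.g. the home LAN) stay local; everything else,
        # including general internet traffic, still rides the tunnel.
        return CLEAR if listed else TUNNEL
    if policy == "tunnelspecified":
        # Only listed networks (the corporate ranges) are tunneled; the rest,
        # including the internet, is routed by the user's ISP.
        return TUNNEL if listed else CLEAR
    raise ValueError(f"unknown split-tunnel policy: {policy!r}")


def classify(policy: str, network_list: Iterable[str],
             destinations: Iterable[str]) -> Dict[str, str]:
    """Apply route_decision to several destinations at once."""
    nets = list(network_list)
    return {d: route_decision(policy, nets, d) for d in destinations}


def overlapping_networks(local_nets: Iterable[str],
                         corporate_nets: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (local, corporate) pairs whose address ranges overlap.

    Any overlap means a destination inside it is ambiguous: the same address
    can exist on both sides of the tunnel, which is the duplicate-IP situation
    described in the thread.
    """
    pairs = []
    for local in local_nets:
        ln = ip_network(local, strict=False)
        for corp in corporate_nets:
            cn = ip_network(corp, strict=False)
            if ln.overlaps(cn):
                pairs.append((str(ln), str(cn)))
    return pairs


def demo() -> Dict[str, Dict[str, str]]:
    """Walk the constructed scenario through all three policies."""
    home_lan = "192.168.1.0/24"          # constructed home LAN
    office_lan = "192.168.111.0/24"      # office LAN, per the thread
    targets = ["192.168.1.50",           # home printer (constructed)
               "192.168.111.10",         # office host (constructed)
               "203.0.113.5"]            # internet host (documentation range)
    result = {
        "tunnelall": classify("tunnelall", [], targets),
        "excludespecified": classify("excludespecified", [home_lan], targets),
        "tunnelspecified": classify("tunnelspecified", [office_lan], targets),
    }
    for name, table in result.items():
        print(name)
        for dst, how in table.items():
            print(f"  {dst:<16} -> {how}")
    collisions = overlapping_networks([home_lan], ["192.168.1.0/24", office_lan])
    print("overlaps:", collisions)
    return result


if __name__ == "__main__":
    demo()
```

The model shows why the original poster loses the internet under the default (tunnelall), why excludespecified restores the local printer but still sends web traffic via the corporate network, and why tunnelspecified is the only one of the three that leaves general browsing on the home ISP. `overlapping_networks` is the check worth running before choosing excludespecified: if the excluded home range overlaps a corporate range, the client cannot tell the two apart no matter which policy is set.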
