Problems with VPM and Default Gateway

From: allan grossman [mvp] (allan_grossman_at_hotmail.com)
Date: 04/23/04 

Date: Fri, 23 Apr 2004 07:32:33 -0700

Hi, Dave -

What you're asking for is a feature called 'split
tunneling' and is not supported by most business or
government networks I've seen. To be completely honest
if I were in charge of your client's network I'd route
all IP traffic through the VPN also - as allowing a PC to
act as a bridge between a trusted network and the
untrusted Internet creates a pretty huge security hole.
Anything that has access to your PC also has access to
the corporate network through the VPN - this includes
remote desktop applications, trojans, viruses, and even
fairly innocent applications run by less-than-innocent
users ;-)

If you're set on split tunneling it might be a good idea
to contact your client and ask them if they can help set
you up. Some VPNs can be configured to route only
certain ports through the VPN.

Hope this helps -

My guess is that your VPN client is routing all IP
traffic through the VPN - and that's generally not
configurable at the workstation end.

>-----Original Message-----
>I have been searching the Web and newsgroups for weeks
trying to
>determine the answer to this problem - if anyone knows
how to help,
>I'd be immensely grateful.
>
>My home office machine runs XP Pro and connects to
Sprint ADSL via a
>D-LINK DI-514 router and Zyxel 645M DSL model.
>
>That setup works fabulously on its own. However, when I
connect to
>one of my clients' networks via VPN, all traffic is
routed through the
>VPN even though the "use default gateway on remote
network" box is not
>checked in VPN properties. This causes all sorts of
problems for me,
>from DNS and routing resolution to apps like IM
disconnecting and
>reconnecting when the VPN is established or dropped. In
addition, I
>don't want my FTP, etc. transfers clogging up their
network 2000 miles
>away.
>
>Has anyone seen this problem before? If so, how was it
resolved?
>.
>

Relevant Pages

  • Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
    ... This set of steps is redundant in many places, and it's also enormously expensive, since you're using no less than three different expensive bits of networking hardware (AP, PIX, VPN Concentrator), in addition to a bunch of x86 server hardware, windows server licenses, and at least one ISA license. ... Your computers necessarily don't have full access to your network infrastructure when they aren't logged on, so GPOs, software updates, etc can't be applied at the times you want them to be applied. ... Turning on, enabling, and implementing every possible security setting and device you think of is not defence in depth, and will probably only have two effects - your users won't use your wireless network, and you'll burn so much cash you won't have any left to spend on *useful* security measures. ...
    (Full-Disclosure)
  • TidBITS#792/15-Aug-05
    ... We also note the release of Security Update 2005-007, ... Macintosh FTP client, free for educational and charitable use. ... mentioned virtual private network (VPN) technologies. ...
    (comp.sys.mac.digest)
  • RE: VPN Error 800
    ... The VPN client IP is 10.0.1.40, this is a private IP address. ... server IP address is 81.137.105.244, this is a Internet IP address. ... not test VPN connection from your perimeter network. ... SBS on your switch to make it work. ...
    (microsoft.public.windows.server.sbs)
  • Re: VPN with SBS 2003 (not R2) and DSL.
    ... Reading property value for VPN returned OK ... Reading VPN Server Name returned OK ... identical network cards. ... it seems doubtful that SBS will work properly with two NICs ...
    (microsoft.public.windows.server.sbs)
  • Re: OT By a mile in parts comments on Viet Nam
    ... check bank accouts etc etc whilst away but is safe to do so over wireless and using the hotel network.. ... you should regard your connection as insecure and use some ... form of encryption to protect your passwords and privacy. ... My recommendation would be to set up a VPN endpoint in the UK that you ...
    (uk.comp.sys.mac)