Re: VPN Client Incorrect Netmask (Vista -> Win2K3)
- From: RLTusch <RLTusch@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 25 May 2008 14:29:01 -0700
Hi, Mike.
No, you are not imagining things.
Microsoft programmers SEVERELY damaged the VPN Client in Vista and Server 2008.
.... and yes, the original MS VPN Client was designed to allow you to
establish more than one simultaneous VPN connection (limited to two in
workstation products such as Windows XP, etc. - Refer to Microsoft's product
documentation for more information.)
The problem you are experiencing is due to a flaw in Vista's AND Server
2008's implementation of the MS VPN Client.
With Windows 2000, XP, and 2003 Server the VPN client would receive the DNS
server, "connection specific" DNS domain suffix, and the appropriate Subnet
Mask from the DHCP server at the remote (VPN Server) side (if a DHCP Server
was used and the RRAS router's DHCP Relay was configured correctly).
What is happening with Vista and Server 2008 is that the code of the VPN
client is giving you a Subnet mask based on the first Octet of the IP address
that it receives, instead of obtaining the mask by query as it does in
Windows XP. (It also writes the DNS Server addresses to the registry in
reverse order from the order the server side issues... not to mention that,
in several scenarios, it ignores the DNS Domain name that is given to it.)
Microsoft has been notified of this many times, by many people (myself
included) but I still have not found a fix for it, short of manually altering
the routing table after you establish the VPN connection. SP1 for Vista did
not correct the problem, either.
I have also called in a complaint to Microsoft's customer service center
earlier this week.
We all need to apply pressure to Microsoft to fix what they broke! I am
advising all of my customers with field reps who VPN into their central
offices to NOT upgrade to Vista, until Microsoft fixes their problem with the
VPN client.
For my clients who are purchasing new laptops for their field reps who need
VPN capability, I am advising them to use Linux on the laptops, and deploy
Citrix on their servers. The Linux distros that I have tested have a working
VPN Client.
I have Vista Ultimate x64 on my machine, and I have written a script that
corrects the DNS issues after VPN connection. I'm also working on a script
that will correct the subnet mask issue.
Since I am not a big-shot developer working for Microsoft, it took me about
a week to perfect my DNS script. It should take me about the same amount of
time to script the subnet mask fix.
Interesting... if I can fix the DNS issues in Microsoft's VPN Client in one
week, why has Microsoft STILL NOT fixed it after 1.5 years?
I think they have lost their expertise in networking.
I hope someone can get Microsoft to fix their broken code... until then, I
wish you well.
RLTusch
"Mike Petito" wrote:
On Mar 13, 11:40 pm, "Bill Grant" <not.available@online> wrote:
No there isn't really any way around that problem. The dialup client was
designed to allow a remote user to connect to a LAN and access the resources
there. It was not designed to allow simultaneous access to many different
sites. You have very limited options. It really boils down to having a
default route to the remote server or a subnet route. See KB 254231.
"Mike Petito" <petit...@xxxxxxxxx> wrote in message
news:0775aa5a-07e7-4510-ad90-2be44f76ea9f@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
From my development machine running Windows Vista, I often have to
establish multiple VPN connections to Windows 2003 servers on
different networks (i.e. for maintenance at different hosting
environments).
In each case, the remote subnet that I connect to is a 10.x.y.z/24.
For example, the remote subnet might be 10.88.0.0/24 and I would
access IP addresses in the range 10.88.0.1 through 10.88.0.255. When
a particular VPN connection is established, my local routing table (as
the client) is modified with the following entries:
Network Destination    Netmask            Gateway       Interface    Metric
10.0.0.0               255.0.0.0          10.88.0.80    10.88.0.81   21
10.88.0.81             255.255.255.255    On-link       10.88.0.81   276
This works just fine for one connection. Notice, however, that the
routing table entry states that the remote subnet is 10.0.0.0/8.
According to this post:
http://groups.google.com/group/microsoft.public.windows.server.networ...
"Since the subnet mask depends only on the received IP it uses the old
class rules. So if it gets a 192.168.x.y address it uses a 24-bit
mask. If it gets a 10.x.y.z address it uses an 8-bit mask."
The problem arises when I establish an additional VPN connection to
any 10.x.y.z/24 subnet, for example, 10.88.1.0/24. The only network
that is accessible is the first. I need a way to convey to Windows
that in fact the remote network is not a /8, it is a /24, so that both
networks are accessible over VPN concurrently.
For each connection, the "use default gateway" option is unchecked.
It doesn't appear that there are any other significant connection
options for the routing of a VPN connection.
Does anyone know of a way to make this work?
That seems pretty amazing to me... if it was not designed to allow
simultaneous access to many different sites, then why does Windows let
me establish many concurrent VPN connections?
I realize that I can modify the routing table manually to make any
number of connections work. In my example above, I would have to
perform the following route operations from within an escalated
command prompt:
[Connect VPN to 10.88.0.0/8 subnet]
route delete 10.0.0.0
route add 10.88.0.0 MASK 255.255.255.0 <gateway IP> IF <interface ID VPN #1>
[Connect VPN to 10.88.1.0/8 subnet]
route delete 10.0.0.0
route add 10.88.1.0 MASK 255.255.255.0 <gateway IP> IF <interface ID VPN #2>
This becomes only slightly obnoxious, depending on how many times
throughout the day I need to connect to various sites.
Using procmon, I was able to monitor the registry activity that occurs
while establishing a VPN connection, and notice the following string
value being assigned the mask 255.0.0.0:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<Interface GUID>\DhcpSubnetMask
However, this entire key appears to be reset every time the VPN
connection is established.
I suppose it is asking too much to be able to define properties of the
remote subnet for a particular VPN connection? I can envision several
useful enhancements, including the ability to define any number of
subnets that should be accessed across a particular VPN connection.
Maybe I need to setup a VPN gateway on a Linux box. I'm sure I'm not
the only person with such problems...
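As an added example (not code from anyone in this thread), the script below models the classful rule quoted above, parses a constructed `route print` sample matching Mike's table, and generates the `route delete`/`route add` pair that replaces the over-broad /8 route with the real /24. The interface index (`if_index`) and the true remote prefix are assumptions the operator supplies, since the client does not learn them.

```python
import ipaddress

# Constructed sample of the client's routing table after the first VPN
# connection comes up (the same entries quoted in the thread, in
# "route print" layout). Not captured from a real machine.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1  192.168.1.50     20
         10.0.0.0        255.0.0.0      10.88.0.80    10.88.0.81     21
       10.88.0.81  255.255.255.255         On-link    10.88.0.81    276
"""


def classful_mask(ip):
    """Prefix length the Vista client appears to choose: classful, from the
    first octet only (the rule quoted in the thread)."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8   # class A -> /8
    if first < 192:
        return 16  # class B -> /16
    return 24      # class C -> /24


def parse_route_print(text):
    """Return (destination, netmask, gateway, interface) tuples from the
    IPv4 table portion of 'route print' output; the header line is skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) == 5:
            routes.append(tuple(fields[:4]))
    return routes


def fix_commands(routes, vpn_ip, real_prefix, if_index):
    """Emit the route commands that swap the classful route the client
    installed for the PPP address vpn_ip for a route covering only the real
    remote prefix. if_index is the interface index shown by 'route print'
    (assumed, supplied by the operator)."""
    wrong = ipaddress.ip_network(f"{vpn_ip}/{classful_mask(vpn_ip)}", strict=False)
    right = ipaddress.ip_network(f"{vpn_ip}/{real_prefix}", strict=False)
    cmds = []
    for dest, mask, gw, iface in routes:
        # Only touch the route the VPN interface owns and only if it is the
        # classful one; leave the default route and the on-link /32 alone.
        if iface != vpn_ip or dest != str(wrong.network_address) or mask != str(wrong.netmask):
            continue
        cmds.append(f"route delete {dest} MASK {mask} {gw}")
        cmds.append(f"route add {right.network_address} MASK {right.netmask} {gw} IF {if_index}")
    return cmds
```

Run the same function once per tunnel with that tunnel's PPP address and prefix; a second 10.x tunnel then gets its own /24 route instead of colliding with the first one's /8.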