
Can't "Split-Tunnel" using Microsoft VPN Setup

Nov 12, 2001
I'm having an issue with multiple users connecting with a Microsoft VPN client to a Microsoft VPN server (W2K). They would like to be able to browse the internet on their public network at the same time they access our private network with VPN. They can't do it. I've tried to get it working for them using the Microsoft KB's with no luck (uncheck "Use Default Gateway on Remote Network"). I've also tried adding static persistent routes to their PC's (it won't let me do it, tells me it can't find the interface) to route between the public and private networks. I've upgraded their cable modem service to see if that makes a difference. I've tried different machines with no luck. Tried Windows XP. No luck. This is only happening to some clients, not all. Some are going directly through a cable modem, some through both a router and a cable modem at their home. They can connect to the VPN fine. Has anybody seen this one before?
 
. . . 'They can't do it' . . .

Which can they not do? Can they not access the remote LAN, or can they not browse the internet?

Assuming your problem is the internet, unchecking the 'use default gateway on remote network' is a must. If the VPN connection has been live since the last DHCP lease, you may need to renew the lease to reset the default route (at a command prompt, type 'ipconfig /renew').

Failing that, what kind of errors are you seeing when browsing the internet?

Look at the routing table on the client computer (at a command prompt, type 'route print'). If you need help interpreting the results, post back.

If that looks ok, try a few pings. Try 'ping yahoo.com'. If that doesn't work, try 'ping xxx.xxx.xxx.xxx' a couple of times, once with the IP of the client's ISP gateway, and again with another known IP address somewhere on the internet. Report your results, be specific. Ping always works. It might not give what you want, but the specific messages are not errors, they are information, and the specifics are important in tracing connectivity issues.

Should give you a start. If not, or if I've missed the whole point, post back. If I'm on the right track but you need more assistance, post back with more information, including the results of the pings and the error messages in question.
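The reply above asks the poster to read the routing table and work out where the default route points. As an added example (not from this thread), here is a small Python script that parses a 'route print' dump and reports which interface holds the lowest-metric default route; the addresses and the table itself are constructed for illustration, and the VPN adapter address passed to check_split_tunnel is an assumption.

```python
import ipaddress
import re

# Constructed sample of a Windows 2000 'route print' dump taken while the
# Microsoft VPN client is connected (addresses invented for illustration).
# 192.168.1.10 is the LAN adapter, 10.0.0.50 the VPN (PPP) adapter.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10       2
          0.0.0.0          0.0.0.0        10.0.0.50       10.0.0.50       1
         10.0.0.0        255.0.0.0        10.0.0.50       10.0.0.50       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10       1
Default Gateway:          10.0.0.50
"""

# destination, netmask, gateway, interface, metric
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from the
    'Active Routes' table; header and footer lines do not match."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, ipaddress.IPv4Address(gw),
                       ipaddress.IPv4Address(iface), int(metric)))
    return routes


def default_route(routes):
    """The 0.0.0.0/0 entry with the lowest metric: where internet traffic goes."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    return min(defaults, key=lambda r: r[3]) if defaults else None


def check_split_tunnel(text, vpn_interface_ip):
    """True when internet traffic is still sent out the local gateway rather
    than down the VPN, i.e. 'use default gateway on remote network' is off."""
    default = default_route(parse_routes(text))
    return default is not None and default[2] != ipaddress.IPv4Address(vpn_interface_ip)


if __name__ == "__main__":
    d = default_route(parse_routes(ROUTE_PRINT))
    print("default route via", d[1], "on", d[2], "metric", d[3])
    print("split tunnel in effect:", check_split_tunnel(ROUTE_PRINT, "10.0.0.50"))
```

In the sample the VPN adapter holds the metric-1 default route, so the script reports that all internet traffic is going down the tunnel; the same dump with that line gone reports a split tunnel.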
 
Managed to figure this one out. Realized I didn't have to do split-tunneling. Set the VPN server to route all internet traffic back to our firewall. Our VPN users were still having problems accessing our own company public web servers located on our DMZ (the firewall does not automatically reroute the internet VPN traffic back to the DMZ for this purpose). Had to configure the firewall to bypass IP Spoofing for this purpose so that the users could see and access our company public web servers.
 
Revision to previous fix: The firewall was actually passing all public internet traffic out to an outside router, which then re-routed all of our personal website traffic back to us. The only problem is, the virtual IP addresses for our websites were not successfully routed back, just the public IP addresses for each individual server. Managed to find a workaround by creating an entry in the hosts file on the local machine to map each individual web server's IP address to its web site name (usually mapped to the virtual IP address).
 