
HELP: Need AUTOMATIC custom routing in PPTP VPN connections

Status
Not open for further replies.

crenner (IS-IT--Management, US), Sep 14, 2006
I manage IT for a small corporation with several offices and several employees who work from home.

One of my sales staff has a laptop which they use from home, and connects to the office using a Microsoft PPTP VPN connection over her regular broadband internet connection.

For her own sanity, she DOES NOT use the VPN connection as the default gateway. This way, her office traffic goes through the VPN, and all other internet traffic goes through her regular internet connection.

Since no route to the office LAN is automatically created over the VPN, I have given her a batch file to run that will automatically create a route to the office LAN over her VPN via the new IP she was issued on the VPN connection. The batch file figures out which IP is the VPN connection, and sets a custom route for the office subnet through that IP.

The problem:

Her PPTP connection drops frequently. The custom routes are automatically removed each time. Setting a static or persistent route would not work, as the IP address assigned via PPTP varies. I cannot set an automatic "redial", as upon connection, I need the route to be reestablished via the batch file. Microsoft DUN allows scripts to be run for PPP dial-up connections, but apparently not for PPTP.

How do I AUTOMATICALLY create a custom route every time she connects, so I can take advantage of automatic "redial"? My batch file works, but I have no current way of making it automatically execute upon a VPN connection.

More detail:

Her laptop is running Windows XP Professional.

Every time she connects to the office via PPTP, she is assigned an IP such as 192.168.30.2. The last octet is dynamic, which means it might change every time she reconnects. The office LAN consists of a private Class C subnet like 192.168.40.0/255.255.255.0.

So every time she connects, she has to manually run the batch file I gave her, which reads the routing table (route print), finds the 192.168.30 address, and sets a custom route with the route add command. So in the example above, the batch file would run the following command upon completion:
route add 192.168.40.0 mask 255.255.255.0 192.168.30.2

If she is dropped, and has to reconnect, she might be assigned the address 192.168.30.1. Then when she runs the batch file again, it will execute:
route add 192.168.40.0 mask 255.255.255.0 192.168.30.1

This example does not reveal my real private IPs or subnets, but the premise is the same.
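For anyone following along, here is the logic of that batch file reimplemented in Python as an added example (this is not crenner's batch file and not anything from Microsoft). It assumes the XP-style `route print` table layout shown in the constructed sample below and the example addresses from the post (VPN pool 192.168.30.0/24, office LAN 192.168.40.0/24). It also adds the check the reconnect scenario needs: it only emits a `route add` when the tunnel is up and the LAN route is not already pointing at the current VPN address.

```python
import ipaddress

# Addresses taken from the post's worked example (not the real networks)
VPN_POOL = ipaddress.ip_network("192.168.30.0/24")    # pool the PPTP server hands out
OFFICE_LAN = ipaddress.ip_network("192.168.40.0/24")  # office subnet to reach over the tunnel

# Constructed sample of `route print` output from a Windows XP client whose
# PPTP link is up as 192.168.30.2 and whose broadband NIC is 192.168.1.10.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.10     192.168.1.10     20
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1     20
     192.168.30.0    255.255.255.0     192.168.30.2     192.168.30.2      1
     192.168.30.2  255.255.255.255        127.0.0.1       127.0.0.1     50
   192.168.30.255  255.255.255.255     192.168.30.2     192.168.30.2     50
        224.0.0.0        240.0.0.0     192.168.1.10     192.168.1.10     20
  255.255.255.255  255.255.255.255     192.168.1.10     192.168.1.10      1
Default Gateway:       192.168.1.1
===========================================================================
"""


def parse_active_routes(text):
    """Pick the 5-column route rows out of `route print` output.

    Header, separator and 'Default Gateway:' lines do not have exactly four
    IPv4 fields plus a metric, so they are skipped without special-casing.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            dest, mask, gateway, iface = (ipaddress.ip_address(p) for p in parts[:4])
            metric = int(parts[4])
        except ValueError:
            continue
        rows.append({"dest": dest, "mask": mask, "gateway": gateway,
                     "interface": iface, "metric": metric})
    return rows


def find_vpn_address(rows, pool=VPN_POOL):
    """Return the address the PPTP server assigned, or None if the tunnel is down.

    The tunnel's own routes have gateway == interface (directly connected), and
    the interface address falls inside the server's pool.
    """
    for r in rows:
        if r["interface"] in pool and r["gateway"] == r["interface"]:
            return r["interface"]
    return None


def lan_route_is_current(rows, vpn_ip, lan=OFFICE_LAN):
    """True if the office LAN is already routed via the current VPN address."""
    return any(r["dest"] == lan.network_address and r["mask"] == lan.netmask
               and r["gateway"] == vpn_ip for r in rows)


def build_route_add(vpn_ip, lan=OFFICE_LAN):
    """The exact command the post's batch file ends with."""
    return f"route add {lan.network_address} mask {lan.netmask} {vpn_ip}"


def route_command_from_route_print(text, pool=VPN_POOL, lan=OFFICE_LAN):
    """Return the `route add` to run, or None if the VPN is down or the route
    is already correct (nothing to do after a clean reconnect)."""
    rows = parse_active_routes(text)
    vpn_ip = find_vpn_address(rows, pool)
    if vpn_ip is None or lan_route_is_current(rows, vpn_ip, lan):
        return None
    return build_route_add(vpn_ip, lan)


if __name__ == "__main__":
    # On a real XP box you would feed it: subprocess.check_output(["route", "print"])
    print(route_command_from_route_print(SAMPLE_ROUTE_PRINT))
```

On the sample table this prints `route add 192.168.40.0 mask 255.255.255.0 192.168.30.2`; once that route is in the table the function returns None, and if the tunnel comes back as 192.168.30.1 it emits the command with the new address.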
 
The Microsoft VPN client will add a route to the server side network automatically under certain circumstances. There is no way for the client to determine the network topology on the server side, but if a private IP is assigned to the connection it is assumed that the server side is using the same network address and the appropriate subnet.

Using your example, the client should be adding a route to 192.168.30.0 with a 255.255.255.0 mask via the VPN. This obviously does not help you, as the routed network does not exist on the server side. The easiest solution is to take a block of IPs from the server network and assign them to the VPN connection.
 
You make a valid point. The Microsoft VPN client does automatically create a route for the client, but it is based on the assumed class of the IP address. So, when the Microsoft VPN client connects as 192.168.30.2 (a class C private IP), it automatically creates a route for 192.168.30.0/255.255.255.0 through 192.168.30.2.

By the same token, if the VPN client is assigned an address of 10.215.55.36 (a Class A private IP), it automatically creates a route for 10.0.0.0/255.0.0.0 through 10.215.55.36.

You have stated that "the easiest solution is to take a block of IPs from the server network and assign them to the VPN connection."

Are you suggesting that if my remote network is 192.168.40.0/255.255.255.0, that I have the DHCP server for the office lan only issue IPs from one segment of that network (say 192.168.40.0/255.255.255.128), and have the PPTP server (with its own DHCP) only issue IPs from another segment of the same network (say 192.168.40.128/255.255.255.128)?

Unfortunately, this is probably not an option for me. I explain why below.

This article on configuring a PPTP VPN server is helpful. Option 1 on that page is exactly what you are suggesting (I believe), where option 2 is what I am using. I used to be using option 3, but I intentionally changed that, as it was causing me issues when connecting to more than one VPN.

My addresses on my remote network are actually Class A private addresses like 10.215.55.35 . So if I take option 1, and set an address pool like 10.215.55.128, the Microsoft VPN client will assume I want a Class A private subnet, and route ALL 10.0.0.0/255.0.0.0 IPs to the new VPN connection.

This is undesired behavior, and will cause me other problems. I COULD change my private subnet for my LAN to Class C private IPs, but this would take me hours or days to reconfigure all my workstations, static IPs, DNS servers, etc. I also have some support software I have issued to clients that is dependent on SSH tunnels to fixed IP addresses inside my LAN.

Assigning addresses from my LAN to the PPTP connection is not really an option for me, because of the way the Microsoft VPN client creates routes upon connection (based on the class of the IP assigned), and because changing my LAN subnet would break client solutions.

I still believe I need a scriptable or programmable (and automatic) way to make a Microsoft workstation create custom routes when a VPN connection is successful.

I do have access to many programming tools, so scripts, Windows API calls, and program code are acceptable parts of a solution.

Thank you VERY much for your response. It's got me going over my pptpd configuration with a fine-tooth comb to see if there is a server-side way of handling this.
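To make the classful behaviour described in this post concrete, here is an added Python example (not the poster's code, and not Microsoft's) that computes the route the client would add on its own for a given assigned address and checks it against the office LAN. Classes A and C follow the two cases stated above; treating 128-191 as a /16 is the same classful rule extended to class B, which is my assumption rather than something the thread states. The LAN and pool addresses are the post's example values.

```python
import ipaddress

# The poster's (example) office LAN: class A private space
OFFICE_LAN = ipaddress.ip_network("10.215.55.0/24")


def classful_prefix(ip):
    """Prefix length of the classful network an IPv4 address belongs to.

    0-127 -> /8 (class A), 192-223 -> /24 (class C) as the post describes;
    128-191 -> /16 (class B) is the same rule applied to class B (assumed).
    """
    first = int(ip) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{ip} is not a class A, B or C unicast address")


def auto_route(assigned):
    """Network the VPN client is expected to route via the tunnel on its own
    when the VPN is not the default gateway."""
    ip = ipaddress.ip_address(assigned)
    return ipaddress.ip_network(f"{ip}/{classful_prefix(ip)}", strict=False)


def evaluate_pool(assigned, lan=OFFICE_LAN):
    """Does the automatic route reach the LAN, and how much unrelated address
    space would it also send down the tunnel?"""
    net = auto_route(assigned)
    covers = lan.subnet_of(net)
    extra = net.num_addresses - lan.num_addresses if covers else 0
    return {"auto_route": str(net), "covers_lan": covers, "extra_addresses": extra}


if __name__ == "__main__":
    # Option 2 from the thread: pool outside the LAN, no automatic path to it
    print(evaluate_pool("192.168.30.2", ipaddress.ip_network("192.168.40.0/24")))
    # Option 1 with a class A LAN: reaches the LAN, but drags all of 10/8 along
    print(evaluate_pool("10.215.55.130"))
```

The second call reports an automatic route of 10.0.0.0/8 that does cover 10.215.55.0/24 but also captures 16,776,960 addresses that have nothing to do with the office, which is exactly the objection raised above.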
 
The other, slightly more complicated solution is the Microsoft Connection Manager Administration Kit (CMAK). CMAK will allow you to create "connectoids" that you can distribute to your VPN clients. The connectoids can include advanced features such as running a script/program before or after the connection is created and routing table modifications based upon the IP assigned to the connection. The last part should get you fixed up. See and
CMAK is part of adminpak.msi, which comes with Windows server 2000 or 2003. The 2000 version will run on (but does not come with) 2000 Pro, 2003 version will run on (but does not come with) XP Pro. There is a way to get either without the server version, but I haven't done it for a while so I would need to search my notes. If you need instructions on how to get one of these, post back which you have available to you (XP or 2K) and I will dig around a bit.
 
Well, I got curious myself and had to look for somewhere else that I had posted info about adminpak.msi.

You can directly download adminpak.msi for 2003, which will run on XP but not 2000. See
adminpak.msi for 2000 is a bit more difficult. You must download W2K SP4 network version
Begin the installation on a W2K machine. Proceed until after the components have been extracted, but go no farther. Find the folder that the components were extracted to and copy adminpak.msi to another location. Cancel SP4 install (unless you need to do it anyway). The rest of the XP instructions apply for the most part, but the 2K version lacks some of the functionality of the 2K3 version. Both will let you deal with the routing situation.
 
I have thought about this a bit more, and I really don't see any reason this could not be made to work simply by changing the IP addresses assigned to your PPTP connection. No need to change anything on any other device on your network.

Using your example of a 10.215.55.0 network, if traffic for 10.216.55.0 coming across the connection would be a problem, this could very easily be handled with two firewall rules:

iptables -A INPUT -i ppp+ -d 10.215.55.0/24 -j ACCEPT
iptables -A INPUT -i ppp+ -j DROP

These would be inserted early in the ruleset. The first accepts any traffic from the ppp interfaces (the + is a wildcard that matches all) for the 10.215.55 network. All VPN traffic comes in on a ppp interface instead of the eth interface that the VPN connection is made to. The second rule drops all VPN traffic that comes in on the ppp interface.

 
Wow! That's impressive. I cannot believe that you found the installer for the adminpak.msi in the extracted (uninstalled) W2K SP4 network installer. I already had this download, but had never thought to look there! I also was completely unaware of the CMAK!

Thank you very much for the valuable insight.

The firewall example is also a great idea, but may be harder to convey to other administrators of my servers with less networking experience than me.

The client-side solution is definitely what I am looking for. I'm going to get started with the CMAK right away!
 
Wow! That was a lot of work!

You gave me a great starting point with all your links to documentation and resources.

I managed to use the Win2K CMAK (from the Win2K SP4 network install - like you suggested), along with the online documentation for the CMAK (also like you suggested), a lot of really tricky batch file skills, and reg.exe for Windows 2000 from the Windows 2000 Resource Kit Tools (available in \SUPPORT\TOOLS on the Windows 2000 Professional CD-ROM).

It's working, though.

Part of what was tricky was figuring out where the files were being installed for the end-user, and setting the directory accordingly for my batch files to execute. I did this with reg.exe, and the following code (modified from examples on to read the location of the Connection Manager Profiles from the registry, and use it to change the directory to where the installed files exist:
Code:
@ECHO OFF
:: Set the Profile environmental variable to be the ShortName of the Connection Manager Profile installed
SET Profile=OFFVPN
:: Be careful what text editor you use
:: delims MUST BE a TAB followed by a space
FOR /F "tokens=2* delims=	 " %%A IN ('REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%Profile%" /v UninstallDir') DO SET CmDir=%%B\%Profile%
ECHO.
ECHO Changing Directory to %CmDir% ...
cd %CmDir%
ECHO.

So basically, I had to add the above code to my already existing batch file that reads the routing table and sets the custom route. I then put that batch file and its dependencies (including reg.exe) into the list of files to install with my Connection Manager Profile, and set my batch file to execute after a successful connection.

I also had to do a lot of tweaking to the CMS file in the profile, but that is reasonably well documented in the CMAK docs.
 