
Wednesday, May 12, 2010

How to create Internal routes distributions in Roadwarrior VPN [PPTP]

We have configured a small VPN concentrator on a Cisco 1841, using PPTP and authenticating users against Active Directory via RADIUS. Everything was simple and works great with the exception of one thing: distributing routes for the internal networks.

In Windows Active Directory we configured routes for our users (under the Dial-In tab) and added some routes for our internal networks. But they are not distributed to the clients. Should they be distributed? We are a little confused by this, because on the Cisco we configure only the RADIUS server for authentication; we find it strange that the same server would also be used to distribute routing information.

Does anyone have a Roadwarrior VPN scenario similar to this? How did you solve it?

For VPN connections where only one local network needs to be reached through the VPN, just disable the accept-default-gateway option in the Windows TCP/IP settings and everything works normally.

The real problem is when you need to access multiple network segments behind your VPN tunnel. You can try the following:

Instead of using a local pool in the virtual-template configuration (peer default ip address pool VPN_POOL), use a DHCP pool: peer default ip address dhcp-pool VPN_ROADWARRIORS

So when you connect now, you should receive all the information for your connection from the DHCP pool.

In the DHCP pool, add the option 249 ip entry with the network and gateway. See the RFC for more details.

This basically tells your DHCP clients that the network is reached via the gateway (your VPN gateway's local address), and it then adds a second route to the same gateway for the other network.

The pool should look like this:

dns-server MYDNSSERVER
domain-name MYDOMAIN
option 249 ip
option 121 ip

When a Windows user connects, the client receives its address and, within a few seconds (not instantaneously), learns the routes you defined in the DHCP pool, and it should work perfectly! Internet access should remain via your local gateway, and your internal networks should all go through the VPN tunnel.
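As an added example (not from the original post or from any Cisco documentation): a small Python encoder and decoder for the classless static route payload that options 249 (the Microsoft code Windows clients read) and 121 (RFC 3442) carry, so you can both build the value for the pool and verify what a DHCP server is actually handing out to VPN clients. The two internal networks and the gateway 172.16.0.1 are constructed placeholders, and the dotted-hex rendering for an IOS option line is an assumption to check against your release.

```python
import ipaddress
from typing import List, Tuple

# Both codes carry the same payload layout; Windows clients act on 249.
OPT_MS_CLASSLESS_ROUTES = 249
OPT_RFC3442_CLASSLESS_ROUTES = 121
Route = Tuple[str, str]  # (destination CIDR, gateway)


def encode_classless_routes(routes: List[Route]) -> bytes:
    # Per route: 1 byte prefix length, only the significant destination
    # octets (ceil(prefix/8) of them), then the 4-byte gateway address.
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest)  # strict: rejects host bits in the prefix
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(gw).packed
    if len(out) > 255:
        raise ValueError("route list does not fit in a single 255-byte DHCP option")
    return bytes(out)


def decode_classless_routes(payload: bytes) -> List[Route]:
    # Parse a captured option value back into (CIDR, gateway) pairs,
    # refusing truncated or malformed entries rather than guessing.
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + sig] + b"\x00" * (4 - sig)
        gw = payload[i + sig:i + sig + 4]
        i += sig + 4
        routes.append((str(ipaddress.IPv4Network((dest, plen))),
                       str(ipaddress.IPv4Address(gw))))
    return routes


def ios_hex_string(payload: bytes) -> str:
    # Dotted groups of four hex digits, the form IOS "option <code> hex" lines
    # are commonly written in (assumption: confirm the syntax on your release).
    h = payload.hex()
    return ".".join(h[k:k + 4] for k in range(0, len(h), 4))


# Constructed sample: two internal segments behind the VPN, both reached via
# the VPN gateway's local address 172.16.0.1 (placeholder values).
SAMPLE_ROUTES = [("10.10.0.0/16", "172.16.0.1"), ("192.168.50.0/24", "172.16.0.1")]
```

Running decode_classless_routes over the option 249/121 value seen in a client's DHCP ACK is a quick way to confirm that the routes pushed to roadwarrior clients are exactly the internal segments you intended and nothing else.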

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
