Wednesday, May 12, 2010
How to create Internal routes distributions in Roadwarrior VPN [PPTP]
We have configured a small VPN concentrator on a Cisco 1841, using PPTP and authenticating users against Active Directory via RADIUS. Everything was simple and works great, with the exception of one thing: distributing routes for the internal networks.
In Windows Active Directory we configured routes for our users (under the Dial In tab) and added some routes for our internal networks. But they are not distributed to the clients. Should they be distributed? We are a little confused by this, because on the Cisco we configure only the RADIUS server for authentication; we find it strange that the same server would be used to distribute other information, like routing information, to the clients.
Does anyone have a Roadwarrior VPN scenario similar to this? How did you solve it?
For VPN connections with only one local network to be accessed through the VPN, under Windows just disable the accept-default-gateway option in the TCP/IP settings and everything works normally.
The real problem is when you need to access multiple network segments behind your VPN tunnel. You can try the following:
Instead of using a local pool in the virtual-template configuration (peer default ip address pool VPN_POOL), use a DHCP pool: peer default ip address dhcp-pool VPN_ROADWARRIORS
So when you connect now, you should receive all the information for your connection from the DHCP pool.
In the DHCP pool add option 249 ip 24.192.168.6 192.168.252.254 24.192.168.2 192.168.252.254. For details see RFC 3442 (the classless static route option, code 121; code 249 is the Microsoft pre-standard equivalent that older Windows clients request).
This basically tells your DHCP clients that network 192.168.6.0/24 is reached via gateway 192.168.252.254 (your VPN gateway's local address) and then adds a second route to the same gateway for network 192.168.2.0/24. The dotted quads are the RFC 3442 encoding written the way IOS accepts it: the first octet (24) is the prefix length, the next three are the significant octets of the network, and the following quad is the next hop.
The pool should look like this:
ip dhcp pool VPN_ROADWARRIORS
 network 192.168.252.0 255.255.255.0
 option 249 ip 24.192.168.6 192.168.252.254 24.192.168.2 192.168.252.254
 option 121 ip 24.192.168.6 192.168.252.254 24.192.168.2 192.168.252.254
When a Windows user connects, it receives the address and within a few seconds (not instantaneously) learns the routes you defined in the DHCP pool, and it should work perfectly! Internet access remains via your local gateway, and traffic for your internal networks goes through the VPN tunnel.
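To check what the option 121/249 lines above actually put on the wire, here is an added Python example (not from the original post or from any Cisco tool) that encodes and decodes the RFC 3442 classless static route payload and renders it as IOS pool lines. The sample routes are constructed from the post's values (192.168.6.0/24 and 192.168.2.0/24 via 192.168.252.254); the function names are hypothetical, and the "option <code> hex" line is an assumed IOS syntax for carrying routes whose prefix length is not in the 17..24 range that the dotted-quad "ip" form can express.

```python
import ipaddress
from typing import List, Optional, Tuple

# (destination network in CIDR form, next-hop router) pairs.
Route = Tuple[str, str]

# Constructed sample matching the post: two /24 networks behind the
# VPN gateway's local address 192.168.252.254.
ROADWARRIOR_ROUTES: List[Route] = [
    ("192.168.6.0/24", "192.168.252.254"),
    ("192.168.2.0/24", "192.168.252.254"),
]


def encode_classless_routes(routes: List[Route]) -> bytes:
    """RFC 3442 encoding: per route, one byte of prefix length, then only the
    significant octets of the destination, then the 4-byte next hop."""
    payload = bytearray()
    for dest, nexthop in routes:
        # strict=True rejects a host address such as 192.168.6.1/24
        net = ipaddress.IPv4Network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(nexthop).packed
    return bytes(payload)


def decode_classless_routes(payload: bytes) -> List[Route]:
    """Inverse of encode_classless_routes; rejects truncated or malformed data
    instead of silently installing a partial route list."""
    routes: List[Route] = []
    pos = 0
    while pos < len(payload):
        prefixlen = payload[pos]
        pos += 1
        if prefixlen > 32:
            raise ValueError(f"bad prefix length {prefixlen} at offset {pos - 1}")
        significant = (prefixlen + 7) // 8
        if pos + significant + 4 > len(payload):
            raise ValueError("truncated classless static route option")
        net_bytes = payload[pos:pos + significant] + b"\x00" * (4 - significant)
        pos += significant
        nexthop = ipaddress.IPv4Address(payload[pos:pos + 4])
        pos += 4
        # strict=False tolerates a sender that left host bits set
        net = ipaddress.IPv4Network((net_bytes, prefixlen), strict=False)
        routes.append((str(net), str(nexthop)))
    return routes


def ios_option_lines(routes: List[Route], code: int = 121) -> Tuple[str, Optional[str]]:
    """Render the payload as 'ip dhcp pool' option lines (hypothetical helper;
    the 'hex' form is an assumed IOS syntax).

    The 'ip' form works only when every route encodes to exactly 8 bytes
    (prefix lengths 17..24), because IOS emits one raw dotted quad per 4 bytes
    of payload. Otherwise only the 'hex' form can carry the routes."""
    payload = encode_classless_routes(routes)
    hex_line = f"option {code} hex {payload.hex().upper()}"
    ip_line: Optional[str] = None
    if routes and all(17 <= ipaddress.IPv4Network(d).prefixlen <= 24 for d, _ in routes):
        quads = " ".join(
            str(ipaddress.IPv4Address(payload[i:i + 4]))
            for i in range(0, len(payload), 4)
        )
        ip_line = f"option {code} ip {quads}"
    return hex_line, ip_line


if __name__ == "__main__":
    for line in ios_option_lines(ROADWARRIOR_ROUTES):
        print(line)
    # Round trip: decode what a client would receive and compare with the intent.
    print(decode_classless_routes(encode_classless_routes(ROADWARRIOR_ROUTES)))
```

Running it reproduces the two option lines from the pool above, and the decoder gives a quick way to sanity-check a captured DHCP offer: a route list that decodes to something other than the networks you meant to push (a /0 default route, for instance, which would pull all client traffic into the tunnel) is a misconfiguration worth catching before roadwarriors connect.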
Citation - This blog post does not reflect original content from the author. Rather, it summarizes content relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.