Default Netmask on VPN Client

Discussion in 'Cisco' started by Pete Mainwaring, Feb 19, 2004.

    We have set up a 1710 router as a VPN server as a test prior to
    installing a proper VPN server later this year. Everything works fine
    except...

    When one of our team was working abroad recently, he was connecting to
    the 1710 from a hotel via their ADSL link using the Cisco VPN client
    (v4.0.2(D)). He could attach to our network fine over the VPN, but
    couldn't access anything over the Internet, even though we have
    split-tunnelling enabled. Further investigation showed that the hotel
    network allocated a 10.x.x.x DHCP address and the ip local pool on our
    1710 also allocated a 10. address. The routes on the PC pointed
    everything on the 10. network (10.0.0.0 255.0.0.0) to the VPN tunnel,
    hence the problem connecting to the hotel network when the VPN tunnel
    was enabled.

    I have done some tests back here and found that the PC creates a route
    with the default netmask pointing to the VPN tunnel for whatever class
    of address is in the ip local pool. (I did not use a 10. address on
    the network that the PC is attached to so that the addition of any
    routes would be easier to see).

    PC Routes before VPN enabled:-

    C:\>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 09 6b e3 fc de ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     195.212.6.65    195.212.6.69      20
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
         195.212.6.64  255.255.255.240     195.212.6.69    195.212.6.69      20
         195.212.6.69  255.255.255.255        127.0.0.1       127.0.0.1      20
        195.212.6.255  255.255.255.255     195.212.6.69    195.212.6.69      20
            224.0.0.0        240.0.0.0     195.212.6.69    195.212.6.69      20
      255.255.255.255  255.255.255.255     195.212.6.69    195.212.6.69       1
    Default Gateway:      195.212.6.65
    ===========================================================================
    Persistent Routes:
      None

    PC Routes after VPN enabled:-

    C:\>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 09 6b e3 fc de ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    0xb0004 ...00 05 9a 3c 78 00 .. Cisco Systems VPN Adapter - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     195.212.6.65    195.212.6.69      20
             10.0.0.0        255.0.0.0     10.96.55.129    10.96.55.129      10
            10.96.0.0      255.255.0.0     10.96.55.129    10.96.55.129       1
         10.96.55.129  255.255.255.255        127.0.0.1       127.0.0.1      10
       10.255.255.255  255.255.255.255     10.96.55.129    10.96.55.129      10
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
         195.212.6.64  255.255.255.240     195.212.6.69    195.212.6.69      20
         195.212.6.67  255.255.255.255     195.212.6.69    195.212.6.69       1
         195.212.6.69  255.255.255.255        127.0.0.1       127.0.0.1      20
        195.212.6.255  255.255.255.255     195.212.6.69    195.212.6.69      20
          207.129.0.0      255.255.0.0     10.96.55.129    10.96.55.129       1
            224.0.0.0        240.0.0.0     10.96.55.129    10.96.55.129      10
            224.0.0.0        240.0.0.0     195.212.6.69    195.212.6.69      20
      255.255.255.255  255.255.255.255     10.96.55.129    10.96.55.129       1
      255.255.255.255  255.255.255.255     195.212.6.69    195.212.6.69       1
    Default Gateway:      195.212.6.65
    ===========================================================================
    Persistent Routes:
      None

    The PC was given routes 10.96.0.0 and 207.129.0.0, but also generated
    a route to 10.0.0.0 255.0.0.0 pointing to the VPN tunnel.

    The router config looks like this:-

    ..
    ..
    ..
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration address-pool local dynpool
    !
    crypto isakmp client configuration group vpn-clientgroup
     key 12345678
     pool dynpool
     acl 111
    !
    crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 1
     set transform-set transform-1
    !
    crypto map dynmap isakmp authorization list vpn-clientgroup
    crypto map dynmap client configuration address respond
    crypto map dynmap 1 ipsec-isakmp dynamic dynmap
    !
    ..
    ..
    ..
    !
    interface Ethernet0
     ip address 195.212.6.67 255.255.255.240
     half-duplex
     crypto map dynmap
    !
    interface FastEthernet0
     ip address 10.96.55.12 255.255.255.0
     speed 100
     half-duplex
    !
    ip local pool dynpool 10.96.55.129 10.96.55.190
    ip default-gateway 195.212.6.65
    ip classless
    ip route 0.0.0.0 0.0.0.0 195.212.6.65
    ip route 10.96.0.0 255.255.0.0 10.96.55.9
    ip route 207.129.0.0 255.255.128.0 10.96.55.9
    no ip http server
    ip pim bidir-enable
    !
    ..
    ..
    ..
    access-list 111 permit ip 207.129.0.0 0.0.255.255 10.96.55.128 0.0.0.63
    access-list 111 permit ip 10.96.0.0 0.0.255.255 10.96.55.128 0.0.0.63
    !
    ..
    ..
    ..
    end


    There doesn't seem to be a way of specifying a mask in the ip local
    pool.

    I repeated the test with an ip local pool of 172.31.1.1 172.31.1.10
    and sure enough a route of 172.31.0.0 255.255.0.0 appeared.

    Is there any way of stopping this route with the default mask being
    generated?
    Pete Mainwaring, Feb 19, 2004
    #1
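The behaviour described in the post (a route with the classful default mask appearing for whatever address the pool hands out) can be modelled and checked before a pool is chosen. The following is an added example, not code from the original post or from Cisco: it assumes the classful rule (class A gives /8, class B gives /16, class C gives /24) generalises the two cases observed above (10.96.55.129 gave 10.0.0.0/8, 172.31.1.1 gave 172.31.0.0/16), models Windows route selection as longest prefix match with the lowest metric as tie-breaker, and uses a constructed `route print` excerpt for a laptop on a hotel 10.1.2.0/24 network (the hotel addresses are invented). It parses the route table, finds the unwanted classful route on the VPN adapter, reports whether a candidate pool would overlap a given client subnet, and shows which addresses on the hotel side would be pulled into the tunnel.

```python
"""Model the classful route a legacy VPN client installs for its assigned
pool address and check it against the client's local network.

Added example, not code from the original post. The classful rule
(A -> /8, B -> /16, C -> /24) is an assumption generalising the two
observations in the post; the hotel route table below is constructed.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Classful (A/8, B/16, C/24) network containing addr."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a class A, B or C unicast address")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def pool_overlaps_local(pool_addr: str, local_cidr: str) -> bool:
    """True if the classful route derived from a pool address would cover
    any part of the client's local subnet (the hotel problem in the post)."""
    return classful_network(pool_addr).overlaps(ipaddress.ip_network(local_cidr))


# One row of the 'Active Routes' section of Windows 'route print':
# destination  netmask  gateway  interface  metric
_ROUTE_ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+"
    r"(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$"
)


def parse_route_print(text: str) -> List[Route]:
    """Extract route rows from 'route print' output; other lines are ignored."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_ROW.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def best_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match; lower metric wins among equal prefixes."""
    ip = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if ip in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def classful_tunnel_routes(routes: List[Route], vpn_if: str) -> List[Route]:
    """Routes on the VPN adapter equal to the adapter address's classful
    network, i.e. the default-mask route the post is asking about."""
    wanted = classful_network(vpn_if)
    return [r for r in routes if r.interface == vpn_if and r.network == wanted]


# Constructed excerpt: laptop on a hotel 10.1.2.0/24 network with the VPN
# up; the VPN adapter address 10.96.55.129 is the one from the post.
HOTEL_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.2.1        10.1.2.3      20
         10.0.0.0        255.0.0.0     10.96.55.129    10.96.55.129      10
         10.1.2.0    255.255.255.0         10.1.2.3        10.1.2.3      20
        10.96.0.0      255.255.0.0     10.96.55.129    10.96.55.129       1
      207.129.0.0      255.255.0.0     10.96.55.129    10.96.55.129       1
Default Gateway:          10.1.2.1
"""


def report(route_print: str, vpn_if: str, local_cidr: str, probes: List[str]) -> Dict:
    """Summarise the classful route and which probe addresses enter the tunnel."""
    routes = parse_route_print(route_print)
    into_tunnel = []
    for probe in probes:
        r = best_route(routes, probe)
        if r is not None and r.interface == vpn_if:
            into_tunnel.append(probe)
    return {
        "classful_routes": [str(r.network) for r in classful_tunnel_routes(routes, vpn_if)],
        "pool_overlaps_local": pool_overlaps_local(vpn_if, local_cidr),
        "sent_into_tunnel": sorted(into_tunnel),
    }


if __name__ == "__main__":
    # The hotel gateway stays local (its /24 is more specific), but a hotel
    # DNS server or proxy on another 10.x subnet is captured by 10.0.0.0/8.
    print(report(HOTEL_ROUTE_PRINT, "10.96.55.129", "10.1.2.0/24",
                 ["10.1.2.1", "10.200.0.5", "8.8.8.8"]))
```

The practical use is the `pool_overlaps_local` check: run it against the address ranges your travelling users are likely to sit behind before settling on an `ip local pool` range, since with this client behaviour the whole classful block, not just the pool's /26, ends up pointed at the tunnel.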
