VPN 3005 Configuration Questions

Discussion in 'Cisco' started by Corbin O'Reilly, Sep 25, 2004.

  1. Hello everyone. We are currently using a VPN 3005 for PPTP only. Our subnet
    is 10.1.3.x and the VPN 3005's IP is 10.1.3.100. Remote users use the
    built-in Windows XP PPTP client to connect to the VPN 3005. The VPN 3005 is
    set up to use our Windows 2000 DHCP server to give out client IP addresses.
    We are also using the VPN 3005's internal database for usernames and
    passwords. Once a client logs in he/she gets an IP on the 10.1.3.x subnet
    and everything works great.
    OK, we have now added another subnet to our network, 10.1.2.x. We have two
    Cisco 2620 routers (one on 10.1.2.x and one on 10.1.3.x) routing traffic
    between the two. All 10.1.3.x clients can talk to all 10.1.2.x clients and
    vice versa. All clients can also get out to the internet so everything works
    great.
    Here is where the problem came in. We have always left the box
    "use default gateway on remote network" unchecked in the Windows XP built-in
    VPN client's TCP/IP properties. If it is left unchecked, remote clients can
    connect to machines on the 10.1.3.x subnet only; they cannot talk to the
    10.1.2.x subnet. If we check "use default gateway on remote network" it
    works, but now all of their traffic, including web browsing, passes through
    the VPN connection and not their ISP's gateway. I have put a static route in
    the VPN 3005 explaining how to get to the 10.1.2.x subnet but it did not
    help. I know that I must be missing something in the configuration. What we
    simply want to do is have remote clients be able to access machines on the
    10.1.3.x and 10.1.2.x subnets through the VPN connection and all other
    traffic (like web browsing) go through their ISP's gateway. I would
    appreciate any help. Thanks. Corbin.
    Corbin O'Reilly, Sep 25, 2004
    #1

  2. Corbin O'Reilly

    PES Guest

    You cannot accomplish this easily with the pptp client. If you check the
    box, all traffic will make its way through the concentrator. If you don't
    check the box, the routing table in the pc goes basically unmodified. This
    is viewable from the dos prompt by typing "route print". The only
    alternative to forcing all traffic through is modifying the route table on
    the xp client after the connection using the route add command. If you
    were using the vpn client, you could control the modification of the route
    table using an access control list. You can get very granular this way.
    PES, Sep 25, 2004
    #2

  3. Hi. Thanks for the response. Can the Cisco VPN Client be configured to use
    PPTP? I installed the client earlier but it looks like it only works with
    L2TP/IPSEC connections. I did not see anything in there for PPTP. If I can
    use the Cisco VPN Client for PPTP that would be great. Can you tell me how
    to configure the Cisco VPN Client for a PPTP connection to a VPN 3005?
    Thanks for the help. Corbin.

    Corbin O'Reilly, Sep 25, 2004
    #3
  4. Corbin O'Reilly

    PES Guest

    The VPN client will not do pptp. Why do you prefer pptp to IPSec?
    PES, Sep 25, 2004
    #4
  5. I would really like to use IPSEC and the Cisco VPN client. PPTP pretty much
    worked right out of the box with the VPN 3005 and it was simple to configure
    so we never set up IPSEC. I looked through my VPN 3005 configuration and got
    really confused about setting up IPSEC. Setting it up looks much more
    complicated than PPTP but that is because I have had no prior experience
    with IPSEC. Like I mentioned before, our setup is very simple. People connect
    in from the outside, get authenticated via the VPN 3005's internal user
    database, and get a 10.1.3.x IP from our Windows 2000 DHCP server. Once the
    connection is fully established we want them to have access to the 10.2.1.x
    and 10.1.3.x subnets. If there is a simple way to set up IPSEC on the VPN
    3005 to accomplish what we want I would really appreciate the help. I have
    two questions. 1. If I set this up successfully the VPN 3005 will be able to
    accept both PPTP and IPSEC connections simultaneously, correct? 2. If we use
    the Cisco VPN client with IPSEC would traffic pass through the tunnel faster
    than it does with the Windows PPTP client? Thanks again. Corbin.

    Corbin O'Reilly, Sep 25, 2004
    #5
  6. Corbin O'Reilly

    PES Guest

    "Corbin O'Reilly" <> wrote in message
    news:vdl5d.199343$%...
    > I would really like to use IPSEC and the Cisco VPN client. PPTP pretty much
    > worked right out of the box with the VPN 3005 and it was simple to
    > configure so we never set up IPSEC. I looked through my VPN 3005
    > configuration and got really confused about setting up IPSEC. Setting it up
    > looks much more complicated than PPTP but that is because I have had no
    > prior experience with IPSEC. Like I mentioned before, our setup is very
    > simple. People connect in from the outside, get authenticated via the VPN
    > 3005's internal user database, and get a 10.1.3.x IP from our Windows 2000
    > DHCP server. Once the connection is fully established we want them to have
    > access to the 10.2.1.x and 10.1.3.x subnets.


    You could add the route to the 10.2.1.x subnet with a route add statement
    on the clients. You could even likely use the persistent option.

    route add 10.2.1.0 mask 255.255.255.0 10.1.3.a -p

    a=the router's ip on 10.1.3.x that will route to 10.2.1.x

    This would allow the clients direct access to the internet and give them
    connectivity to 10.2.1.x. I will mention that an increasing number of
    security policies explicitly forbid this. This is due to the fact that
    there is no control over the client pc. For all you know, it has no
    firewall and someone could be controlling it remotely (after the pptp
    connection) via back orifice, netbus. Or it could contract an smb based
    worm like blaster. This limitation is not fixed by ipsec. With ipsec vpn
    client, you can push down the route entries and administratively control
    whether or not this happens.

    > If there is a simple way to set up IPSEC on the VPN 3005 to accomplish what
    > we want I would really appreciate the help. I have two questions.


    I have more experience with the pix and router, but the concentrator seems
    very user friendly. I don't think the configuration will be very difficult.

    > 1. If I set this up successfully the VPN 3005 will be able to accept both
    > PPTP and IPSEC connections simultaneously, correct?


    Yes, as far as I know, there are no issues with this.

    > 2. If we use the Cisco VPN client with IPSEC would traffic pass through
    > the tunnel faster than it does with the Windows PPTP client? Thanks again.
    > Corbin.


    The difference in speed is likely negligible either way. If you are
    currently using 40 bit or no encryption on pptp, 3des ipsec would likely be
    a bit slower. In any case, I typically recommend 168bit 3des, unless the
    information being exchanged already has its own encryption.

    PES, Sep 25, 2004
    #6
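
The routing behaviour described in posts #2 and #6, as an added example that is not part of the thread: a longest-prefix-match lookup over three route tables (box unchecked, box checked, box unchecked plus the `route add` entry), with a check that flags when corporate subnets are reached through the tunnel while internet traffic bypasses it. The route tables, the client and ISP addresses, and the router address 10.1.3.1 (standing in for 10.1.3.a) are constructed to mirror what the thread reports, not captured from a real client. The second subnet is taken as 10.1.2.0/24, as in the first post; the prefix given to `route add` has to match the real subnet.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse XP-style 'Active Routes' rows of `route print`
    (destination, netmask, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header, separator or blank line
        try:
            dest = ipaddress.IPv4Network(f"{fields[0]}/{fields[1]}")
            ipaddress.IPv4Address(fields[2])
            ipaddress.IPv4Address(fields[3])
            metric = int(fields[4])
        except ValueError:
            continue  # not a route row
        routes.append(Route(dest, fields[2], fields[3], metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Pick the route the IP stack would use: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.dest]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.dest.prefixlen, -r.metric))


INTERNET_PROBE = "198.51.100.7"  # documentation address standing in for "the internet"


def audit(routes: List[Route], tunnel_if: str, corporate: List[str]) -> Dict:
    """Report which traffic enters the tunnel and whether the client is split-tunnelled."""
    internet = lookup(routes, INTERNET_PROBE)
    internet_via_tunnel = internet is not None and internet.interface == tunnel_if
    corp = {}
    for net in corporate:
        host = str(ipaddress.IPv4Network(net).network_address + 20)
        chosen = lookup(routes, host)
        corp[net] = chosen is not None and chosen.interface == tunnel_if
    return {
        "internet_via_tunnel": internet_via_tunnel,
        "corporate_via_tunnel": corp,
        # The condition post #6 says many security policies forbid:
        # the PC talks to the corporate LAN and directly to the internet at once.
        "split_tunnel": any(corp.values()) and not internet_via_tunnel,
    }


# --- constructed sample data (assumptions, not taken from a real client) ---
TUNNEL_IF = "10.1.3.50"   # address the client received over PPTP
CORPORATE = ["10.1.3.0/24", "10.1.2.0/24"]

HEADER = "Network Destination        Netmask          Gateway       Interface  Metric"
ISP_DEFAULT = "0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 20"
ISP_DEFAULT_DEMOTED = "0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 21"
LOCAL_LAN = "192.168.0.0 255.255.255.0 192.168.0.10 192.168.0.10 20"
TUNNEL_NET = "10.1.3.0 255.255.255.0 10.1.3.50 10.1.3.50 1"
TUNNEL_DEFAULT = "0.0.0.0 0.0.0.0 10.1.3.50 10.1.3.50 1"
# Row produced by: route add 10.1.2.0 mask 255.255.255.0 10.1.3.1
STATIC = "10.1.2.0 255.255.255.0 10.1.3.1 10.1.3.50 1"


def table(*rows: str) -> List[Route]:
    return parse_route_print("\n".join((HEADER,) + rows))


UNCHECKED = table(ISP_DEFAULT, LOCAL_LAN, TUNNEL_NET)
CHECKED = table(TUNNEL_DEFAULT, ISP_DEFAULT_DEMOTED, LOCAL_LAN, TUNNEL_NET)
WITH_STATIC = table(ISP_DEFAULT, LOCAL_LAN, TUNNEL_NET, STATIC)

if __name__ == "__main__":
    for name, routes in (("box unchecked", UNCHECKED),
                         ("box checked", CHECKED),
                         ("unchecked + route add", WITH_STATIC)):
        print(name, audit(routes, TUNNEL_IF, CORPORATE))
```
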
  7. Corbin O'Reilly

    PES Guest

    I found this step by step. I didn't have time to read it through and
    through, but it may get you started. http://tinyurl.com/6x2co

    PES, Sep 25, 2004
    #7
  8. Thanks PES. I will give it a shot.

    "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in message
    news:4155e7de$...
    >I found this step by step. I didn't have time to read it through and
    >through, but it may get you started. http://tinyurl.com/6x2co
    >
    > "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in
    > message news:...
    >>
    >> "Corbin O'Reilly" <> wrote in message
    >> news:vdl5d.199343$%...
    >>>I would really like to use IPSEC and the Cisco VPN client. PPTP pretty
    >>>much worked right out of the box with the VPN 3005 and it was simple to
    >>>configure so we never setup IPSEC. I looked through my VPN 3005
    >>>configuration and got really confused about setting up IPSEC. Setting it
    >>>up looks much more complicated than PPTP but that is because I have had
    >>>no prior experience with IPSEC. Like I mentioned before our setup is very
    >>>simple. People connect in from the outside, get authenticated via the VPN
    >>>3005's internal user database, and get an 10.1.3.x IP from our Windows
    >>>2000 DHCP server.Once the connection is fully established we want them to
    >>>have access to the 10.2.1.x and 10.1.3.x subnets.

    >>
    >> You could add the route to the 10.2.1.x subnet with a route add
    >> statement on the clients. You could even likely use the persistant
    >> option.
    >>
    >> route add 10.2.1.0 mask 255.255.255.0 10.1.3.a -p
    >>
    >> a=the router's ip on 10.1.3.x that will route to 10.2.1.x
    >>
    >> This would allow the clients direct access to the internet and give them
    >> connectivity to 10.2.1.x. I will mention that an increasing number of
    >> security policies explicitly forbid this. This is due to the fact that
    >> there is no control over the client pc. For all you know, it has no
    >> firewall and someone could be controlling it remotely (after the pptp
    >> connection) via back orifice, netbus. Or it could contract an smb based
    >> worm like blaster. This limitation is not fixed by ipsec. With ipsec
    >> vpn client, you can push down the route entries and administratively
    >> control whether or not this happens.
    >>
    >>> If there is a simple way to setup IPSEC on the VPN 3005 to accomplish
    >>> what we want I would really appreciate the help. I have two questions.

    >>
    >> I have more experience with the pix and router, but the concentrator
    >> seems very user friendly. I don't think the configuration will be very
    >> difficult.
    >>
    >>> 1. If I set this up successfully the VPN 3005 will be able to accept
    >>> both PPTP and IPSEC connections simultaneously, correct?

    >>
    >> Yes, as far as I know, there are no issues with this.
    >>
    >>> 2. If we use the Cisco VPN client with IPSEC would traffic pass through
    >>> the tunnel faster than it does with the Windows PPTP client? Thanks
    >>> again. Corbin.

    >>
    >> The difference in speed is likely negligible either way. If you are
    >> currently using 40 bit or no encryption on pptp, 3des ipsec would likely
    >> be a bit slower. In any case, I typically recommend 168bit 3des, unless
    >> the information being exchanged already has its own encryption.
    >>
    >>>
    >>> "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in
    >>> message news:41557f22$...
    >>>>
    >>>> "Corbin O'Reilly" <> wrote in message
    >>>> news:RVd5d.198183$%...
    >>>>> Hi. Thanks for the response. Can the Cisco VPN Client be configured to
    >>>>> use PPTP? I installed the client earlier but it looks like it only
    >>>>> works with L2TP/IPSEC connections. I did not see anything in there for
    >>>>> PPTP. If I can use the Cisco VPN Client for PPTP that would be great.
    >>>>> Can you tell me how to configure the Cisco VPN Client for a PPTP
    >>>>> connection to a VPN 3005? Thanks for the help. Corbin.
    >>>>
    >>>> The VPN client will not do pptp. Why do you prefer pptp to IPSec?
    >>>>>
    >>>>> "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in
    >>>>> message news:415558e9$...
    >>>>>>
    >>>>>> "Corbin O'Reilly" <> wrote in message
    >>>>>> news:VG55d.4124$...
    >>>>>>> Hello everyone. We are currently using a VPN 3005 for PPTP only. Our
    >>>>>>> subnet is 10.1.3.x and the VPN 3005's IP is 10.1.3.100. Remote users
    >>>>>>> use the built in Windows XP PPTP client to connect to the VPN 3005.
    >>>>>>> The VPN 3005 is setup to use our Windows 2000 DHCP server to give
    >>>>>>> out client IP addresses. We are also using the VPN 3005's internal
    >>>>>>> database for usernames and passwords. Once a client logs in he/she
    >>>>>>> gets an IP on the 10.1.3.x subnet and everything works great.
    >>>>>>> OK we have now added another subnet to our network, 10.1.2.x. We have
    >>>>>>> two Cisco 2620 routers (one on 10.1.2.x and one on 10.1.3.x) routing
    >>>>>>> traffic between the two. All 10.1.3.x clients can talk to all
    >>>>>>> 10.1.2.x clients and vice-versa. All clients can also get out to the
    >>>>>>> internet so everything works great.
    >>>>>>> Here is where the problem came in. We have always left the box
    >>>>>>> unchecked "use default gateway on remote network" in the Windows XP
    >>>>>>> built-in VPN client's TCP/IP properties. If it is left unchecked
    >>>>>>> remote clients can connect to machines on the 10.1.3.x subnet only,
    >>>>>>> they can not talk to the 10.1.2.x subnet. If we check the "use
    >>>>>>> default gateway on remote network" it works but now all of their
    >>>>>>> traffic including web browsing passes through the VPN connection and
    >>>>>>> not their ISP's gateway. I have put a static route in the VPN 3005
    >>>>>>> explaining how to get to 10.1.2.x subnet but it did not help. I know
    >>>>>>> that I must be missing something in the configuration. What we
    >>>>>>> simply want to do is have remote clients be able to access machines
    >>>>>>> on the 10.1.3.x and 10.1.2.x subnets through the VPN connection and
    >>>>>>> all other traffic (like web browsing) go through their ISP's
    >>>>>>> gateway. I would appreciate any help. Thanks. Corbin.
    >>>>>>>
    >>>>>>>
    >>>>>> You cannot accomplish this easily with the pptp client. If you check
    >>>>>> the box, all traffic will make its way through the concentrator. If
    >>>>>> you don't check the box, the routing table in the pc goes basically
    >>>>>> unmodified. This is viewable from the dos prompt by typing "route
    >>>>>> print". The only alternative to forcing all traffic through is
    >>>>>> modifying the route table on the xp client after the connection
    >>>>>> using the route add command. If you were using the vpn client, you
    >>>>>> could control the modification of the route table using an access
    >>>>>> control list. You can get very granular this way.
    >>>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>

    >>
    >>

    >
    >
    Corbin O'Reilly, Sep 29, 2004
    #8
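
Added example, not part of any post in the thread: a small longest-prefix-match model of the three client routing states discussed above (gateway box unchecked, box checked, box unchecked plus a manual `route add`), with a check that flags split tunneling as the policy concern raised in the reply. The route tables are constructed and simplified, the interface names and the 198.51.100.7 test address are assumptions, and the second subnet is taken as 10.1.2.0/24 from the original question.

```python
import ipaddress

# Constructed, simplified client routing tables (not captured "route print"
# output). Each entry is (destination prefix, egress interface).
ISP, VPN = "isp", "pptp"

# "Use default gateway on remote network" left unchecked.
UNCHECKED = [("0.0.0.0/0", ISP), ("10.1.3.0/24", VPN)]
# Box checked: the default route points into the tunnel.
CHECKED = [("0.0.0.0/0", VPN), ("10.1.3.0/24", VPN)]
# Box unchecked plus a manual route for the second internal subnet.
ROUTE_ADDED = UNCHECKED + [("10.1.2.0/24", VPN)]

# Stand-in for an arbitrary internet host (documentation address range).
INTERNET_HOST = "198.51.100.7"


def egress(table, dest):
    """Return the interface chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_split_tunnel(table):
    """True when the VPN carries some routes but internet traffic bypasses it."""
    uses_vpn = any(iface == VPN for _, iface in table)
    return uses_vpn and egress(table, INTERNET_HOST) != VPN


def report(table):
    """Map each destination of interest to the interface it would leave on."""
    dests = ("10.1.3.25", "10.1.2.25", INTERNET_HOST)
    return {d: egress(table, d) for d in dests}


if __name__ == "__main__":
    for name, table in (("unchecked", UNCHECKED), ("checked", CHECKED),
                        ("route added", ROUTE_ADDED)):
        print(name, report(table), "split tunnel:", is_split_tunnel(table))
```
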