10-21-2004, 12:10 PM | #1
Junkie
VPN broadband vs. dial-up
I have set up a VPN at work using RRAS. So far it works fine with the following exception:
When I dial up (Bellsouth ISP) and establish a connection to the VPN, everything works the way it should, i.e. if I go to Start->Run and type \\servername I go to the correct server. If I ping "servername" it resolves to the internal network's IP address. If I drop the VPN connection and ping "servername" it resolves to the EXTERNAL IP address. So far so good.

When I use a broadband connection (cable or DSL, always on, NOT PPPoE) and establish a VPN connection it doesn't work the same way. If I go to Start->Run and type \\servername I get nothing. If I ping "servername" I get nothing. If I ping the FQDN ("servername.company.com") I get the EXTERNAL address whether I have the VPN connected or not. This is with the same client machine, by the way.

I don't think it's really a DNS issue, but rather how M$'s VPN software interprets how the initial ISP connection is established. M$ VPN seems to be tied to the whole "dial-up" concept. I'm assuming it tries the VPN connection first and if the address does not resolve it goes out the internet connection. But there is no real dial-up setting for a broadband connection.

Anybody have any advice? Other than switching to Funk or some other VPN server/client software. I don't have a choice in the matter ... we either use Microsoft or nothing. I am pushing for the VPN in the first place so we can drop FTP and (reverse) proxy and other things.

Last edited by vanblah; 10-21-2004 at 12:54 PM.
10-21-2004, 02:00 PM | #2
Professional Loafer
Location: texas
Is this going into an ISA server? Have you checked firewall permissions relating to IP addresses that are allowed to come into the VPN?
Microsoft VPN is very crappy. I would really push for a Cisco VPN Concentrator if possible.
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane." |
10-21-2004, 05:06 PM | #3
Junkie
Yes, it's going through ISA. The firewall rules are wide open.
The problem is with name resolution. On dial-up (and on a Mac, and presumably on *nix) everything works fine ... but with XP on broadband (not PPPoE) names don't resolve correctly. Interestingly, a tracert to an internal machine while connected to the VPN goes into the internal network and then back outside. Almost like the internal network doesn't know what to do with it coming from the VPN. I agree that Microsoft's VPN client is crappy ... but like I said I don't have a choice in the matter.
10-22-2004, 07:14 AM | #4
Professional Loafer
Location: texas
Are the settings the same on the Mac and Windows boxes? I'm assuming that both the Dial-Up and Broadband connections are DHCP'ing an IP from the ISP. Maybe something set in the ISA server to allow specific IP address ranges, doubt it though.
Something has to be wrong with your routes if you're leaving after coming inside. Would just sit down with pen and paper and draw them out.
10-22-2004, 07:23 PM | #5
Junkie
I think I've figured it out. It is a problem with Microsoft's VPN client (on XP), but only when connected to an "always on" broadband connection. We maintain internal and external DNS servers, and some of the machine names are the same on both lists, so when I request a server that happens to be on both lists my client machine requests the external (NATed) IP address.
So it's actually doing exactly what it's supposed to be doing. The problem really is the fact that we have machine names that are the same on both internal and external networks. On the Mac, all traffic is forced through the VPN and it essentially "forgets" about the external addresses. The same with dial-up and PPPoE. Does that make sense? |
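The root cause the thread settles on is a split-horizon DNS setup where the same hostname has different answers in the internal and external zones, and the always-on client asks the ISP's resolver first. The script below is an added example (not code from the thread or from Microsoft RRAS) that finds exactly those collisions by diffing two zone files and then shows which answer a client gets depending on which resolver it asks first. The zone contents are constructed; company.com, servername, 10.0.0.0/24 and 203.0.113.0/24 are assumed stand-ins for the poster's real internal and NATed external records.

```python
"""Split-horizon DNS collision check.

Added example, not code from the original thread.  Parses A/AAAA/CNAME
records from two master-file zones (constructed below; company.com,
servername and all addresses are assumed values), reports names that
exist in BOTH views with different answers, and models first-answer-wins
resolution across an ordered list of resolvers.
"""
from ipaddress import ip_address, ip_network

RR_TYPES = {"A", "AAAA", "CNAME"}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zones in standard master-file syntax (assumed data).
INTERNAL_ZONE = """\
$ORIGIN company.com.
$TTL 3600
@           IN  SOA  ns1.company.com. hostmaster.company.com. (1 3600 600 86400 300)
@           IN  NS   ns1
ns1         IN  A    10.0.0.2
servername  IN  A    10.0.0.10
mail        IN  A    10.0.0.20
intranet    IN  A    10.0.0.30
files       IN  CNAME servername
"""

EXTERNAL_ZONE = """\
$ORIGIN company.com.
$TTL 3600
@           IN  SOA  ns1.company.com. hostmaster.company.com. (1 3600 600 86400 300)
@           IN  NS   ns1
ns1         IN  A    203.0.113.2
servername  IN  A    203.0.113.10   ; NATed to 10.0.0.10
mail        IN  A    203.0.113.20
www         IN  A    203.0.113.80
"""


def qualify(name, origin):
    """Turn a relative owner/target into a lower-case FQDN ending in '.'."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return {fqdn: [(rtype, rdata), ...]} for A/AAAA/CNAME records only."""
    origin, records, last_owner = ".", {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$TTL"):
            continue
        tokens = line.split()
        owner = last_owner if line[0].isspace() else tokens.pop(0)  # blank owner = previous owner
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                            # optional TTL / class
        if not tokens or tokens[0].upper() not in RR_TYPES:
            continue                                 # SOA, NS, MX ... not what a client resolves
        rtype, rdata = tokens[0].upper(), tokens[1]
        if rtype == "CNAME":
            rdata = qualify(rdata, origin)
        records.setdefault(qualify(owner, origin), []).append((rtype, rdata))
    return records


def is_rfc1918(addr):
    """The quick check the poster used by eye: is this a private (internal) address?"""
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


def split_horizon_collisions(internal, external):
    """Names present in both views whose A answers differ: {name: (internal, external)}."""
    out = {}
    for name in set(internal) & set(external):
        a_in = sorted(r for t, r in internal[name] if t == "A")
        a_out = sorted(r for t, r in external[name] if t == "A")
        if a_in != a_out:
            out[name] = (a_in, a_out)
    return out


def resolve(name, views):
    """First-answer-wins lookup across ordered (label, zone) views, following CNAMEs.

    Models a client that asks the resolver bound first: the ISP's on an
    always-on broadband link, the VPN-assigned one when the tunnel is the
    only path (dial-up / PPPoE in the thread).  Returns (label, [addrs]).
    """
    cur = name.lower().rstrip(".") + "."
    for label, view in views:
        target, hops = cur, 0
        while target in view and hops < 8:
            addrs = [r for t, r in view[target] if t == "A"]
            if addrs:
                return label, addrs
            cnames = [r for t, r in view[target] if t == "CNAME"]
            if not cnames:
                break
            target, hops = cnames[0], hops + 1
    return None, []


INTERNAL = parse_zone(INTERNAL_ZONE)
EXTERNAL = parse_zone(EXTERNAL_ZONE)

if __name__ == "__main__":
    for name, (a_in, a_out) in sorted(split_horizon_collisions(INTERNAL, EXTERNAL).items()):
        print(f"{name:28} internal={a_in} external={a_out}")
    for order in (("isp", EXTERNAL), ("vpn", INTERNAL)), (("vpn", INTERNAL), ("isp", EXTERNAL)):
        label, addrs = resolve("servername.company.com", order)
        print(f"asking {order[0][0]} first -> {label} answered {addrs}, private={is_rfc1918(addrs[0])}")
```

On the real client the equivalent check is `ipconfig /all` (to see which DNS servers the RAS adapter was handed versus the LAN adapter) and `nslookup servername.company.com <server>` against the VPN-assigned DNS server and the ISP's server in turn; if the two answers differ, the name is a collision of the kind the script reports.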
Tags |
broadband, dialup, vpn |