vpn won't work due to route caching on NT 4.0 sp6a

David Gillett dgillett at NIKU.COM
Wed Feb 28 20:58:04 EST 2001


  Oh yeah -- the other approach is to use docked/undocked hardware profiles,
or install something like Symantec's "Mobile Essentials" which allows you to
select between different network configurations for different locations.

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp. "Transforming the Service Economy"



-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of David
Gillett
Sent: Wednesday, February 28, 2001 5:32 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: vpn won't work due to route caching on NT 4.0 sp6a


  We've seen a similar issue, and I think the key is to look at why you need
a static address.
  In our case, the laptops that need a static address do not need that
address to be given to anyone else -- they just need a static way to refer
to *themselves*.  In this case, making one of the NIC addresses static is
the wrong solution.  The "obvious" solution is to use the universal loopback
address of 127.0.0.1, or, in the cases where that doesn't work (I have not
had a chance to investigate and understand these...), install the MS
Loopback Connector, which by default installs at 10.0.0.1.  Either of these
allows the NIC addresses to continue to use DHCP.

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp. "Transforming the Service Economy"



-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Byron
Kennedy
Sent: Wednesday, February 28, 2001 3:17 PM
To: VPN at SECURITYFOCUS.COM
Subject: FW: vpn won't work due to route caching on NT 4.0 sp6a


I think I remember a discussion thread on a similar topic a month or so ago
and am hoping that someone has some insight on this.

Client hardware with issues:
Dell Latitude CPx, CSx, NT 4.0 SP 5 or 6a
NIC 1: 3Com 3c905c in the Dell dock port (enabled on docked HW profile)
NIC 2: Xircom REALPORT Cardbus 10/100 LAN, 56k modem (enabled on undocked HW
profile)

Here's the issue:
Our VPN setup is designed such that our clients dial up Earthlink and
connect securely back to our Netscreen firewall via the Netscreen remote
client software (IRE OEM) using IPsec. There have been very few problems over
the past 1.5 years until recently. Traditionally, we've always used DHCP
config for the two network adapters; however, recently we've needed to enable
static IP on some of these clients. When we do this, and then go to dial up
(using the Xircom modem) in "undocked" mode, our VPN will fail; you can't ping
internal IP anymore. I've checked the route table on the client and see a
route for our local subnet in there with a gateway of the Xircom NIC,
of 10.10.0.0 255.255.0.0 10.10.0.254 (IP of internal LAN router) 2 (metric),
which is entered from the static IP on the Xircom. There is in fact a default
gateway of 0.0.0.0, etc. assigned to the DUN gateway passed out by Earthlink.
However, it would seem, given the route statement above, that all packets
destined for our internal LAN are routing to the unconnected Xircom LAN
adapter and just get dropped by the stack, instead of heading out over the
DUN connection and over the VPN.
Does anyone have any thoughts on this? I'm hoping there's an explanation and
fix on this. Have no trouble with Windows 2000 clients on this.
Thx for ideas.

cheers, byron

Byron Kennedy
Network Administrator

Markettools, Inc.
1 Belvedere Place
www.markettools.com
www.ztelligence.com
www.zoomerang.com
MarketTools is the premier applications services provider of Web-based
corporate solutions including market research and feedback services. The
company helps businesses of all sizes gather the critical information they
need to make key business decisions. MarketTools' research and feedback
applications are the first phase of its global relationship intelligence
network that will link companies with their customers, employees, vendors
and shareholders. MarketTools is a privately held company headquartered in
Mill Valley, CA.



VPN is sponsored by SecurityFocus.COM
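
Added example, not part of the original messages: a small Python model of the route selection described in the thread, showing how the more specific 10.10.0.0/16 route left by the static address outranks the dial-up default route even when its adapter has no link. Only the 10.10.0.0 row comes from the post; the interface and dial-up addresses, the five-column layout and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample table: destination, netmask, gateway, interface, metric.
# Only the 10.10.0.0 row is taken from the post; the other addresses are
# placeholders from documentation ranges.
SAMPLE_TABLE = """\
0.0.0.0     0.0.0.0      198.51.100.1  198.51.100.23  1
10.10.0.0   255.255.0.0  10.10.0.254   10.10.1.50     2
"""

def parse_routes(text):
    """Parse five-column rows into route dicts; other lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        routes.append({"net": ipaddress.ip_network(f"{dest}/{mask}"),
                       "gateway": gateway, "iface": iface,
                       "metric": int(metric)})
    return routes

def select_route(routes, target):
    """Longest-prefix match; lower metric wins a tie. None if no match."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r["net"]]
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]),
               default=None)

def diagnose(routes, target, live_ifaces):
    """Return (chosen, fallback). fallback is the route that would carry the
    traffic if routes bound to dead interfaces were absent, or None when the
    chosen route is already on a live interface."""
    chosen = select_route(routes, target)
    if chosen is None or chosen["iface"] in live_ifaces:
        return chosen, None
    usable = [r for r in routes if r["iface"] in live_ifaces]
    return chosen, select_route(usable, target)

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_TABLE)
    # Undocked and dialled in: only the dial-up adapter has a link.
    chosen, fallback = diagnose(routes, "10.10.5.20", {"198.51.100.23"})
    print("selected:", chosen["net"], "via", chosen["gateway"])
    if fallback:
        print("route is on a dead interface; live alternative:", fallback["net"])
```
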
