vpn won't work due to route caching on NT 4.0 sp6a

Stephen Hope shope at ENERGIS-EIS.CO.UK
Thu Mar 1 05:14:25 EST 2001


byron

There is one very basic attack on this.

Pull the xircom adaptor before you boot for the VPN link - that way NT will
not install the drivers and the routes will not be built.

BTW - we have seen similar issues with win 98, but at least there you can
dynamically stop the PCMCIA adaptor, and kill the routes that way.

Final thought - some DHCP setups allow you to statically allocate an IP in the
DHCP system rather than on the PC - that way you have a static IP address, but
the setup is on the DHCP server, and for the dial up it behaves like "real"
DHCP - I think Quadritek IP and Nortel NetID can do something like this, but
I have never tried it in anger.

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189


> -----Original Message-----
> From: David Gillett [mailto:dgillett at NIKU.COM]
> Sent: 01 March 2001 01:58
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: vpn won't work due to route caching on NT 4.0 sp6a
>
>
>   Oh yeah -- the other approach is to use docked/undocked hardware profiles,
> or install something like Symantec's "Mobile Essentials" which allows you to
> select between different network configurations for different locations.
>
> David Gillett
> Senior Network Engineer
> (650) 701-2702
> Niku Corp. "Transforming the Service Economy"
>
>
>
> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On
> Behalf Of David
> Gillett
> Sent: Wednesday, February 28, 2001 5:32 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: vpn won't work due to route caching on NT 4.0 sp6a
>
>
>   We've seen a similar issue, and I think the key is to look at why you need
> a static address.
>   In our case, the laptops that need a static address do not need that
> address to be given to anyone else -- they just need a static way to refer
> to *themselves*.  In this case, making one of the NIC addresses static is
> the wrong solution.  The "obvious" solution is to use the universal loopback
> address of 127.0.0.1, or, in the cases where that doesn't work (I have not
> had a chance to investigate and understand these...), install the MS
> Loopback Connector, which by default installs at 10.0.0.1.  Either of these
> allows the NIC addresses to continue to use DHCP.
>
> David Gillett
> Senior Network Engineer
> (650) 701-2702
> Niku Corp. "Transforming the Service Economy"
>
>
>
> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On
> Behalf Of Byron
> Kennedy
> Sent: Wednesday, February 28, 2001 3:17 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: FW: vpn won't work due to route caching on NT 4.0 sp6a
>
>
> I think I remember a discussion thread on a similar topic a month or so ago
> and am hoping that someone has some insight on this.
>
> Client hardware with issues:
> Dell Latitude CPx, CSx, NT 4.0 SP5 or SP6a
> NIC 1: 3Com 3C905C in the Dell dock port (enabled on docked HW profile)
> NIC 2: Xircom RealPort CardBus 10/100 LAN, 56k modem (enabled on undocked HW
> profile)
>
> Here's the issue:
> Our VPN setup is designed such that our clients dial up to Earthlink and
> connect securely back to our Netscreen firewall via the Netscreen Remote
> client software (IRE OEM) using IPsec. There have been very few problems over
> the past 1.5 years until recently. Traditionally, we've always used DHCP
> config for the two network adapters; however, recently we've needed to enable
> static IP on some of these clients. When we do this, and then go to dial up
> (using the Xircom modem) in "undocked" mode, our VPN will fail: you can't ping
> internal IPs anymore. I've checked the route table on the client and see a
> route for our local subnet in there with a gateway of the Xircom NIC,
> of 10.10.0.0 255.255.0.0 10.10.0.254 (IP of internal LAN router) 2 (metric),
> which is entered from the static IP on the Xircom. There is in fact a default
> gateway of 0.0.0.0, etc. assigned to the DUN gateway passed out by Earthlink.
> However, it would seem, given the route statement above, that all packets
> destined for our internal LAN are routing to the unconnected Xircom LAN
> adapter and just get dropped by the stack, instead of heading out over the
> DUN connection and over the VPN.
> Does anyone have any thoughts on this? I'm hoping there's an explanation and
> fix for this. Have no trouble with Windows 2000 clients on this.
> thx for ideas.
>
> cheers, byron
>
> cheers, byron
>
> Byron Kennedy
> Network Administrator
>
> Markettools, Inc.
> 1 Belvedere Place
> www.markettools.com
> www.ztelligence.com
> www.zoomerang.com
> MarketTools is the premier applications services provider of Web-based
> corporate solutions including market research and feedback services. The
> company helps businesses of all sizes gather the critical information they
> need to make key business decisions. MarketTools' research and feedback
> applications are the first phase of its global relationship intelligence
> network that will link companies with their customers, employees, vendors
> and shareholders. MarketTools is a privately held company headquartered in
> Mill Valley, CA.
>
>
> VPN is sponsored by SecurityFocus.COM
>

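The route-selection behaviour Byron describes above, as an added worked example (this is not code from the thread or from any of its participants): a small Python script that parses a constructed NT 4.0-style `route print` table, picks the route the stack would choose by longest-prefix match (the stack never consults link state, so a static address on an unplugged NIC still wins), flags LAN routes that leave via an interface other than the dial-up one, and models the effect of `route delete 10.10.0.0 mask 255.255.0.0`. The 10.10.0.0 / 255.255.0.0 / 10.10.0.254 / metric 2 entry is the one quoted in the post; the Xircom address 10.10.1.23 and the Earthlink-assigned addresses in 198.51.100.0/24 are assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed NT 4.0-style 'route print' output (not captured from the
# poster's laptop). The 10.10.0.0 / 255.255.0.0 / 10.10.0.254 / metric 2 entry
# is the one quoted in the post; 10.10.1.23 (static Xircom address) and the
# 198.51.100.x dial-up addresses are assumed.
ROUTE_PRINT_BEFORE = """\
Active Routes:

  Network Address          Netmask  Gateway Address        Interface  Metric
          0.0.0.0          0.0.0.0     198.51.100.1    198.51.100.77       1
        10.10.0.0      255.255.0.0      10.10.0.254       10.10.1.23       2
       10.10.1.23  255.255.255.255        127.0.0.1        127.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    198.51.100.77  255.255.255.255        127.0.0.1        127.0.0.1       1
        224.0.0.0        224.0.0.0       10.10.1.23       10.10.1.23       1
  255.255.255.255  255.255.255.255       10.10.1.23       10.10.1.23       1
"""

XIRCOM_ADDR = "10.10.1.23"       # assumed static address on the undocked NIC
DUN_ADDR = "198.51.100.77"       # assumed address handed out by Earthlink
INTERNAL_LAN = ["10.10.0.0/16"]  # the subnet reached over the IPsec tunnel


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str   # local address of the interface the route uses
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse the 'Active Routes' table of NT 4.0 'route print' output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue  # title, header or blank line
        net, mask, gw, iface, metric = parts
        routes.append(Route(ipaddress.ip_network(f"{net}/{mask}", strict=False),
                            gw, iface, int(metric)))
    return routes


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Pick the route the stack will use: longest prefix wins, lowest metric
    breaks ties. Whether the interface has link is never consulted, which is
    why a static address on an unplugged NIC can swallow the VPN traffic."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def route_delete(routes: List[Route], network: str, mask: str) -> List[Route]:
    """Model of:  route delete <network> mask <mask>"""
    target = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return [r for r in routes if r.network != target]


def misdirected_routes(routes: List[Route], lan_prefixes: List[str],
                       tunnel_iface: str) -> List[Route]:
    """Flag non-host routes covering the internal LAN that leave via any
    interface other than the dial-up one the IPsec client rides on."""
    lan = [ipaddress.ip_network(p) for p in lan_prefixes]
    return [r for r in routes
            if r.network.prefixlen < 32
            and r.interface != tunnel_iface
            and any(r.network.overlaps(p) for p in lan)]


def demo(dst: str = "10.10.5.7"):
    """Route chosen with the stale LAN route present, the offending routes,
    and the route chosen once that entry has been deleted."""
    before = parse_route_print(ROUTE_PRINT_BEFORE)
    bad = misdirected_routes(before, INTERNAL_LAN, DUN_ADDR)
    after = route_delete(before, "10.10.0.0", "255.255.0.0")
    return select_route(before, dst), bad, select_route(after, dst)


if __name__ == "__main__":
    chosen_before, bad, chosen_after = demo()
    print("before:", chosen_before)
    for r in bad:
        print("misdirected:", r, "-> route delete", r.network.network_address,
              "mask", r.network.netmask)
    print("after: ", chosen_after)
```

On the NT box itself the equivalent is `route print` to inspect the table and `route delete 10.10.0.0 mask 255.255.0.0` to drop the entry for the current session; the entry is derived from the static address bound to the Xircom, so it is recreated after a reboot, which is why not letting NT bind the card at all (Stephen's suggestion) avoids the problem at its source.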