Re: VPN client routing problem

Robert L [MS-MVP]

Oct 16, 2005, 8:47:30 PM
It seems to me that you need a 3rd NIC, or to manually set up the routing table as in the following case,
One router goes to the corporation email server and another one goes to the ...
Then, you add another router for the Internet access and want to use the ...

Networking, Internet, Routing, VPN Troubleshooting on
How to Setup Windows, Network, VPN & Remote Access on
I have vpn server (Windows 2003 with RRAS) with 2 NICs.
First NIC is connected to LAN and second to internet.
I have also 2 internet connections with 2 routers.
First connection is only for vpn access (connected to public NIC on my VPN
Second connection is used for internet access (http, ftp,...) and it is
connected to my LAN.
When I connect to the VPN server I have no access to the internet. I don't want to
disable 'use default gateway....' on my vpn client. I don't want also to use
my internet connection on VPN server for internet access.
I would like to set routing for vpn client so they use second router to
access internet.
I know that I can set routing on RRAS, but how to set default gateway only
for vpn clients?


Bill Grant

Oct 16, 2005, 8:58:36 PM
I am surprised that your setup works at all. Two internet connections
usually cause all sorts of odd routing problems.

I can't think of any way to get your VPN client to use the LAN router.
For VPN to work, the VPN server's default route must point out to the
internet through the public NIC. For internet access through the other
router to work, its default route would need to be pointing to the LAN
router via the LAN NIC. There is no way to satisfy both of these
requirements at the same time.


Oct 17, 2005, 5:11:04 PM
That's right, but maybe there exists some kind of software to set up routing based
on source address (vpn clients have ip addresses from private ip pool) ?

Bill Grant

Oct 17, 2005, 8:51:33 PM
What source address could you use? How can you know what public IP
address your remote client will connect from? The private address is of no
use. The VPN data is encrypted and encapsulated inside a packet with a
public IP in the header.


Oct 18, 2005, 5:32:17 PM
Hi Bill

I know what IP address is assigned to vpn client by vpn server, I don't
need to know what public IP they have. Based on this information I can say
"route packets from IP pool assigned by vpn server to LAN gateway" (this
should be configured on vpn server). Public IP addresses are still routed by
gateway assigned to NIC connected to internet.
It should work, but I don't have the tools on Windows to do it.
(Cisco has 'Policy-based routing' - with this feature you can set routing
based on source address).
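
The difference between the destination-only lookup and the source-based lookup discussed in this thread, as an added example that is not part of any post and is not RRAS or Cisco configuration. All addresses are constructed (private and documentation ranges), and the function names are hypothetical.

```python
import ipaddress as ip

# Constructed addressing (not from the thread): private/documentation ranges.
VPN_POOL   = ip.ip_network("192.168.50.0/24")   # addresses the VPN server hands to clients
LAN_NET    = ip.ip_network("192.168.1.0/24")
LAN_ROUTER = "192.168.1.254"                    # second internet connection, on the LAN
PUBLIC_GW  = "203.0.113.1"                      # first connection, behind the public NIC

# Destination-based table of the VPN server: (prefix, next hop, interface)
MAIN_TABLE = [
    (ip.ip_network("0.0.0.0/0"), PUBLIC_GW, "public"),
    (LAN_NET, "on-link", "lan"),
    (VPN_POOL, "on-link", "vpn"),
]

# Source-based rules consulted before the default route: (source prefix, next hop, interface)
POLICY_RULES = [(VPN_POOL, LAN_ROUTER, "lan")]


def lookup_destination(dst):
    """Classic routing: longest matching prefix on the destination only."""
    dst = ip.ip_address(dst)
    matches = [r for r in MAIN_TABLE if dst in r[0]]
    _, hop, iface = max(matches, key=lambda r: r[0].prefixlen)
    return hop, iface


def lookup_policy(src, dst):
    """Policy routing: on-link destinations first, then source rules, then default."""
    hop, iface = lookup_destination(dst)
    if hop == "on-link":                 # LAN and VPN-pool destinations stay local
        return hop, iface
    src = ip.ip_address(src)
    for prefix, p_hop, p_iface in POLICY_RULES:
        if src in prefix:                # decapsulated traffic from a pool address
            return p_hop, p_iface
    return hop, iface                    # tunnel packets (public source) keep the default
```

The encapsulated tunnel packets carry the server's public address as source, so they match no source rule and still leave through the public NIC; only the decapsulated client traffic, sourced from the pool, is sent to the LAN router.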


Bill Grant

Oct 18, 2005, 7:44:37 PM
Then buy a Cisco!


Nov 24, 2005, 11:23:50 PM
Hi! I am not an expert on this issue but I would like to give it a try.
Please don't hesitate to point out if I made a mistake.

Are you using the IPSec VPN client? If yes, the packet will be encrypted and
encapsulated in a packet whose destination IP address is that of the VPN
server. In theory the OS will only know that the packet is being sent to the
VPN server (not the other internet IP addresses used in the VPN). Therefore you can
just add a route to the IP address of the VPN server via your preferred
gateway, leaving the default gateway as the one you use to access the

