Re: seeing outside corporate network when on VPN



On Thu, 31 Jan 2008 02:08:27 +0000 (UTC), dold@xxxxxxxxxxxxxxxx wrote:

> I changed my mind. If your client is allowed to "ignore" settings that
> are said to be "mandatory", that is the broken part.

Well, there's nothing broken about being able to change the settings.
The SecureNet clients that I'm familiar with allow this within the
client configuration. Lots of options and config variations to get
lost in. I find myself doing all too much trial and error before I
get it right. However, once it's set and saved, I can mark the saved
file as "non-editable" which means no more tweaking allowed.

The big question is what does the IT department distribute.
Presumably, it's the non-tweakable configuration that enforces the IT
department's edicts and does not allow routing changes. However, if
they're clueless, they could just as easily have distributed a saved
version that allows changes.

> But could a client
> like that connect to my VPN server?

Probably. Many IPSec clients are made to be fairly universal and will
connect to just about anything. However, some are really simplistic
and offer a limited number of compatible VPN servers.

>> Note that the default gateway on the remote system is blank, which
>> means that the default gateway is the local system. Trying traceroute
>> again:
>
> Now that I have a split tunnel, my gateway is blank, leaving it up to
> my local routing to decide where to route packets. I see that there are a
> lot of entries in my route /print. I can't do anything to my routing, or
> the VPN aborts with a complaint that routing can't be adjusted while the
> VPN is active. If I set a persistent route before I start the VPN, I can
> save some local access, like my cable modem at 192.168.100.1, but that
> didn't work when I had mandatory tunneling.

Oops. I guess I'm half wrong. Leaving the default gateway blank
allows local routing, but if the VPN stack checks for and prevents
changes, then it's not going to happen. That kinda makes sense
because the IT department does not know the IP address of your local
router and therefore would not normally configure it into their VPN
configuration.

> When I had mandatory tunneling, my VPN gateway was my address on the VPN.

Yeah. That sends literally everything through the VPN. That drives
me nuts when I have a local network printer, that magically becomes
inaccessible when the VPN is running. Depending on the VPN client, I
can sometimes setup a static route to the printer. More often, I'm
stuck with setting up a USB or parallel connection so the customer can
print.

>> original poster should have been able to surf the net with the
>> configuration he posted. Something is not quite right here.
>
> Like the model numbers and revision levels for hardware, it might be
> helpful to know what products he is trying to use.

Hey... that's my line. Copyright pending on my accompanying insults
and insulting remarks.

> In any properly set up
> enterprise solution, I wouldn't expect the end user to be able to tamper
> with things that the enterprise wanted to keep set.

Neither would I, but how does one accommodate creative home network
installations, such as my network printing problem? The easiest
solution is to use a hardware product with a dedicated VPN port. I'm
seeing more and more SSL VPNs, which are MUCH easier to setup and
configure, and don't have routing issues.

> If I connected to a hotspot somewhere, I always connected the tunneled VPN
> as soon as possible.

I have a VPN tunnel setup to my home and office networks. Nothing
fancy, just PPTP. However, I just use those for email and document
transfers. For moving files, I use WinSCP:
<http://winscp.net/eng/>
through an SSH tunnel. Works with most (not all) of the ISPs I deal
with. However, for general web browsing, I rely on SSL for commerce
security and don't care for the other stuff. VPN and SSL tunnels are
just too slow for general browsing. Besides, I don't need security
for downloading driver updates and such.

Incidentally, consider yourself at fault for ruining my evening. I
decided it was time to renumber the IPs in the office. That involved
changing the IPs of the router and my main server. Trying to
remember how to set the default route in SCO Unix 3.2v4.2 was no fun.
Then the printers crapped out and I had to reset their default route.
Now, SNMP is complaining, my syslog junk is going to the wrong server,
inside DNS is a mess, and I'm getting hungry. Before I can fix any of
the damage, I need a suitable culprit and you're it. Please note that
being blamed is actually an honor and that it is not necessary to
thank me.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@xxxxxxxxxxxxxxxxxxxxxx
# http://802.11junk.com jeffl@xxxxxxxxxx
# http://www.LearnByDestroying.com AE6KS
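The split-tunnel versus mandatory-tunnel routing behaviour argued over above (blank VPN default gateway leaving the decision to the local table, a full tunnel swallowing the cable modem at 192.168.100.1, and a persistent /32 route added before the VPN comes up) can be reproduced with a longest-prefix-match walk over a Windows-style route table. The code below is an added example, not from either poster; the adapter addresses 10.8.0.x and 192.168.1.x, the metrics and the table layout are constructed to resemble `route print` output, and only the 192.168.100.1 modem address comes from the thread.

```python
"""Longest-prefix-match walk over a constructed Windows-style route table.

Shows which adapter a packet leaves by, and therefore why a full tunnel
sends the cable modem (192.168.100.1) into the VPN while a /32 persistent
route pins it back to the LAN. Example code; all addresses except
192.168.100.1 are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Columns mimic `route print`: destination, netmask, gateway, interface, metric.
# Split tunnel: the VPN adapter (10.8.0.6) gets no default gateway; only the
# corporate 10/8 range is steered into the tunnel, the LAN default remains.
SPLIT_TUNNEL = """
0.0.0.0        0.0.0.0          192.168.1.1   192.168.1.50  25
10.0.0.0       255.0.0.0        10.8.0.1      10.8.0.6      1
10.8.0.0       255.255.255.0    On-link       10.8.0.6      20
192.168.1.0    255.255.255.0    On-link       192.168.1.50  25
"""

# Mandatory tunnel: a second 0.0.0.0/0 with a lower metric, gateway = the
# client's own VPN address, beats the LAN default for everything off-subnet.
FULL_TUNNEL = """
0.0.0.0        0.0.0.0          10.8.0.6      10.8.0.6      1
0.0.0.0        0.0.0.0          192.168.1.1   192.168.1.50  25
10.8.0.0       255.255.255.0    On-link       10.8.0.6      20
192.168.1.0    255.255.255.0    On-link       192.168.1.50  25
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means "On-link"
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_table(text: str) -> List[Route]:
    """Parse the five-column constructed table into Route records."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers or blank lines
        dest, mask, gw, iface, metric = parts
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw.lower() == "on-link" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, ipaddress.IPv4Address(iface), int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def exit_interface(routes: List[Route], dst: str) -> Optional[str]:
    """Adapter address a packet to dst would leave by, or None if unroutable."""
    r = lookup(routes, dst)
    return None if r is None else str(r.interface)


def is_full_tunnel(routes: List[Route], vpn_iface: str, probe: str = "198.51.100.7") -> bool:
    """True when an arbitrary Internet destination (a documentation address
    here) would be sent out through the VPN adapter."""
    return exit_interface(routes, probe) == vpn_iface


def with_persistent_route(routes: List[Route], dst: str, gateway: str, iface: str) -> List[Route]:
    """Return a table with a /32 host route added, as `route -p add` would do
    before the VPN starts. Whether the client honours it is up to the client."""
    host = Route(ipaddress.IPv4Network(f"{dst}/32"), ipaddress.IPv4Address(gateway),
                 ipaddress.IPv4Address(iface), 1)
    return routes + [host]


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        routes = parse_route_table(table)
        print(name, "full tunnel:", is_full_tunnel(routes, "10.8.0.6"),
              "modem via:", exit_interface(routes, "192.168.100.1"))
    pinned = with_persistent_route(parse_route_table(FULL_TUNNEL),
                                   "192.168.100.1", "192.168.1.1", "192.168.1.50")
    print("full + /32 route, modem via:", exit_interface(pinned, "192.168.100.1"))
```

The modem sits on a subnet that is neither the LAN nor the VPN, so with no more specific entry it follows whichever default route has the lower metric; the /32 route outranks both defaults on prefix length alone. A client that refuses routing changes while connected, as dold describes, would simply never let that extra entry take effect.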