CMAK configuration and routing table update error
We've been trying to setup a VPN program for our client to connect to our RAS server from home/overseas. Now I've set up a windows server 2008 64-bit server with RAS and NPS configured to allow L2TP connection and certain user groups to it (firewall is configured as well but nothing wrong with its config). So, on another Win Sever 2008 32-bit , we're using the Connection Manager Administration Kit (CMAK) with ver1.4 client to make the VPN program (complete with the routing table update file + appropriate logon/logoff action script) so users don't need to configure it themselves. Client IP address will be given from the static IP pool and also set up the pre-shared key on it as well. At the moment we're focusing on Windows XP sp3 32-bit OS. Problem is, when the user tries to run it, it always came up with an error: [cmdial32] 0:33:03 08 Custom Action Dll ActionType = Connect Actions Description = to update your routing table ActionPath = C:\Documents and Settings\xxx\Application Data\Microsoft\Network\Connections\Cm\TEST\CMROUTE.DLL ReturnValue = 0x800700e8 [cmdial32] 0:33:03 20 On-Error Event ErrorCode = -2147024664 ErrorSource = to update your routing table I tried to google the "800700e8" with no luck at all and I've read too many documentation on how to make the routing table update file. Basically this is what I did (saved under cmroute.txt ): ########## START OF FILE ############ ADD 128.250.14.0 MASK 255.255.255.0 default METRIC default IF default REMOVE_GATEWAY ########### END OF FILE ############ I tried with no extra line as well ... The purpose of that is to avoid directing all the internet traffic from their home to our servers. If I remove the routing update file, it works ok. Please help! (if this is not the right place to ask, please let me know where to post since I can't find anything with networking or VPN sub-category)
August 25th, 2009 11:06am

Andrew, If you have a Win Server 2003, you can create the desired connection manager profile (VPN program) with route table updates, for XP machines using that. If you do not have Win Server 2003, then you can install admin pak in XP and get CMAK in XP machine. Thanks, Ramakrishna.
Free Windows Admin Tool Kit Click here and download it now
September 1st, 2009 10:21am

Hi Ramakhrisna, Thanks for your reply. That works. It seems the problem lies with the cmroute.dll file (there's a bug in it). So I tried to create another VPN program using windows server 2008. But this time, after I installed it on the XP client, I manually replace the cmroute.dll file with the one from windows server 2003. And it still works. Any suggestion on how to make it work with VISTA? I encounter 2 issues when I try to do the same thing on vista: - I can't find cmmroute.dll file on C:\ ... maybe I search it wrong? - regardless, I tried to run the program anyway but encounter error 471. I don't remember the exact message for error 471, but maybe something like this: the computer does not support the encryption required another help?
September 8th, 2009 7:55pm

Hi Andrew,For Vista machines, You can create the connection profile as per your requirement (route table updates after successful connection) using CMAK on Win2K8. In CMAK's first wizard, where it asks to select the target operating system, select Vista.
Free Windows Admin Tool Kit Click here and download it now
September 10th, 2009 12:44am

Hi Andrew,For Vista machines, You can create the connection profile as per your requirement (route table updates after successful connection) using CMAK on Win2K8. In CMAK's first wizard, where it asks to select the target operating system, select Vista.
September 10th, 2009 12:44am

I did that but no luck. I encounter 1 problem as I mentioned above: When I ran that vpn program (using L2TP w/ pre-shared key) I got this error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. (Error 766) For customized troubleshooting information for this connection, click Help. This is what the VPN log (on VISTA business) says: ****************************************************************** Module Name, Time, Log ID, Log Item Name, Other Info For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up ****************************************************************** [cmdial32] 15:28:18 03 Pre-Init Event CallingProcess = C:\Windows\Explorer.EXE [cmdial32] 15:28:28 04 Pre-Connect Event ConnectionType = 1 [cmdial32] 15:28:28 06 Pre-Tunnel Event UserName = inas Domain = lkhv DUNSetting = test Tunnel DeviceName = WAN Miniport (SSTP) TunnelAddress = vpn2.bionicear.org [cmdial32] 15:28:28 21 On-Error Event ErrorCode = 766 ErrorSource = RAS
Free Windows Admin Tool Kit Click here and download it now
September 11th, 2009 12:58am

I did that but no luck. I encounter 1 problem as I mentioned above: When I ran that vpn program (using L2TP w/ pre-shared key) I got this error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. (Error 766) For customized troubleshooting information for this connection, click Help. This is what the VPN log (on VISTA business) says: ****************************************************************** Module Name, Time, Log ID, Log Item Name, Other Info For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up ****************************************************************** [cmdial32] 15:28:18 03 Pre-Init Event CallingProcess = C:\Windows\Explorer.EXE [cmdial32] 15:28:28 04 Pre-Connect Event ConnectionType = 1 [cmdial32] 15:28:28 06 Pre-Tunnel Event UserName = inas Domain = lkhv DUNSetting = test Tunnel DeviceName = WAN Miniport (SSTP) TunnelAddress = vpn2.bionicear.org [cmdial32] 15:28:28 21 On-Error Event ErrorCode = 766 ErrorSource = RAS
September 11th, 2009 12:58am

Please ignore the post above ... I did something I can't remember and now it allows me to connect. But now I have an error when trying to update the routing table: Connect action to update your routing table failed (8007000b). and this is the VPN log from the vista client: ****************************************************************** Operating System : Windows NT 6.0 Service Pack 1 Dialer Version : 7.2.6001.18000 Connection Name : test All Users/Single User : All Users Start Date/Time : 11/09/2009, 17:33:44 ****************************************************************** Module Name, Time, Log ID, Log Item Name, Other Info For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up ****************************************************************** [cmdial32] 17:33:44 03 Pre-Init Event CallingProcess = C:\Users\Fujitsu\AppData\Local\Temp\IXP000.TMP\cmstp.exe [cmdial32] 17:33:52 04 Pre-Connect Event ConnectionType = 1 [cmdial32] 17:33:52 06 Pre-Tunnel Event UserName = install Domain = medoto DUNSetting = test Tunnel DeviceName = WAN Miniport (SSTP) TunnelAddress = vpn2.bionicear.org [cmdial32] 17:33:56 07 Connect Event [cmdial32] 17:33:57 08 Custom Action Dll ActionType = Connect Actions Description = to update your routing table ActionPath = C:\ProgramData\Microsoft\Network\Connections\Cm\TEST\CMROUTE.DLL ReturnValue = 0x8007000b [cmdial32] 17:33:57 21 On-Error Event ErrorCode = -2147024885 ErrorSource = to update your routing table [cmdial32] 17:33:57 13 Disconnect Event CallingProcess = C:\Windows\system32\cmdial32.dll [cmdial32] 17:33:57 09 Custom Action Exe ActionType = Disconnect Actions Description = Logoff Script ActionPath = C:\ProgramData\Microsoft\Network\Connections\Cm\TEST\LOGOFF.BAT. The program was launched successfully. [cmdial32] 17:34:06 04 Pre-Connect Event ConnectionType = 1 [cmdial32] 17:34:06 06 Pre-Tunnel Event UserName = install Domain = medoto DUNSetting = test Tunnel DeviceName = WAN Miniport (SSTP) TunnelAddress = vpn2.bionicear.org [cmdial32] 17:34:09 07 Connect Event [cmdial32] 17:34:09 08 Custom Action Dll ActionType = Connect Actions Description = to update your routing table ActionPath = C:\ProgramData\Microsoft\Network\Connections\Cm\TEST\CMROUTE.DLL ReturnValue = 0x8007000b [cmdial32] 17:34:09 21 On-Error Event ErrorCode = -2147024885 ErrorSource = to update your routing table [cmdial32] 17:34:09 13 Disconnect Event CallingProcess = C:\Windows\system32\cmdial32.dll [cmdial32] 17:34:09 09 Custom Action Exe ActionType = Disconnect Actions Description = Logoff Script ActionPath = C:\ProgramData\Microsoft\Network\Connections\Cm\TEST\LOGOFF.BAT. The program was launched successfully. I really appreciate your help on this!!!
Free Windows Admin Tool Kit Click here and download it now
September 11th, 2009 3:36am

Please ignore the post above ... I did something I can't remember and now it allows me to connect. But now I have an error when trying to update the routing table: Connect action to update your routing table failed (8007000b). and this is the VPN log from the vista client: ****************************************************************** Operating System : Windows NT 6.0 Service Pack 1 Dialer Version : 7.2.6001.18000 Connection Name : test All Users/Single User : All Users Start Date/Time : 11/09/2009, 17:33:44 ****************************************************************** Module Name, Time, Log ID, Log Item Name, Other Info For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up ****************************************************************** [cmdial32] 17:33:44 03 Pre-Init Event CallingProcess = C:\Users\Fujitsu\AppData\Local\Temp\IXP000.TMP\cmstp.exe [cmdial32] 17:33:52 04 Pre-Connect Event ConnectionType = 1 [cmdial32] 17:33:52 06 Pre-Tunnel Event UserName = install Domain = medoto DUNSetting = test Tunnel DeviceName = WAN Miniport (SSTP) TunnelAddress = vpn2.bionicear.org [cmdial32] 17:33:56 07 Connect Event [cmdial32] 17:33:57 08 Custom Action Dll ActionType = Connect Actions Description = to update your routing table ActionPath = C:\ProgramData\Microsoft\Network\Connections\Cm\TEST\CMROUTE.DLL ReturnValue = 0x8007000b [cmdial32] 17:33:57 21 On-Error Event ErrorCode = -2147024885 ErrorSource = to update your routing table [cmdial32] 17:33:57 13 Disconnect Event CallingProcess = C:\Windows\system32\cmdial32.dll [cmdial32] 17:33:57 09 Custom Action Exe ActionType = Disconnect Actions Description = Logoff Script ActionPath = C:\ProgramData\Microsoft\Network\Connections\Cm\TEST\LOGOFF.BAT. The program was launched successfully. [cmdial32] 17:34:06 04 Pre-Connect Event ConnectionType = 1 [cmdial32] 17:34:06 06 Pre-Tunnel Event UserName = install Domain = medoto DUNSetting = test Tunnel DeviceName = WAN Miniport (SSTP) TunnelAddress = vpn2.bionicear.org [cmdial32] 17:34:09 07 Connect Event [cmdial32] 17:34:09 08 Custom Action Dll ActionType = Connect Actions Description = to update your routing table ActionPath = C:\ProgramData\Microsoft\Network\Connections\Cm\TEST\CMROUTE.DLL ReturnValue = 0x8007000b [cmdial32] 17:34:09 21 On-Error Event ErrorCode = -2147024885 ErrorSource = to update your routing table [cmdial32] 17:34:09 13 Disconnect Event CallingProcess = C:\Windows\system32\cmdial32.dll [cmdial32] 17:34:09 09 Custom Action Exe ActionType = Disconnect Actions Description = Logoff Script ActionPath = C:\ProgramData\Microsoft\Network\Connections\Cm\TEST\LOGOFF.BAT. The program was launched successfully. I really appreciate your help on this!!!
September 11th, 2009 3:36am

Hi Andrew, Can you please re-check the syntax of route table update command in the route table update file included in the connection profile? The error 0x8007000b could be because of incorrect syntax. If you feel it is correct only, then please share the commands with us.
Free Windows Admin Tool Kit Click here and download it now
September 14th, 2009 1:34am

Hi Andrew, Can you please re-check the syntax of route table update command in the route table update file included in the connection profile? The error 0x8007000b could be because of incorrect syntax. If you feel it is correct only, then please share the commands with us.
September 14th, 2009 1:34am

This is the content of my cmroute.txt: ADD 128.250.14.0 MASK 255.255.255.0 default METRIC default IF default REMOVE_GATEWAY This is exactly the same as the one I used for creating the vpn.exe for windows XP on my first post above. Again, if I don't change the routing table it runs fine. I'm tryting to set up a split tunneling: - traffic for office network will go through the VPN connection - any other traffic goes to the default (normal LAN) gateway (thus the REMOVE_GATEWAY entry)
Free Windows Admin Tool Kit Click here and download it now
September 14th, 2009 2:56am

This is the content of my cmroute.txt: ADD 128.250.14.0 MASK 255.255.255.0 default METRIC default IF default REMOVE_GATEWAY This is exactly the same as the one I used for creating the vpn.exe for windows XP on my first post above. Again, if I don't change the routing table it runs fine. I'm tryting to set up a split tunneling: - traffic for office network will go through the VPN connection - any other traffic goes to the default (normal LAN) gateway (thus the REMOVE_GATEWAY entry)
September 14th, 2009 2:56am

Hi Andrew,If your requirement is to set up split tunneling, then did u try the option of unchecking "Make this connection the client's default gateway" in IPv4 tab and IPv6 tab of "Edit VPN entry" dialog of CMAK? (http://technet.microsoft.com/en-us/library/cc732292.aspx)This way, you do not need any special route table update file in your connection profile.If this option is not a feasible solution for your requirement, then can you please elaborate more on your environment?
Free Windows Admin Tool Kit Click here and download it now
September 15th, 2009 2:31am

Hi Andrew,If your requirement is to set up split tunneling, then did u try the option of unchecking "Make this connection the client's default gateway" in IPv4 tab and IPv6 tab of "Edit VPN entry" dialog of CMAK? (http://technet.microsoft.com/en-us/library/cc732292.aspx)This way, you do not need any special route table update file in your connection profile.If this option is not a feasible solution for your requirement, then can you please elaborate more on your environment?
September 15th, 2009 2:31am

Hi again, according to numerous post I've read on the web (can't remember the sites name), to use split tunneling we need to make sure that only the connection to our company's network be routed through the VPN connector on the client. For example, below is the IP information on the company's network and client's pc at home. Office network: 128.250.14.0 / 24 Client's IP: 192.168.0.11 / 24 Client's VPN IP: 128.250.14.245 / 24 --> this is after successfully run the vpn.exe Now, what I need is: All office traffic to 128.250.14.0 goes through 128.250.14.245 interface. All other traffic goes through 192.168.0.11 interface, with the router as the gateway (192.168.0.1). If I don't set the "make this connection the client's default gateway ", that means all traffic (office and other traffic) goes through the 192.168.0.11 interface, right? (I don't know if this makes any sense to you) The above configuration has been set up on our network before I employed here so I'm trying to stick to what we already setup. ... I think I'm confused now. What is the implication if we didn't set the "make this connection the client's default gateway " option?
Free Windows Admin Tool Kit Click here and download it now
September 15th, 2009 8:53pm

Hi again, according to numerous post I've read on the web (can't remember the sites name), to use split tunneling we need to make sure that only the connection to our company's network be routed through the VPN connector on the client. For example, below is the IP information on the company's network and client's pc at home. Office network: 128.250.14.0 / 24 Client's IP: 192.168.0.11 / 24 Client's VPN IP: 128.250.14.245 / 24 --> this is after successfully run the vpn.exe Now, what I need is: All office traffic to 128.250.14.0 goes through 128.250.14.245 interface. All other traffic goes through 192.168.0.11 interface, with the router as the gateway (192.168.0.1). If I don't set the "make this connection the client's default gateway ", that means all traffic (office and other traffic) goes through the 192.168.0.11 interface, right? (I don't know if this makes any sense to you) The above configuration has been set up on our network before I employed here so I'm trying to stick to what we already setup. ... I think I'm confused now. What is the implication if we didn't set the "make this connection the client's default gateway " option?
September 15th, 2009 8:53pm

Hi Andrew,Ifyou don't set "make this connection the client's default gateway " option, then other thanoffice traffic willgoes throughyour192.168.0.11 interface. But,office traffic goes through your VPN IP only.See the output of "route print" on your client's machine before establishing the VPN connection. ---(1)Establish the VPN connection. (Where "make this connection the client's default gateway " option is unset & there is no special route update file)Again See the output of "route print". ---(2)If you compare (1) and (2), you can see that in (2), there is 1 route entry for your office network showing to follow VPN IP interface.So, office traffic with follow VPN IP interface and the other traffic will follow the route as before.
Free Windows Admin Tool Kit Click here and download it now
September 16th, 2009 1:08am

Hi Andrew,Ifyou don't set "make this connection the client's default gateway " option, then other thanoffice traffic willgoes throughyour192.168.0.11 interface. But,office traffic goes through your VPN IP only.See the output of "route print" on your client's machine before establishing the VPN connection. ---(1)Establish the VPN connection. (Where "make this connection the client's default gateway " option is unset & there is no special route update file)Again See the output of "route print". ---(2)If you compare (1) and (2), you can see that in (2), there is 1 route entry for your office network showing to follow VPN IP interface.So, office traffic with follow VPN IP interface and the other traffic will follow the route as before.
September 16th, 2009 1:08am

This is the output of the route print command: Normal route: IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.1 25 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 192.168.1.0 255.255.255.0 On-link 192.168.1.1 281 192.168.1.1 255.255.255.255 On-link 192.168.1.1 281 192.168.1.255 255.255.255.255 On-link 192.168.1.1 281 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.1.1 281 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.1.1 281 =========================================================================== Persistent Routes: None Connected to VPN: IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.1 25 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 128.250.0.0 255.255.0.0 128.250.14.244 128.250.14.249 26 128.250.14.22 255.255.255.255 192.168.1.254 192.168.1.1 26 128.250.14.249 255.255.255.255 On-link 128.250.14.249 281 192.168.1.0 255.255.255.0 On-link 192.168.1.1 281 192.168.1.1 255.255.255.255 On-link 192.168.1.1 281 192.168.1.255 255.255.255.255 On-link 192.168.1.1 281 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.1.1 281 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.1.1 281 255.255.255.255 255.255.255.255 On-link 128.250.14.249 281 =========================================================================== Persistent Routes: None As you can see above, there are some issues: - traffic to 128.250.0.0 / 16 to go through 128.250.14.249 (VPN interface) , then routed to 128.250.14.244 which is our RAS server. this is not what we want since we only want the network to be 128.250.14.0 / 24 (our network) - the traffic to 128.250.14.22 (RAS server) is explicitly stated to go through 192.168.1.1 (normal interface), which have the same metric as 128.250.0.0 traffic. will that create an issue?
Free Windows Admin Tool Kit Click here and download it now
September 16th, 2009 11:13am

This is the output of the route print command: Normal route: IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.1 25 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 192.168.1.0 255.255.255.0 On-link 192.168.1.1 281 192.168.1.1 255.255.255.255 On-link 192.168.1.1 281 192.168.1.255 255.255.255.255 On-link 192.168.1.1 281 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.1.1 281 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.1.1 281 =========================================================================== Persistent Routes: None Connected to VPN: IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.1 25 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 128.250.0.0 255.255.0.0 128.250.14.244 128.250.14.249 26 128.250.14.22 255.255.255.255 192.168.1.254 192.168.1.1 26 128.250.14.249 255.255.255.255 On-link 128.250.14.249 281 192.168.1.0 255.255.255.0 On-link 192.168.1.1 281 192.168.1.1 255.255.255.255 On-link 192.168.1.1 281 192.168.1.255 255.255.255.255 On-link 192.168.1.1 281 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.1.1 281 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.1.1 281 255.255.255.255 255.255.255.255 On-link 128.250.14.249 281 =========================================================================== Persistent Routes: None As you can see above, there are some issues: - traffic to 128.250.0.0 / 16 to go through 128.250.14.249 (VPN interface) , then routed to 128.250.14.244 which is our RAS server. this is not what we want since we only want the network to be 128.250.14.0 / 24 (our network) - the traffic to 128.250.14.22 (RAS server) is explicitly stated to go through 192.168.1.1 (normal interface), which have the same metric as 128.250.0.0 traffic. will that create an issue?
September 16th, 2009 11:13am

Hi Andrew,128.x.y.z is class B address. Hence, netmask is 255.255.0.0.So, this approach ("make this connection the client's default gateway " option is unset & there is no special route update file) is not suitable for your environment.So, coming back to the issue where you are getting 0x8007000b error during route update... this could be because of having additional blank lines at the endin your cmroute.txt file. Please remove blank lines at the end if there are any& try out connecting once.
Free Windows Admin Tool Kit Click here and download it now
September 17th, 2009 5:26am

Hi Andrew,128.x.y.z is class B address. Hence, netmask is 255.255.0.0.So, this approach ("make this connection the client's default gateway " option is unset & there is no special route update file) is not suitable for your environment.So, coming back to the issue where you are getting 0x8007000b error during route update... this could be because of having additional blank lines at the endin your cmroute.txt file. Please remove blank lines at the end if there are any& try out connecting once.
September 17th, 2009 5:26am

It's still not working! I tried using no extra row, put extra space on the end of each line, put 2 extra rows ... they didn't make any difference. I don't get it. The same routing update file is exactly the same as the one for windows xp and it works for xp. I found this post: http://www.tech-archive.net/Archive/Win2000/microsoft.public.win2000.ras_routing/2005-09/msg00086.html Maybe there's something that prevent the modification of classful subnet? Or is it one of the "security enhancement" of vista? I tried to connect using both wireless and LAN (not at the same time of course).
Free Windows Admin Tool Kit Click here and download it now
September 21st, 2009 4:19am

It's still not working! I tried using no extra row, put extra space on the end of each line, put 2 extra rows ... they didn't make any difference. I don't get it. The same routing update file is exactly the same as the one for windows xp and it works for xp. I found this post: http://www.tech-archive.net/Archive/Win2000/microsoft.public.win2000.ras_routing/2005-09/msg00086.html Maybe there's something that prevent the modification of classful subnet? Or is it one of the "security enhancement" of vista? I tried to connect using both wireless and LAN (not at the same time of course).
September 21st, 2009 4:19am

Hi Andrew,In Vista, we should not have the combination of'Make this connection the client's default gateway' checked and REMOVE_GATEWAY command in route update file. When 'Make this connection the client's default gateway' is checked, after RAS connection, default routes are disabled on all network interfaces (This isa security enhancement in Vista).And, with REMOVE_GATEWAY command in route update file, default route added to follow the VPN path gets deleted. So, effectively, there is no default route on client's machine. Hence, internet traffic will be affected.But, the error that you are getting (0x8007000b) is not because of the above reason.I configured my RAS server to give out IP addresses (static pool)from 128.250.14.1 to 128.250.14.254 for RAS client machines while establishing RAS connection.Then I created 1 VPN profile using CMAK with the following settings:Uncheck 'Make this connection the client's default gateway' in both IPv4 and IPv6 tabsUse the route updatefile having the entries mentioned below.ADD 128.250.14.0 MASK 255.255.255.0 default METRIC default IF defaultDELETE 128.250.0.0 MASK 255.255.0.0 default METRIC default IF defalutWith this profile after successful RAS connection, client got IP: 128.250.14.8 from RAS server. And,routing table is like:<default route entry is untouched>........128.250.14.0 255.255.255.0 on-link 128.250.14.8 38128.250.14.8 255.255.255.255 on-link 128.250.14.8 276128.250.14.255 255.255.255.255 on-link 128.250.14.8 276223.0.0.10 255.255.255.255 on-link 223.0.0.12 21........Here, default route entry is untouched. So, internet traffic will follow the same old path.Route entry 128.250.14.0/24 got added as specified in the route update file. So, office traffic will follow the VPN path.Route entry 128.250.0.0/16, which RAS adds by default (as 128 is class B address) got deleted with the DELETE command in route update file. So, 128.250.12.0 / 128.250.13.0 traffic does not follow the VPN path.223.0.0.10 is my RAS server's public interface. Can you pleasecreate 1 CMAK profile as mentioned above and check the results in your environment? Ensure that route update file does not contain any extra space at the end of each line and no extra line at the end of the file and it is ANSI encoded.
Free Windows Admin Tool Kit Click here and download it now
September 22nd, 2009 6:55am

Hi Andrew,In Vista, we should not have the combination of'Make this connection the client's default gateway' checked and REMOVE_GATEWAY command in route update file. When 'Make this connection the client's default gateway' is checked, after RAS connection, default routes are disabled on all network interfaces (This isa security enhancement in Vista).And, with REMOVE_GATEWAY command in route update file, default route added to follow the VPN path gets deleted. So, effectively, there is no default route on client's machine. Hence, internet traffic will be affected.But, the error that you are getting (0x8007000b) is not because of the above reason.I configured my RAS server to give out IP addresses (static pool)from 128.250.14.1 to 128.250.14.254 for RAS client machines while establishing RAS connection.Then I created 1 VPN profile using CMAK with the following settings:Uncheck 'Make this connection the client's default gateway' in both IPv4 and IPv6 tabsUse the route updatefile having the entries mentioned below.ADD 128.250.14.0 MASK 255.255.255.0 default METRIC default IF defaultDELETE 128.250.0.0 MASK 255.255.0.0 default METRIC default IF defalutWith this profile after successful RAS connection, client got IP: 128.250.14.8 from RAS server. And,routing table is like:<default route entry is untouched>........128.250.14.0 255.255.255.0 on-link 128.250.14.8 38128.250.14.8 255.255.255.255 on-link 128.250.14.8 276128.250.14.255 255.255.255.255 on-link 128.250.14.8 276223.0.0.10 255.255.255.255 on-link 223.0.0.12 21........Here, default route entry is untouched. So, internet traffic will follow the same old path.Route entry 128.250.14.0/24 got added as specified in the route update file. So, office traffic will follow the VPN path.Route entry 128.250.0.0/16, which RAS adds by default (as 128 is class B address) got deleted with the DELETE command in route update file. So, 128.250.12.0 / 128.250.13.0 traffic does not follow the VPN path.223.0.0.10 is my RAS server's public interface. Can you pleasecreate 1 CMAK profile as mentioned above and check the results in your environment? Ensure that route update file does not contain any extra space at the end of each line and no extra line at the end of the file and it is ANSI encoded.
September 22nd, 2009 6:55am

It returns me with the same error again! I did remove the "make this default g/w" option and use the same command (correction, 2nd line says "...defalut") but it still don't want to work. I even tried to swap the order of the route command but no luck. Connect action to update your routing table failed (8007000b) Is there anything I can send you ... the .cms file perhaps? Or if there's a simple route command that I can use to test if it actually can update the routing table?
Free Windows Admin Tool Kit Click here and download it now
September 23rd, 2009 11:04am

It returns me with the same error again! I did remove the "make this default g/w" option and use the same command (correction, 2nd line says "...defalut") but it still don't want to work. I even tried to swap the order of the route command but no luck. Connect action to update your routing table failed (8007000b) Is there anything I can send you ... the .cms file perhaps? Or if there's a simple route command that I can use to test if it actually can update the routing table?
September 23rd, 2009 11:04am

after several correspondence via email, the issue has been identified and fixed. The text file that I used for routing table update is using UTF-8, while it needs to be ANSI to work. I don't know how it happened wince the rest of the .txt files I use are all ANSI. For VISTA, I'm using the routing update info as directed by Ramakrishna above: ADD 128.250.14.0 MASK 255.255.255.0 default METRIC default IF default DELETE 128.250.0.0 MASK 255.255.0.0 default METRIC default IF defalut
Free Windows Admin Tool Kit Click here and download it now
September 30th, 2009 12:40am

Hi,Me too configured L2TP_IPSEC vpn using CMAK tool. everything is seems to be ok, but my routing table is updating with local interface as gateway.my local network is : 192.168.9.0/24 and gatway is 192.168.9.1my vpn client ip address : 192.168.111.2my office network should route to vpn interce is 172.16.10.0/24I'm using the routing update info:-ADD 172.16.10.0 MASK 255.255.255.0 default METRIC default IF defaultvpn is established succesfully, if look into route print i saw route 172.16.10.0 255.255.255.0 192.168.9.1 192.168.9.44whic is wrong.. gateway suppose to be VPN interface (192.168.111.2)Pleae help me.regards,Yusef
February 11th, 2010 6:42am

Hi,Me too configured L2TP_IPSEC vpn using CMAK tool. everything is seems to be ok, but my routing table is updating with local interface as gateway.my local network is : 192.168.9.0/24 and gatway is 192.168.9.1my vpn client ip address : 192.168.111.2my office network should route to vpn interce is 172.16.10.0/24I'm using the routing update info:-ADD 172.16.10.0 MASK 255.255.255.0 default METRIC default IF defaultvpn is established succesfully, if look into route print i saw route 172.16.10.0 255.255.255.0 192.168.9.1 192.168.9.44whic is wrong.. gateway suppose to be VPN interface (192.168.111.2)Pleae help me.regards,Yusef
Free Windows Admin Tool Kit Click here and download it now
February 11th, 2010 6:42am

Hi Yusef, Sorry, I never realize that there's another post here. are you still having problem? if yes, run the route print command on cmd and send me the result.
August 4th, 2010 2:11am

Hi Yusef, Sorry, I never realize that there's another post here. are you still having problem? if yes, run the route print command on cmd and send me the result.
Free Windows Admin Tool Kit Click here and download it now
August 4th, 2010 2:11am

For anyone else who searches for this, and has errors specific to Windows 7 (possibly 64-bit-specific as well), I have some additional info. I've been pulling my hair out on this for the past few hours on this. I have several users who use netbooks and need to be able to connect to corporate resources for two networks but use the Internet for everything else. I wanted to easily create a VPN profile for initial setup so they could connect to wifi, 3g card or whatever and then launch a VPN that would just "do the right thing". Of course, the catch in this environment is having more than one network on the vpn that you want tunneled. By default, the windows RAS client will know the one network you're connecting to, but if you have multiple networks, you're in for some fun. I got so frustrated going through the CMAK -> build new profile -> distribute somewhere -> install on a windows 7 client --> get the error --> try again with a different routing file... process over and over again, I ended up using the URL version so I could keep trying different routing files without having to do an entire rebuild. This allowed me to test different iterations of the routing.txt file (or cmroute.txt file - doesn't matter what you name it, as long as it's < 8 characters long) Result? It appears as though the 64-bit windows 7 vpn client has a problem with case sensitivity in the routing update file. This routing.txt file works: ----------------------------------------- REMOVE_GATEWAY add 10.50.30.0 mask 255.255.255.0 default metric default if default ----------------------------------------- This routing.txt file DOES NOT work: ----------------------------------------- REMOVE_GATEWAY ADD 10.50.30.0 MASK 255.255.255.0 default METRIC default IF default ----------------------------------------- The ONLY difference between these two files is the upper/lower case of the add/mask/metric/if portions. Other things to keep in mind: Keep the routing text file you use to less than 8 characters. Other people have reported issues where the long filename (ie, myroutingfile.txt) gets put into the .cms file but the file that gets copied is converted to 8.3 format (ie myrout~1.txt). I saw this described at http://www.geeksandguitars.com/post/2010/08/19/CMAK-and-Routing-Table-error-80070002.aspx The lack of documentation is really amazing. Some people say "REMOVE_GATEWAY" does one thing; and others say another thing. In my example, I wanted clients to have a split tunnel such that the remote network from the vpn server was honored, one other network (the 10.50.30.0/24 example above) was tunneled and every other network went out the normal default gateway (ie, straight to the internet and not tunneled). So, my profile had the option for "use default gateway on remote network" UNCHECKED, *and* I used REMOVE_GATEWAY. That was the only way I could get what I wanted to work correctly The error I'd get spit out by the vpn client changed a lot. I'm including them here for googling: sometimes it was 80070057, sometimes it was 8007000b sometimes it was 80070002, and a couple of times it was 80071392. That last one was particularly frustrating because the only hits had to do with instant messaging! As already mentioned above by p.andrew, the txt file used for routing updates needs to be ANSI. If you're wondering how to make an ANSI text file, if you used notepad, chances are it's ANSI. If you want to double check, do file-> save as, and it has a dropdown box where you can specify ANSI, unicode or other formats for your file. For my URL-retrieved file, I saved the file using vi/vim onto a Linux box and didn't have any issues. I also saw "termination reason 631" in the event viewer a few times, with event id 20226 for rasclient. However, that doesn't appear to be documented anywhere, only 8xx codes for 20226/rasclient. Hope this helps! Wayne
June 5th, 2011 11:11pm

For anyone else who searches for this, and has errors specific to Windows 7 (possibly 64-bit-specific as well), I have some additional info. I've been pulling my hair out on this for the past few hours on this. I have several users who use netbooks and need to be able to connect to corporate resources for two networks but use the Internet for everything else. I wanted to easily create a VPN profile for initial setup so they could connect to wifi, 3g card or whatever and then launch a VPN that would just "do the right thing". Of course, the catch in this environment is having more than one network on the vpn that you want tunneled. By default, the windows RAS client will know the one network you're connecting to, but if you have multiple networks, you're in for some fun. I got so frustrated going through the CMAK -> build new profile -> distribute somewhere -> install on a windows 7 client --> get the error --> try again with a different routing file... process over and over again, I ended up using the URL version so I could keep trying different routing files without having to do an entire rebuild. This allowed me to test different iterations of the routing.txt file (or cmroute.txt file - doesn't matter what you name it, as long as it's < 8 characters long) Result? It appears as though the 64-bit windows 7 vpn client has a problem with case sensitivity in the routing update file. This routing.txt file works: ----------------------------------------- REMOVE_GATEWAY add 10.50.30.0 mask 255.255.255.0 default metric default if default ----------------------------------------- This routing.txt file DOES NOT work: ----------------------------------------- REMOVE_GATEWAY ADD 10.50.30.0 MASK 255.255.255.0 default METRIC default IF default ----------------------------------------- The ONLY difference between these two files is the upper/lower case of the add/mask/metric/if portions. Other things to keep in mind: Keep the routing text file you use to less than 8 characters. Other people have reported issues where the long filename (ie, myroutingfile.txt) gets put into the .cms file but the file that gets copied is converted to 8.3 format (ie myrout~1.txt). I saw this described at http://www.geeksandguitars.com/post/2010/08/19/CMAK-and-Routing-Table-error-80070002.aspx The lack of documentation is really amazing. Some people say "REMOVE_GATEWAY" does one thing; and others say another thing. In my example, I wanted clients to have a split tunnel such that the remote network from the vpn server was honored, one other network (the 10.50.30.0/24 example above) was tunneled and every other network went out the normal default gateway (ie, straight to the internet and not tunneled). So, my profile had the option for "use default gateway on remote network" UNCHECKED, *and* I used REMOVE_GATEWAY. That was the only way I could get what I wanted to work correctly The error I'd get spit out by the vpn client changed a lot. I'm including them here for googling: sometimes it was 80070057, sometimes it was 8007000b sometimes it was 80070002, and a couple of times it was 80071392. That last one was particularly frustrating because the only hits had to do with instant messaging! As already mentioned above by p.andrew, the txt file used for routing updates needs to be ANSI. If you're wondering how to make an ANSI text file, if you used notepad, chances are it's ANSI. If you want to double check, do file-> save as, and it has a dropdown box where you can specify ANSI, unicode or other formats for your file. For my URL-retrieved file, I saved the file using vi/vim onto a Linux box and didn't have any issues. I also saw "termination reason 631" in the event viewer a few times, with event id 20226 for rasclient. However, that doesn't appear to be documented anywhere, only 8xx codes for 20226/rasclient. Hope this helps! Wayne
Free Windows Admin Tool Kit Click here and download it now
June 5th, 2011 11:11pm

For anyone else who searches for this, and has errors specific to Windows 7 (possibly 64-bit-specific as well), I have some additional info. I've been pulling my hair out on this for the past few hours on this. I have several users who use netbooks and need to be able to connect to corporate resources for two networks but use the Internet for everything else. I wanted to easily create a VPN profile for initial setup so they could connect to wifi, 3g card or whatever and then launch a VPN that would just "do the right thing". Of course, the catch in this environment is having more than one network on the vpn that you want tunneled. By default, the windows RAS client will know the one network you're connecting to, but if you have multiple networks, you're in for some fun. I got so frustrated going through the CMAK -> build new profile -> distribute somewhere -> install on a windows 7 client --> get the error --> try again with a different routing file... process over and over again, I ended up using the URL version so I could keep trying different routing files without having to do an entire rebuild. This allowed me to test different iterations of the routing.txt file (or cmroute.txt file - doesn't matter what you name it, as long as it's < 8 characters long) Result? It appears as though the 64-bit windows 7 vpn client has a problem with case sensitivity in the routing update file. This routing.txt file works: ----------------------------------------- REMOVE_GATEWAY add 10.50.30.0 mask 255.255.255.0 default metric default if default ----------------------------------------- This routing.txt file DOES NOT work: ----------------------------------------- REMOVE_GATEWAY ADD 10.50.30.0 MASK 255.255.255.0 default METRIC default IF default ----------------------------------------- The ONLY difference between these two files is the upper/lower case of the add/mask/metric/if portions. Other things to keep in mind: Keep the routing text file you use to less than 8 characters. Other people have reported issues where the long filename (ie, myroutingfile.txt) gets put into the .cms file but the file that gets copied is converted to 8.3 format (ie myrout~1.txt). I saw this described at http://www.geeksandguitars.com/post/2010/08/19/CMAK-and-Routing-Table-error-80070002.aspx The lack of documentation is really amazing. Some people say "REMOVE_GATEWAY" does one thing; and others say another thing. In my example, I wanted clients to have a split tunnel such that the remote network from the vpn server was honored, one other network (the 10.50.30.0/24 example above) was tunneled and every other network went out the normal default gateway (ie, straight to the internet and not tunneled). So, my profile had the option for "use default gateway on remote network" UNCHECKED, *and* I used REMOVE_GATEWAY. That was the only way I could get what I wanted to work correctly The error I'd get spit out by the vpn client changed a lot. I'm including them here for googling: sometimes it was 80070057, sometimes it was 8007000b sometimes it was 80070002, and a couple of times it was 80071392. That last one was particularly frustrating because the only hits had to do with instant messaging! As already mentioned above by p.andrew, the txt file used for routing updates needs to be ANSI. If you're wondering how to make an ANSI text file, if you used notepad, chances are it's ANSI. If you want to double check, do file-> save as, and it has a dropdown box where you can specify ANSI, unicode or other formats for your file. For my URL-retrieved file, I saved the file using vi/vim onto a Linux box and didn't have any issues. I also saw "termination reason 631" in the event viewer a few times, with event id 20226 for rasclient. However, that doesn't appear to be documented anywhere, only 8xx codes for 20226/rasclient. Hope this helps! Wayne Can you post your .cms file and routing file? I'm trying to make split VPN as you described - and still 80071392 or no default route (not my internal networks) to Internet. -=C U=-
October 3rd, 2011 8:49am

For anyone else who searches for this, and has errors specific to Windows 7 (possibly 64-bit-specific as well), I have some additional info. I've been pulling my hair out on this for the past few hours on this. I have several users who use netbooks and need to be able to connect to corporate resources for two networks but use the Internet for everything else. I wanted to easily create a VPN profile for initial setup so they could connect to wifi, 3g card or whatever and then launch a VPN that would just "do the right thing". Of course, the catch in this environment is having more than one network on the vpn that you want tunneled. By default, the windows RAS client will know the one network you're connecting to, but if you have multiple networks, you're in for some fun. I got so frustrated going through the CMAK -> build new profile -> distribute somewhere -> install on a windows 7 client --> get the error --> try again with a different routing file... process over and over again, I ended up using the URL version so I could keep trying different routing files without having to do an entire rebuild. This allowed me to test different iterations of the routing.txt file (or cmroute.txt file - doesn't matter what you name it, as long as it's < 8 characters long) Result? It appears as though the 64-bit windows 7 vpn client has a problem with case sensitivity in the routing update file. This routing.txt file works: ----------------------------------------- REMOVE_GATEWAY add 10.50.30.0 mask 255.255.255.0 default metric default if default ----------------------------------------- This routing.txt file DOES NOT work: ----------------------------------------- REMOVE_GATEWAY ADD 10.50.30.0 MASK 255.255.255.0 default METRIC default IF default ----------------------------------------- The ONLY difference between these two files is the upper/lower case of the add/mask/metric/if portions. Other things to keep in mind: Keep the routing text file you use to less than 8 characters. Other people have reported issues where the long filename (ie, myroutingfile.txt) gets put into the .cms file but the file that gets copied is converted to 8.3 format (ie myrout~1.txt). I saw this described at http://www.geeksandguitars.com/post/2010/08/19/CMAK-and-Routing-Table-error-80070002.aspx The lack of documentation is really amazing. Some people say "REMOVE_GATEWAY" does one thing; and others say another thing. In my example, I wanted clients to have a split tunnel such that the remote network from the vpn server was honored, one other network (the 10.50.30.0/24 example above) was tunneled and every other network went out the normal default gateway (ie, straight to the internet and not tunneled). So, my profile had the option for "use default gateway on remote network" UNCHECKED, *and* I used REMOVE_GATEWAY. That was the only way I could get what I wanted to work correctly The error I'd get spit out by the vpn client changed a lot. I'm including them here for googling: sometimes it was 80070057, sometimes it was 8007000b sometimes it was 80070002, and a couple of times it was 80071392. That last one was particularly frustrating because the only hits had to do with instant messaging! As already mentioned above by p.andrew, the txt file used for routing updates needs to be ANSI. If you're wondering how to make an ANSI text file, if you used notepad, chances are it's ANSI. If you want to double check, do file-> save as, and it has a dropdown box where you can specify ANSI, unicode or other formats for your file. For my URL-retrieved file, I saved the file using vi/vim onto a Linux box and didn't have any issues. I also saw "termination reason 631" in the event viewer a few times, with event id 20226 for rasclient. However, that doesn't appear to be documented anywhere, only 8xx codes for 20226/rasclient. Hope this helps! Wayne Can you post your .cms file and routing file? I'm trying to make split VPN as you described - and still 80071392 or no default route (not my internal networks) to Internet. -=C U=-
Free Windows Admin Tool Kit Click here and download it now
October 3rd, 2011 8:49am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics