CMAK and split tunneling trouble.
Hello!
I have an ISA server in my corporate network and want to make a CMAK-based file for my customers to connect to our network.
With Windows XP and Server 2003 there are no problems with split VPN; I've appended a custom route file to CMAK like this:
ADD 192.168.30.0 MASK 255.255.255.0 172.16.11.1 METRIC default IF default
ADD 172.16.0.0 MASK 255.255.0.0 172.16.11.1 METRIC default IF default
REMOVE_GATEWAY
And all is fine: traffic to corporate networks goes through ISA (172.16.11.1) and all other traffic goes through the client's default gateway.
But when I tried to do so with a Win7 box, I got fantastic results with a strange error. Here is the config:
Before VPN
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WIN-NCSFTL8US34
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter LAN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-E3-5A-46
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 77.221.144.211(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 77.221.144.193
DNS Servers . . . . . . . . . . . : 77.221.145.226
77.221.145.254
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\>route print
===========================================================================
Interface List
11...00 0c 29 e3 5a 46 ......Intel(R) PRO/1000 MT Network Connection
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 77.221.144.193 77.221.144.211 266
77.221.144.192 255.255.255.192 On-link 77.221.144.211 266
77.221.144.211 255.255.255.255 On-link 77.221.144.211 266
77.221.144.255 255.255.255.255 On-link 77.221.144.211 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 77.221.144.211 267
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 77.221.144.211 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 77.221.144.193 Default
===========================================================================
C:\>nslookup google.com
Server: ns3.amstelnet.net
Address: 77.221.145.254
Non-authoritative answer:
Name: google.com
Addresses: 74.125.232.50
74.125.232.51
74.125.232.52
74.125.232.48
74.125.232.49
C:\>ping google.com
Pinging google.com [74.125.232.51] with 32 bytes of data:
Reply from 74.125.232.51: bytes=32 time=14ms TTL=55
Reply from 74.125.232.51: bytes=32 time=14ms TTL=55
Reply from 74.125.232.51: bytes=32 time=14ms TTL=55
Reply from 74.125.232.51: bytes=32 time=14ms TTL=55
Ping statistics for 74.125.232.51:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 14ms, Average = 14ms
C:\>tracert google.com
Tracing route to google.com [74.125.232.51]
over a maximum of 30 hops:
1 2 ms 7 ms 5 ms 77.221.144.193.addr.datapoint.ru [77.221.144.193
]
2 * * * Request timed out.
3 14 ms 14 ms 14 ms 72.14.236.167
4 14 ms 14 ms 14 ms 74.125.232.51
Trace complete.
After VPN connected
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WIN-NCSFTL8US34
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : syndicat.ru
PPP adapter syndicat_network:
Connection-specific DNS Suffix . : syndicat.ru
Description . . . . . . . . . . . : syndicat_network
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.16.11.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 172.16.0.18
Primary WINS Server . . . . . . . : 172.16.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter LAN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-E3-5A-46
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 77.221.144.211(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 77.221.144.193
DNS Servers . . . . . . . . . . . : 77.221.145.254
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\>route print
===========================================================================
Interface List
21...........................syndicat_network
11...00 0c 29 e3 5a 46 ......Intel(R) PRO/1000 MT Network Connection
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 77.221.144.193 77.221.144.211 4491
77.221.144.192 255.255.255.192 On-link 77.221.144.211 4491
77.221.144.209 255.255.255.255 On-link 77.221.144.211 4236
77.221.144.211 255.255.255.255 On-link 77.221.144.211 4491
77.221.144.255 255.255.255.255 On-link 77.221.144.211 4491
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4531
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
172.16.0.0 255.255.0.0 172.16.11.1 172.16.11.3 28
172.16.11.3 255.255.255.255 On-link 172.16.11.3 266
192.168.30.0 255.255.255.0 172.16.11.1 172.16.11.3 28
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4531
224.0.0.0 240.0.0.0 On-link 77.221.144.211 4493
224.0.0.0 240.0.0.0 On-link 172.16.11.3 11
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
255.255.255.255 255.255.255.255 On-link 77.221.144.211 4491
255.255.255.255 255.255.255.255 On-link 172.16.11.3 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 77.221.144.193 Default
===========================================================================
C:\>nslookup google.com
Server: srv-dc3.syndicat.ru
Address: 172.16.0.18
Name: google.com
Addresses: 74.125.232.52
74.125.232.50
74.125.232.51
74.125.232.48
74.125.232.49
C:\>ping google.com
Ping request could not find host google.com. Please check the name and try again.
C:\>tracert google.com
Unable to resolve target system name google.com.
C:\>ping srv-dc3
Pinging srv-dc3.syndicat.ru [172.16.0.18] with 32 bytes of data:
Reply from 172.16.0.18: bytes=32 time=6ms TTL=127
Reply from 172.16.0.18: bytes=32 time<1ms TTL=127
Ping statistics for 172.16.0.18:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 6ms, Average = 3ms
Control-C
^C
C:\>tracert srv-dc3
Tracing route to srv-dc3.syndicat.ru [172.16.0.18]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms SRV-ISA [172.16.11.1]
2 <1 ms <1 ms <1 ms srv-dc3.syndicat.ru [172.16.0.18]
Trace complete.
What's wrong? What a mess with Win7 split tunneling?
How to fix it?
Thanks for advice!
-=C U=-
July 1st, 2010 2:42pm
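An added example, not part of the original post: a short Python check that parses the CMAK route file quoted above and reports, by longest-prefix match, whether a destination is sent into the tunnel or out through the client's own gateway. The function names are hypothetical, and the branch without REMOVE_GATEWAY assumes the connection otherwise uses the VPN as its default gateway.

```python
import ipaddress

# Route file exactly as quoted in the first post (CMAK route file syntax).
ROUTE_FILE = """\
ADD 192.168.30.0 MASK 255.255.255.0 172.16.11.1 METRIC default IF default
ADD 172.16.0.0 MASK 255.255.0.0 172.16.11.1 METRIC default IF default
REMOVE_GATEWAY
"""

def parse_route_file(text):
    """Return (tunneled_networks, remove_gateway) from a CMAK route file."""
    networks, remove_gateway = [], False
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        verb = fields[0].upper()
        if verb == "REMOVE_GATEWAY":
            remove_gateway = True
        elif verb == "ADD" and len(fields) >= 5 and fields[2].upper() == "MASK":
            # ip_network accepts dotted netmasks and rejects host bits,
            # so a mistyped destination/mask pair fails loudly here.
            net = ipaddress.ip_network(f"{fields[1]}/{fields[3]}")
            networks.append((net, fields[4]))
        else:
            raise ValueError(f"unrecognised route file line: {raw!r}")
    return networks, remove_gateway

def path_for(dest, networks, remove_gateway):
    """Longest-prefix match: which way does traffic to dest leave the client?"""
    addr = ipaddress.ip_address(dest)
    hits = [(net, gw) for net, gw in networks if addr in net]
    if hits:
        _, gw = max(hits, key=lambda h: h[0].prefixlen)
        return f"tunnel via {gw}"
    # No specific route matched, so the default route decides.
    # Assumption: without REMOVE_GATEWAY the VPN is the default gateway.
    return "local default gateway" if remove_gateway else "tunnel (VPN default route)"

if __name__ == "__main__":
    nets, rg = parse_route_file(ROUTE_FILE)
    # 172.16.0.18 and 74.125.232.51 appear in the post; 192.168.30.10 is constructed.
    for dest in ("172.16.0.18", "192.168.30.10", "74.125.232.51"):
        print(dest, "->", path_for(dest, nets, rg))
```

The result agrees with the route table in the post: the corporate DNS server is reached through 172.16.11.1, while public addresses stay on the client's own gateway.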
Any ideas?
-=C U=-
July 5th, 2010 9:21am
And up again
-=C U=-
July 6th, 2010 2:01pm
Is it a bug? So let's report it and fix it. Or is it a new "feature"? So let us disable it.
It's a mess!
-=C U=-
July 6th, 2010 2:02pm
When is this going to be solved?
Best Regards,
Levente Rog
July 12th, 2010 3:12pm
I have the same issue. It seems to happen when you configure split-DNS. If you use the VPN connection as its default gateway, you don't have this issue.
Boudewijn Plomp, BPMi Infrastructure & Security
February 4th, 2011 6:25am