Persistent route with VPN
Hi, I'm reposting this question here as I didn't get any responses on superuser.com. Any answers would be greatly appreciated.

In our VPN setup I have to add a route to my routing table like this:

    route add 1.2.3.0 mask 255.255.255.0 172.16.1.1 -p

Our internal addresses 1.2.3.x then use 172.16.1.1 as their gateway and both my local internet and work VPN can work at the same time.

However, when I disconnect from VPN and reconnect again, I can't ping our servers even though the connection status is "Connected". When I do route print my previously added route is listed but it doesn't seem to work. So I try to execute that 'route add' command again and as expected, it tells me that "The route addition failed: The object already exists." But - and that's the point - when I now try to ping our servers again, everything works! So every time, I have to execute this route add command that will fail but fix the issue at the same time.

Any ideas what I might be doing wrong? My PC is Windows 7 x64, I am Administrator, UAC is enabled and the command prompt is run with elevated privileges.
March 17th, 2010 1:47pm

Hi,

May I know the topology of your network? I suspect it should be:

    Client----------------router----------------VPN Server
    1.2.3.0 172.16.1.1

If not, please let me know the exact information about it. In addition, please let me know where you add the route, the client or the VPN Server? If it is the client, I think it is not needed unless you have specific configurations. When the VPN connection is established, a tunnel is built between the VPN Client and the VPN Server, and a route entry will be automatically created on the VPN client to the internal network.

For more information, please refer to: VPN Tunneling Protocols

Hope this helps. Thanks.

Nicholas Li - MSFT
March 19th, 2010 12:42pm

Hi Nicholas, to answer your questions:

* I'm not 100% sure what that 172.16.1.1 IP address is - the IP I set as the destination in the VPN Connection Settings dialog is something like 212.**.**.** so I guess 172.16.1.1 can be some internal router address on the side of our VPN server, yes.
* Yes I'm having this problem on the client side.
* No the routes are not created properly when the VPN connection is established. When I do "route print", I can see no route that would map 1.2.3.x address to the correct gateway so any pings to 1.2.3.x servers fail.
* I have to add the route manually and that is as advised by our network admin. Adding a persistent route used to be enough on Win7 32bit - however, after I've reinstalled Win7 and used the x64 edition, although I can still see the permanent route when I do "route print", it doesn't seem to have any effect until I execute the "route add..." command again and see it fail (because the route is already in the list). My point is, after this failure, things start to work again which is beyond my understanding.

Regards, Borek
March 22nd, 2010 12:11am

I have exactly the same problem. I'm trying to reach the client side from the server side and it doesn't work until I add the route manually. If I make it persistent it doesn't work either; if I add the route again, then I get the "object already exists" error but everything begins to work. The problem is that I can't see a way to make it persistent.
June 6th, 2010 9:55pm

I have the same issue. Basically my steps are:

* Work network consists of multiple networks
  * 192.168.50.0/24
  * 10.50.0.0/16
* Windows 7 Client running PPTP VPN to server connected on 192.168.50.0 network
* Want Windows 7 VPN client to be split tunneled, such that the above two networks go over VPN; all other use normal default gateway

When I set up the Windows 7 PPTP client, I uncheck the "use default gateway on remote network". This is the typical "I want a split tunnel VPN" setup. The VPN works, and the split tunnel works. However, it only works for the 192.168.50.0/24 network. I happen to know that 192.168.50.1 is the route for the remote network, and can reach the 10.50/16 networks.

If I manually add the route on the client

    route add 10.50.0.0 mask 255.255.0.0 192.168.50.1 -p

It works *ONCE*. If I disconnect the VPN and reconnect again later, even though "route print" shows the Persistent route in the table, the route isn't in the Active Routes list. If I reboot, the network works the FIRST time I run the VPN and only then. I either need to reboot or re-run the "route add 10.50.0.0..." command in order to get this to work.

Frustrations:

* It only works once upon reboot.
* The "route add" command must be run as an administrator.
* When "route add" is run to "fix" the problem, it comes up with the "object already exists" error, but it starts working (as mentioned by MikePeralta above)

One workaround is to create a batch script that does the route add part without the -p option, then right-click the file and select "Run as Administrator".

All of this is frustrating because my users are non-technical. They don't understand "run as administrator" or "ipconfig" or "route print" statements. I need them to be able to fire up the VPN easily and not have to know about routes and such. Anyone else find a good workaround that can make a remote user VPN in and get the correct routes each and every time?

I read something about CMAK where we can make pre-tunnel actions (scripts that run while the tunnel is being set up) so maybe that's an option.
June 5th, 2011 8:52pm
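
Added example, not part of the thread or written by any poster: a PowerShell function that reads `route print -4` text and reports every route listed under "Persistent Routes" that is missing from "Active Routes", which is the state described in the post above. The function name and the sample output are constructed for illustration; the addresses are the ones from the post.

```powershell
# Added example (hypothetical helper). It works on text, so it also runs on saved output.
function Get-InactivePersistentRoute {
    param([string[]]$RoutePrintLines)

    $section    = ''
    $active     = @{}   # set of "destination/netmask/gateway" currently in use
    $persistent = @()   # rows listed under "Persistent Routes:"

    foreach ($line in $RoutePrintLines) {
        if ($line -match '^\s*Active Routes:')     { $section = 'active';     continue }
        if ($line -match '^\s*Persistent Routes:') { $section = 'persistent'; continue }
        if ($line -match '^=+\s*$')                { $section = '';           continue }

        # Data rows start with a dotted-quad destination; headers, "None" and IPv6 rows do not.
        $f = @($line.Trim() -split '\s+')
        if ($f.Count -lt 4 -or $f[0] -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }

        $key = '{0}/{1}/{2}' -f $f[0], $f[1], $f[2]
        if ($section -eq 'active')     { $active[$key] = $true }
        if ($section -eq 'persistent') { $persistent += ,$f }
    }

    foreach ($r in $persistent) {
        $key = '{0}/{1}/{2}' -f $r[0], $r[1], $r[2]
        if (-not $active.ContainsKey($key)) {
            New-Object PSObject -Property @{
                Destination  = $r[0]; Netmask = $r[1]; Gateway = $r[2]
                # The thread's workaround: re-add without -p from an elevated prompt.
                ReAddCommand = "route add $($r[0]) mask $($r[1]) $($r[2])"
            }
        }
    }
}

# Constructed sample: VPN reconnected, persistent route present but not active.
$sample = @'
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     25
      192.168.1.0    255.255.255.0         On-link     192.168.1.100    281
     192.168.50.0    255.255.255.0         On-link     192.168.50.20     11
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
        10.50.0.0      255.255.0.0     192.168.50.1       1
===========================================================================
'@ -split "\r?\n"

Get-InactivePersistentRoute -RoutePrintLines $sample | Format-List
```

On a live client the same check is `Get-InactivePersistentRoute (route.exe print -4)`; an empty result means every persistent IPv4 route is also active.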

btw, I found my answer, and that's definitely to use the CMAK. I installed it on my SBS 2008 server (right-click on Features in Server manager --> add feature), ran through the wizard and then promptly hit my head on a wall with regards to the routing update file you need to include with it. I documented my answer on another thread: http://social.technet.microsoft.com/Forums/en-US/winserverPN/thread/8367979a-a504-4451-928c-290e50a41cb9

In short, CMAK is a tool that lets you bundle up VPN/RRAS settings as well as custom routes into a distributable executable. The user runs the executable and it creates the VPN profile with all the settings you specified. For example, you can have it know IPv4 vs IPv6, custom DNS entries, domain suffixes, registration, and you can add/remove routes to support custom split tunneling.

Thomas Shinder has a good article about it here: http://www.windowsecurity.com/articles/Windows-Server-2008-Connection-Manager-Administration-Kit.html
June 5th, 2011 11:46pm

This topic is archived. No further replies will be accepted.
