PPTP & Routing Interesting Traffic
Today I was at a client’s corporate office configuring a new Cisco PIX 506 firewall with VPN support. While the PIX supports IPSEC, we decided to use PPTP because client-side configuration on Windows 2000/XP is very straightforward and rather simple for a non-technical employee to configure.
After configuring PPTP on the PIX (which is a snap), I configured and tested a Windows XP workstation using a dialup connection. While the test was a success (the tunnel was established and the secure network could be accessed), internet access failed because the PIX won’t/can’t redirect traffic that isn’t on its local network (Plug: the Cisco VPN Concentrator can perform this task with ease). A simple fix for this problem would appear to be to modify the Windows VPN connection and disable the “Use default gateway on remote network” option, but then no traffic gets through the VPN tunnel to the secure network.
The problem here is actually rather simple: since Windows doesn’t know which traffic is interesting (traffic that should be sent through the VPN), it sends everything through the default connection, which is typically your ISP. In order to fix this problem, all you need to do is add a route statement that basically says “send all traffic destined for my secure network to my PPTP VPN connection”. Of course adding a route statement is easy, but the problem is that PPTP connections don’t always provide the same IP address every time you connect, and obviously you don’t want to have to configure this route statement each and every time you use your VPN connection (imagine Salesguy Steve doing this every time!).
So, in order to solve the problem I decided to create a quick and dirty script in VBScript. Now, before I go any further, I must admit that the inspiration for this script came from something that Ryan wrote about three years ago using just a DOS batch file, but for the life of me I can’t find the script. My script basically dials a pre-defined VPN connection within Windows, determines the IP address of the PPTP connection and then creates the necessary static route.
```vbscript
'Program: PPTP Route Addition Script
'Version: 1.0
'Author: Joshua R. Cook
'Website: http://www.joshcook.net/
'Date: 1.13.2005

'***********************
'Task: Variable Creation

'In Windows, the name of the VPN connection as it appears in Network Connections
VPNConnection = "My Work VPN"
'The username for the VPN connection
VPNUsername = "username"
'The password for the VPN connection (stored in clear text, so restrict who can read this file)
VPNPassword = "password"
'The IP range that is provided to PPTP clients, without the last octet (this is used for matching purposes)
PPTPNetwork = "192.168.1."
'The route command that should be executed, without the gateway
' - route add *network* mask *netmask*
RouteCommand = "route add 10.0.0.0 mask 255.255.255.0"

'*********************************
'Task: Establish Dialup Connection
Set Shell = CreateObject("WScript.Shell")
'Window style 6 = minimized; True = wait for rasdial to finish before continuing
Shell.Run "Rasdial " & VPNConnection & " " & VPNUsername & " " & VPNPassword, 6, True
Set Shell = Nothing

'*********************************
'Task: Obtain *Correct* IP Address
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "!\\" & strComputer & "\root\cimv2")
Set colAdapters = objWMIService.ExecQuery("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled = True")
For Each objAdapter In colAdapters
    'The PPTP adapter is the one whose first address begins with the PPTP pool prefix
    '(InStr must return 1, a match at the start, so a LAN address that merely contains the prefix is ignored)
    If InStr(objAdapter.IPAddress(0), PPTPNetwork) = 1 Then VPNIPAddress = objAdapter.IPAddress(0)
Next
Set colAdapters = Nothing
Set objWMIService = Nothing

'*************************
'Task: Add Route Statement
'Needs administrative rights; the route is not persistent and goes away when the PPTP adapter does
Set Shell = CreateObject("WScript.Shell")
Shell.Run RouteCommand & " " & VPNIPAddress, 6, True
Set Shell = Nothing
```
Download this code: pptp.vbs
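As an added illustration (not part of the original post or its script), here are the two decisions the script relies on, written in Python so they can be checked offline: choosing the PPTP adapter address by subnet membership rather than by substring, and the longest-prefix route lookup that sends 10.0.0.0/24 through the tunnel while everything else still uses the ISP. All addresses, including the adapter list and the ISP gateway, are constructed sample values.

```python
import ipaddress

# Constructed sample data mirroring the post's scenario: the PPTP client pool,
# the office subnet behind the PIX, and the addresses a client's adapters report
# (a LAN address that happens to contain "10.1." and the PPTP virtual adapter).
PPTP_POOL = "192.168.1.0/24"
OFFICE_NET = "10.0.0.0/24"
ADAPTER_IPS = ["10.10.1.5", "192.168.1.37"]


def pick_vpn_address(adapter_ips, pptp_pool):
    """Return the one adapter address inside the PPTP pool.

    Membership is tested on parsed addresses, so a pool of 10.1.0.0/24 can
    never be matched by a LAN address such as 10.10.1.5 the way a plain
    substring search for "10.1." would.
    """
    pool = ipaddress.ip_network(pptp_pool)
    matches = [ip for ip in adapter_ips if ipaddress.ip_address(ip) in pool]
    if len(matches) != 1:
        raise RuntimeError(f"expected exactly one PPTP address, found {matches}")
    return matches[0]


def build_routes(vpn_ip, isp_gateway="203.0.113.1"):
    """Routing table after the script runs: default via the ISP (the
    'use default gateway on remote network' box is unticked) plus the one
    static route for the office subnet via the PPTP adapter's own address."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), isp_gateway),
        (ipaddress.ip_network(OFFICE_NET), vpn_ip),
    ]


def next_hop(routes, destination):
    """Longest-prefix match, the decision Windows makes per packet."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, gateway in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


if __name__ == "__main__":
    vpn_ip = pick_vpn_address(ADAPTER_IPS, PPTP_POOL)
    table = build_routes(vpn_ip)
    print("route add 10.0.0.0 mask 255.255.255.0", vpn_ip)
    print("10.0.0.25 ->", next_hop(table, "10.0.0.25"))  # through the tunnel
    print("8.8.8.8   ->", next_hop(table, "8.8.8.8"))    # straight to the ISP
```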
It’s a simple script, but it seems to work perfectly. If you use it please feel free to add a comment to let me know!
Originally written on 01/14/2005