25 Jul
Today I was at a client's corporate office configuring a new Cisco PIX 506 firewall with VPN support. While the PIX supports IPsec, we decided to use PPTP because the client-side configuration on Windows 2000/XP is very straightforward and simple enough for a non-technical employee to set up (the trade-off being that PPTP is a considerably weaker protocol than IPsec).
After configuring PPTP on the PIX (which is a snap), I configured and tested a Windows XP workstation using a dial-up connection. The test itself was a success (the tunnel was established and the secure network could be reached), but internet access failed, because the PIX won't/can't redirect traffic that isn't destined for its local network (plug: the Cisco VPN Concentrator performs this task with ease). The obvious fix would appear to be to edit the Windows VPN connection and disable the "Use default gateway on remote network" option, but once that is done no traffic reaches the secure network through the tunnel at all.
The problem here is actually rather simple: Windows doesn't know which traffic is interesting (traffic that should be sent through the VPN), so it sends everything through the default connection, which is typically your ISP. To fix it, all you need is a route statement that says, in effect, "send all traffic destined for my secure network to my PPTP VPN connection", i.e. a route for the secure network whose gateway is the address the PPTP server assigned to the client (for example, route add 10.0.0.0 mask 255.255.255.0 192.168.1.5). Adding a route statement is easy; the problem is that PPTP connections don't always hand out the same IP address every time you connect, and obviously you don't want to reconfigure the route each and every time you use the VPN (imagine Salesguy Steve doing this every time!).
So, to solve the problem I decided to write a quick and dirty script in VBScript. Before I go any further, I must admit that the inspiration for this script came from something Ryan wrote about three years ago using just a DOS batch file, but for the life of me I can't find it. My script connects a pre-defined VPN connection within Windows, determines the IP address of the PPTP connection and then creates the necessary static route.
'Program: PPTP Route Addition Script
'Version: 1.0
'Author: Joshua R. Cook
'Website: http://www.joshcook.net/
'Date: 1.13.2005
'***********************
'Task: Variable Creation

'In Windows, the name of the VPN connection as it appears in Network Connections
VPNConnection = "My Work VPN"
'The username for the VPN connection
VPNUsername = "username"
'The password for the VPN connection (stored in plain text, so protect this file)
VPNPassword = "password"
'The IP range that is provided to PPTP clients, without the last octet (this is used for matching purposes)
PPTPNetwork = "192.168.1."
'The route command that should be executed, without the gateway
' - route add *network* mask *netmask*
RouteCommand = "route add 10.0.0.0 mask 255.255.255.0"

'*********************************
'Task: Establish Dialup Connection
'The connection name is quoted so that names containing spaces work with rasdial
Set Shell = CreateObject("WScript.Shell")
Shell.Run "Rasdial " & Chr(34) & VPNConnection & Chr(34) & " " & VPNUsername & " " & VPNPassword, 6, True
Set Shell = Nothing

'*********************************
'Task: Obtain *Correct* IP Address
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colAdapters = objWMIService.ExecQuery("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled = True")
VPNIPAddress = ""
For Each objAdapter In colAdapters
    'Match on the leading octets of the adapter's first address
    If Left(objAdapter.IPAddress(0), Len(PPTPNetwork)) = PPTPNetwork Then
        VPNIPAddress = objAdapter.IPAddress(0)
    End If
Next
Set colAdapters = Nothing
Set objWMIService = Nothing

'*************************
'Task: Add Route Statement
'Do not run route add with an empty gateway if the tunnel never came up
If VPNIPAddress = "" Then
    WScript.Echo "No adapter with an address in " & PPTPNetwork & "x was found; is the VPN connected?"
    WScript.Quit 1
End If
'On a PPP link the client's own tunnel address is used as the gateway
Set Shell = CreateObject("WScript.Shell")
Shell.Run RouteCommand & " " & VPNIPAddress, 6, True
Set Shell = Nothing
Download this code: pptp.vbs
It’s a simple script, but it seems to work perfectly. If you use it please feel free to add a comment to let me know!
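The same three steps (dial, find the tunnel address, add the route) in PowerShell, as an added example that is not part of the original post or its script. It assumes a current Windows client (Windows 8 / Server 2012 or later, for Get-NetIPAddress) and the same hypothetical names the VBScript uses: a connection called "My Work VPN", a PPTP client pool of 192.168.1.0/24 and a protected network of 10.0.0.0/24; replace all three. It prompts for credentials instead of embedding them in the file, looks the tunnel address up by the RAS interface alias (Windows names that interface after the connection) with the VBScript's prefix match as a fallback, and refuses to add the route if no tunnel address was found.

```powershell
# Added example, not the original post's script. All names below are assumptions.
param(
    [string]$ConnectionName   = 'My Work VPN',   # hypothetical connection name
    [string]$PptpClientPrefix = '192.168.1.',    # hypothetical client pool, without last octet
    [string]$SecureNetwork    = '10.0.0.0',      # hypothetical protected network
    [string]$SecureMask       = '255.255.255.0'
)

# Step 1: dial. Prompting keeps the password out of the script file, although
# rasdial.exe still receives it as a command-line argument while it runs.
$cred  = Get-Credential -Message "Credentials for $ConnectionName"
$plain = $cred.GetNetworkCredential().Password
& rasdial.exe $ConnectionName $cred.UserName $plain | Out-Null
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# Step 2: find the address the PPTP server handed out. The RAS interface alias
# is the connection name; if that lookup returns nothing, fall back to matching
# the client pool prefix the way the VBScript does.
$vpnIp = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $ConnectionName -ErrorAction SilentlyContinue |
         Select-Object -First 1 -ExpandProperty IPAddress
if (-not $vpnIp) {
    $vpnIp = Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress.StartsWith($PptpClientPrefix) } |
             Select-Object -First 1 -ExpandProperty IPAddress
}
if (-not $vpnIp) { throw "No tunnel address found for '$ConnectionName'; is it connected?" }

# Step 3: route the protected network through the tunnel. On a PPP link the
# client's own address is the gateway. The route is deliberately not persistent
# (no -p): the address can change on the next connect, so it is re-added each time.
# Clear any route left behind by an earlier session first; a failure here is harmless.
& route.exe delete $SecureNetwork mask $SecureMask | Out-Null
& route.exe add $SecureNetwork mask $SecureMask $vpnIp | Out-Null
if ($LASTEXITCODE -ne 0) { throw "route add failed with exit code $LASTEXITCODE" }
Write-Output "$ConnectionName is up on $vpnIp; $SecureNetwork/$SecureMask is routed through the tunnel"
```

Run it from an elevated prompt, since route add needs administrator rights. On Windows 8.1 and later the route can also be stored in the connection profile instead of a script: Set-VpnConnection -Name 'My Work VPN' -SplitTunneling $true followed by Add-VpnConnectionRoute -ConnectionName 'My Work VPN' -DestinationPrefix 10.0.0.0/24 makes Windows install the split-tunnel route itself on every connect, whatever address the server assigns.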
Originally written on 01/14/2005
9 Responses for "PPTP & Routing Interesting Traffic"
I was experiencing this problem as well.
Would be wonderful if we could pass information like this to the client as part of establishing the VPN connect, you know, configure it server side.
Thanks for the script!
Actually, quite frankly, the commentary is more interesting than the messages themselves. (Not to insult the author, of course :))
“internet access failed because the PIX won’t/can’t redirect traffic that isn’t on it’s local network”
Not true. The PIX will not allow traffic to enter and leave the same interface regardless of network location (security “feature”). Hence why it won’t route packets on its inside interface (Router on a stick kind of implementation).
The ASA will in fact do this though.
JJ: I was referring to the fact the PIX won’t route. As far as entering and leaving the same interface, isn’t this exactly how VPN works???
See:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml#intro
PIX version 7.0 improves support for spoke-to-spoke VPN communications as it provides the ability for encrypted traffic to enter and leave the same interface.
The same-security-traffic command permits traffic to enter and exit the same interface…
Thanks for the script. I was experiencing the same problem with a PPTP connection and the script just helped me to avoid adding a route every time I connect to the VPN so I don't lose my Internet connection.
We were using a similar script a while back, but IPsec really is a better protocol. I can see your point though, IPsec on Windows is a can of worms, unlike on *nix where it takes 5 mins to set up.
JJ: The funny part is that PIX version 7.0 doesn’t support PPTP. So there’s really no point discussing this, correct?
@echo off
cls
REM vpn.bat
REM Mark Hudy
REM 5/14/2009
REM
REM This batch file connects a VPN by its "exact name", username and password
REM Queries the routing table for a network value (192.168.1) and writes the results to %temp%\routes.txt
REM Parses %temp%\routes.txt grabbing the value from the 3rd column in the top row only (pptp gateway)
REM and adds a route for the foreign network (1.2.3.0/24) using the pptp gateway.
REM The 'pause' at the end allows the user/customer to view the results before the window closes
REM and assumes you have created a shortcut pointing to the batch file.
echo.
echo -------------------------------
echo VPN Status:
rasdial
echo -------------------------------
:start
echo.
echo [1] Sample VPN Connect
echo [2] Sample VPN Disconnect
echo [3] Do Neither and Cancel
echo.
set /p userinp=choose a number(1-3):
set userinp=%userinp:~0,1%
if "%userinp%"=="1" goto 1
if "%userinp%"=="2" goto 2
if "%userinp%"=="3" goto close
echo invalid choice
goto start
:1
REM The password is embedded here in plain text, so protect this file
rasdial "Sample VPN Connection" SomeUsername SomePassword >NUL
set "pptpGateway="
route print | find "192.168.1" >%temp%\routes.txt
REM The 3rd column of "route print" is the Gateway; on a PPP link that is the client's own tunnel address
for /f "tokens=3" %%i in ('type %temp%\routes.txt') do (
    set "pptpGateway=%%i"
    goto :StopParsing
)
:StopParsing
if not defined pptpGateway (
    echo Could not find the PPTP address in the routing table; is the VPN connected?
    goto :end
)
REM The destination must be the network address (1.2.3.0), not a host address, or route add rejects it
route add 1.2.3.0 mask 255.255.255.0 %pptpGateway% >NUL
echo Sample VPN Connection is now connected.
goto :end
:2
rasdial "Sample VPN Connection" /disconnect >NUL
echo Sample VPN Connection is now disconnected.
:end
echo.
pause
:close