Screen OS

  • 1.  PPP connection - Gateway

    Posted 09-30-2008 05:08

    I've set up an L2TP VPN on a NetScreen 50. The NetScreen 50 is connected to the internet via a PPPoE connection. When a client connects to the NetScreen (via a PPTP connection), the client can access the resources of the VPN, but he can't ping anything on the internet anymore and thus he can't surf.

     

    I think this is a problem with routes but I don't know how to solve it.

     

    Could anybody help me?

     

    Thanks



  • 2.  RE: PPP connection - Gateway
    Best Answer

    Posted 09-30-2008 15:18

    Hi;

     

    Yes, you're right, it's a routing issue, but you don't have to do anything on your firewall unless you want the PPTP clients to also surf through the firewall in addition to using VPN resources (it's not recommended).

     

    On the client side, just after the PPTP connection is established, if you're running a Windows PPTP client, you get two different default routes:

    the first is the one toward the internet gateway, the second one is to the PPP interface with your firewall.

     

    So to allow the clients to use the VPN resources and continue surfing, you have to delete the new default route created by the PPTP connection, and add a route with the VPN prefix to the PPP interface.

     

    For example:

     

    On the client side, you're connected to the internet using:

     

    cmd>  ipconfig 

     

    Ethernet adapter Local Area Connection: 

     

       IP Address. . . . . . . . . . . : 82.101.152.9
       Subnet Mask . . . . . . . . . . . : 255.255.255.192
       Default Gateway . . . . . . . . . : 82.101.152.1

     

    cmd>  route print

     

    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     82.101.152.1   82.101.152.9      25

     

    After the PPTP connection establishment you'll have :

     

    cmd>  ipconfig  

     

    Ethernet adapter Local Area Connection: 

     

       IP Address. . . . . . . . . . . : 82.101.152.9
       Subnet Mask . . . . . . . . . . . : 255.255.255.192
       Default Gateway . . . . . . . . . : 82.101.152.1

     

    PPP adapter:

     

       IP Address. . . . . . . . . . . : 10.23.74.94
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 10.23.74.94

     

    cmd>  route print

    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      10.23.74.94    10.23.74.94       1
              0.0.0.0          0.0.0.0     82.101.152.1   82.101.152.9      25

     

    You have to delete the newly created default route:

     

    cmd>route del 0.0.0.0 mask 0.0.0.0 10.23.74.94

     

    and add a more specific route; let's say the VPN resources subnet behind your firewall is 172.18.53.0/24:

     

    cmd>route add 172.18.53.0 mask 255.255.255.0 10.23.74.94

     

    So when the client wants to reach your VPN resources, he/she will use the specific route, and continue using the default route to surf.

     

    You can avoid the creation of the default route in Windows by following the procedure below:

     

    - Right-click the PPTP connection, click "Properties".
    - Under the "Networking" tab, choose "Internet Protocol (TCP/IP)" and click "Properties".
    - Under the "General" tab, click "Advanced...".
    - Under the "IP Settings" tab, uncheck the check-box "Use default gateway on remote network".
    - OK, OK, OK ... until closing all the tool-boxes.

     

    But you will always have to enter the specific route for the VPN subnet via the PPP interface.



  • 3.  RE: PPP connection - Gateway

    Posted 10-01-2008 00:07

    Thank you for your very complete explanation!

    All is OK now. The only problem is for the client to add the route. I'll have to explain to him how to do it. I suppose there is no way to make this task automatic...



  • 4.  RE: PPP connection - Gateway

    Posted 10-03-2008 04:03

    Hi;

     

    You can make this procedure semi-automatic by providing a batch file to be executed after the PPP connection is established; that .bat file contains the following tasks:

     

    - Get the IP@ of the PPP interface.

    - Delete the created default route.

    - Create the exact route : <VPN subnet> --> PPP IP@.

     

    It would be very easy to do so using a Unix shell script, but I'm sure it's feasible in Windows as well; please refer to this guide, it would be very useful: http://www.allenware.com/icsw/icswidx.htm

     

    Anyway, you can use any other programming tool that you master.
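A batch file that carries out the three tasks listed in the reply above, written here as an added example rather than code posted in the thread. It assumes the 172.18.53.0/24 VPN subnet used earlier in the thread and the Windows XP-era `route print` layout, where the Gateway column holds an IP address rather than "On-link".

```batch
@echo off
REM Added example (not from the thread): post-connect script for the three
REM steps above - find the PPP address, drop its default route, add the VPN
REM route. Run from a prompt with administrative rights after the link is up.
setlocal

REM Assumptions: VPN subnet from the earlier reply; XP-era route table where
REM the Gateway column is an address, not "On-link".
set "VPN_NET=172.18.53.0"
set "VPN_MASK=255.255.255.0"
set "PPP_IP="

REM A PPP adapter gets a /32 address, so its default route shows the same
REM address in the Gateway and Interface columns; the LAN default route does
REM not, so this test picks out only the route the PPTP connection created.
for /f "tokens=1-5" %%A in ('route print ^| findstr /r /c:"^ *0\.0\.0\.0 *0\.0\.0\.0"') do (
    if "%%C"=="%%D" set "PPP_IP=%%C"
)

if not defined PPP_IP (
    echo No PPP default route found - is the PPTP connection up?
    exit /b 1
)

echo PPP interface address: %PPP_IP%

REM Step 2: remove the default route that the PPTP connection installed.
route delete 0.0.0.0 mask 0.0.0.0 %PPP_IP%
if errorlevel 1 exit /b 1

REM Step 3: send only the VPN subnet over the PPP interface; everything else
REM keeps using the original LAN default gateway.
route add %VPN_NET% mask %VPN_MASK% %PPP_IP%
endlocal
```

The PPP routes disappear when the connection drops, so the script is re-run (not made persistent with `-p`) each time the client connects.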