Windows 7 – Fix Persistent Routes and VPN Connection Issues

ipnetworkingroutingvpnwindows

My home PC has a VPN connection to my office. The office network is firewalled, with a secure zone on 192.168.0.* and a DMZ on 10.0.0.*

From outside, www.mycompany.com routes to a public IP – say 1.2.3.4. Our firewall NATs that to 10.0.0.4. From within the office LAN, we use DNS records on our domain controllers to resolve www.mycompany.com straight to 10.0.0.4, because we can't route to the public interface of our own firewall.

When I connect the VPN from home, I get a 192.168.0.* IP assigned via DHCP, but because I'm not using the VPN as my default gateway, I can't route to 10.0.0.* addresses unless I manually add a route.

I've created a persistent route to pass traffic for the 10.0.0.* subnet via the default gateway on the secure firewall zone:

route add -p 10.0.0.0 mask 255.255.255.0 192.168.0.1

Here's the problem. When I reboot, the route still appears in the routing table – fine. If I then connect the VPN, the route appears, but doesn't work – I can't route to anything on the 10.0.0.0 subnet. BUT, if I remove and then re-add the route AFTER the VPN is connected, it works fine.

I have no idea why this is the case. The before/after configuration is IDENTICAL – same IP, same route table – but if I create route then connect, it fails; if I connect the VPN and then create the route, it succeeds.

Looking for any tips as to how I can either stabilize the configuration, or automatically create the route when the VPN connects?

Best Answer

Honestly, there's a few bits as to why this wouldn't work properly. But lets skip that for now.

Rather than adding an arbitrary route to an IP address, try adding the route with the "interface" specified.

i.e. when connected to the VPN if you do a:

route print

and look for the "Interface" in the list, it should have a number assigned to the VPN interface.

 19...00 0e 2e 65 ca 61 ......Realtek RTL8139/810x Family Fast Ethernet NIC
 12...00 26 55 44 95 3c ......Broadcom NetXtreme Gigabit Ethernet
 28...00 00 00 00 00 00 ......MyVPN Interface Thingie
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 11...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter

in my example... #28 is my vpn. So, when you add the route... do this:

route add -p 10.0.0.0 mask 255.255.255.0 192.168.0.1 if 28

What this should do for you is add the route... only when that interface is up. It will still sit in the "persistent routes" ... but won't actually be added to the routing table until that interface is up... and it gets removed again when the interface goes down.

Related Solutions

Windows – trick out cisco vpn with routes

I've had the same problem for a few months. I had to disconnect and had Internet access. Connect so I can have access to corporate resources.... A pain.

My temporary solution was to install a Sonatype Nexus (proxy for dependencies) under Debian Linux and connect with vpnc. Usually you can install it with apt-get/yum etc.

When this solution was not enough, I installed vpnc in my Windows machine with vpnc-fe http: // sourceforge.net/projects/vpncfe/ (VPNc Front-End) on top.

My configuration required a setting for perfect security called "Force-NTT". See this thread. Later you need to put the following script in postconnect.bat:

[Copy in case the thread goes down]

Thank you, rodekerken! Here's the final result, no manual tinkering necessary to break out the split routes:

@echo off
REM By: capt-tagon
REM 
REM Post-Script.bat to take VPNC's Route Table into Windows 7 land. Erases bad route table entries, 
REM extracts gateway, assigned IP, Netmask, and Cisco split route entries and resubmits them to 
REM Windows 7 so the routing all works. Condensed from other entries on the VPNC-FE forae and combined
REM with information gleaned from VPNC client for Linux to find all the passed parameters useful
REM to making this work. Additional by rodekerken noted below, thank you for helping finish it out.
REM
setlocal enabledelayedexpansion
echo.
echo Post-Script Begin
echo.
REM Gather Connection Data
REM 
REM Parameters passed have space at end, see "HELP SET" at Console Prompt for explanation of
REM substring extraction
REM Strip space from TUNDEV, INTERNAL_IP4_ADDRESS, VPNGATEWAY, CISCO_SPLIT_INC
REM This will be broken if VPNC-FE is fixed to not export parameters with the trailing space.
REM 
set MyTUNDev=%TUNDEV:~0,-1%
REM By: rodekerken
REM From the top of the router table printout, look for a line like
REM 14...00 ff 5d b0 44 aa ......TAP-Win32 Adapter V9 to find the if number.
REM A way to find out the interface number automatically and extractis this:
for /f "tokens=1 delims=." %%a in ('route print ^|find "TAP-Win32"') do set MyIF=%%a
set MyIP=%INTERNAL_IP4_ADDRESS:~0,-1%
set MyMask=%INTERNAL_IP4_NETMASK:~0,-1%
set MyVPN=%VPNGATEWAY:~0,-1%
REM Number of Routing Table Entries for Split Tunnel
set MyCiscoSplit=%CISCO_SPLIT_INC:~0,-1%
REM Date Time functions
set ANSIDate=%date:~10%%date:~4,2%%date:~7,2%
set StartTime=%time:~0,2%%time:~3,2%%time:~6,2%
REM Display Connection Data
echo Tunnel Device : [%MyTUNDev%]
echo Tunnel IntFace: [%MyIF%]
echo Tunnel IPAddr : [%MyIP%]
echo Tunnel NetMask: [%MyMask%]
echo Tunnel VPN-GW : [%MyVPN%]
echo .
echo Date Connected: [%ANSIDate%]
echo Time Connected: [%StartTime%]
echo .
REM Cisco Routes are 0 index, 6 Routes = 0-5
echo Cisco Split Routes: [%MyCiscoSplit%]
REM Display Bad Route Table
echo.
echo Bad Route Table
route print | find "%MyIP%"
echo.
REM Delete Bad Split Route entries and add back with proper Gateway.
REM Extract Cisco routing table information to feed to "ROUTE ADD"
REM Number of entries passed in Array Index CISCO_SPLIT_INC 
REM For x below, value is 0 to CISCO_SPLIT_INC - 1
REM Address is passed in CISCO_SPLIT_INC_x_ADDR
REM NetMask is passed in CISCO_SPLIT_INC_x_MASK
REM
REM By: rodekerken
REM A way to loop and enumerate and evaluate the routes is like this:
set /A MyCiscoSplit-=1
for /L %%i in (0,1,%MyCiscoSplit%) do (
                set SplitAddr=CISCO_SPLIT_INC_%%i_ADDR
                set SplitMask=CISCO_SPLIT_INC_%%i_MASK
        for /f %%a in ('echo !SplitAddr!') do set SplitAddrEval=!%%a!
        for /f %%a in ('echo !SplitMask!') do set SplitMaskEval=!%%a!
        echo Route%%i !SplitAddrEval! !SplitMaskEval!
        route delete !SplitAddrEval! >nul
        route add !SplitAddrEval! mask !SplitMaskEval! %MyVPN% metric 1 if %MyIF% >nul
)
REM Display Corrected Route Table
echo.
echo Corrected Route Table
route print | find "%MyVPN%"
echo.
echo Post-Script End
echo.

I've also added this routes after the "FOR":

route add 1111.120.120.0 mask 255.255.255.0 0.0.0.0 metric 1 if %MyIF%
route add 1111.185.19.0 mask 255.255.255.0 0.0.0.0 metric 1 if %MyIF%
route add 10.0.0.0 mask 255.0.0.0 0.0.0.0 metric 1 if %MyIF%

[Please note that the first two routes have incorrect/fake addresses. You need to change it anyway]

For my script to work repeatedly, you need to create a "disconnect.bat" containing the removal of routes:

route delete 1111.120.120.0
route delete 1111.185.19.0
route delete 10.0.0.0

Just my 0.02€

Best Answer

Related Solutions

Windows – trick out cisco vpn with routes

Related Question