Configuring Routing on a VPN Client

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By default, when a Windows-based VPN client makes a VPN connection, the VPN client automatically adds a new default route for the VPN connection and sets a higher metric for the existing default route. Because a new default route has been added, all Internet locations, except for the IP address of the tunnel server and locations based on other routes, are not reachable for the duration of the VPN connection.

Whether the default route is acceptable for the VPN connection depends on your remote access clients’ needs (whether they need simultaneous access to both the intranet and the Internet) and security issues. For a full discussion of the routing options for VPN remote access clients, see "Determining Routing for VPN Remote Access Clients" earlier in this chapter.

Based on your design, implement one of the following routing options on the VPN client:

  • If the remote access user does not require concurrent access to intranet and Internet resources, use the default gateway for the VPN connection.

  • If the remote access user requires concurrent access to intranet and Internet resources over a VPN connection, choose one of the following options:

    • If you want to allow Internet access through the organization’s intranet, use the default gateway for your VPN connection.

      Internet traffic between the VPN client and Internet hosts passes through firewalls or proxy servers as though the VPN client were physically connected to the organization’s intranet. This method can affect performance, but it enables an organization to filter and monitor Internet access according to its network policies while the VPN client is connected to the organization network.

    • If the addressing within your intranet is based on a single class-based network ID, and the addresses assigned to VPN clients are from that single class-based network ID, prevent the use of the default gateway for your VPN connection.

    • If the addressing within your intranet is not based on a single class-based network ID, prevent the use of the default gateway for your VPN connection. Then, use one of the split tunneling methods described in "Determining Routing for VPN Remote Access Clients" earlier in this chapter.

To prevent the VPN client from creating a new default route during a VPN connection

  1. In Control Panel, double-click Network Connections, and then double-click the name of the VPN connection.

  2. In the Connect dialog box, click Properties.

  3. In the properties dialog box for the VPN connection, click the Networking tab.

  4. Select Internet Protocol (TCP/IP), and then click Properties.

  5. On the General tab, click Advanced to display the Advanced TCP/IP Settings dialog box.

  6. To prevent a default route from being created during a VPN connection, on the General tab, clear the Use default gateway on remote network check box.

    No default route will be created for the connection. However, a route corresponding to the Internet address class of the assigned IP address will be created. For example, if the IP address assigned during the connection process is 10.0.12.119, the Windows Server 2003–based or Windows XP–based VPN client creates a route for the class-based network ID 10.0.0.0 with the subnet mask 255.0.0.0.
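The following Python script is an added illustration, not part of this documentation or of Windows itself. It models the two client routing states described above (the default route with the raised metric on the existing default route, versus the class-based route created when the check box is cleared) and the class-based network ID derivation from the assigned address, so that an administrator can check in advance whether an intranet fits within a single class-based route (the choice between the two "prevent the use of the default gateway" options above) before changing clients. The addresses, the local subnet and the metric values are constructed for the example; the actual Windows route table uses its own metrics and interface names.

```python
"""Model of the VPN client routing choices described above (constructed example)."""
import ipaddress
from typing import List, Tuple

# A route entry: (destination network, interface the packet leaves on, metric)
Route = Tuple[ipaddress.IPv4Network, str, int]


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Class-based network ID a Windows XP / Windows Server 2003 VPN client
    routes over the tunnel when 'Use default gateway on remote network' is
    cleared: class A (first octet 0-127) /8, class B (128-191) /16,
    class C (192-223) /24."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8       # mask 255.0.0.0
    elif first_octet < 192:
        prefix = 16      # mask 255.255.0.0
    elif first_octet < 224:
        prefix = 24      # mask 255.255.255.0
    else:
        raise ValueError(f"{addr} is not a class A, B or C unicast address")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


# Constructed: the client's route table before the VPN connection is made.
LAN_TABLE: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "lan", 1),      # existing default route
    (ipaddress.ip_network("192.0.2.0/24"), "lan", 1),   # client's local subnet
]


def routes_during_vpn(assigned_ip: str, tunnel_server: str,
                      use_default_gateway: bool) -> List[Route]:
    """Route table while the VPN connection is up, for either setting of
    'Use default gateway on remote network'."""
    table: List[Route] = []
    for dest, iface, metric in LAN_TABLE:
        if dest.prefixlen == 0 and use_default_gateway:
            metric += 1   # existing default route gets a higher metric
        table.append((dest, iface, metric))
    # Host route so the tunnel endpoint itself stays reachable via the LAN.
    table.append((ipaddress.ip_network(f"{tunnel_server}/32"), "lan", 1))
    if use_default_gateway:
        table.append((ipaddress.ip_network("0.0.0.0/0"), "vpn", 1))
    else:
        table.append((classful_network(assigned_ip), "vpn", 1))
    return table


def interface_for(table: List[Route], destination: str) -> str:
    """Longest-prefix match, ties broken by the lowest metric."""
    dest_ip = ipaddress.IPv4Address(destination)
    matches = [r for r in table if dest_ip in r[0]]
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def intranet_fits_classful_route(assigned_ip: str, intranet_subnets: List[str]) -> bool:
    """True when every intranet subnet lies inside the single class-based route,
    i.e. clearing the check box alone gives full intranet reachability."""
    route = classful_network(assigned_ip)
    return all(ipaddress.ip_network(s).subnet_of(route) for s in intranet_subnets)


if __name__ == "__main__":
    # The address from the text: 10.0.12.119 yields 10.0.0.0 / 255.0.0.0.
    net = classful_network("10.0.12.119")
    print(f"class-based route: {net.network_address} mask {net.netmask}")
    for use_gw in (True, False):
        table = routes_during_vpn("10.0.12.119", "203.0.113.5", use_gw)
        print(f"use default gateway={use_gw}:",
              {d: interface_for(table, d) for d in ("198.51.100.7", "10.1.2.3", "172.16.1.1")})
    print("intranet 10.1/16 + 172.16/16 fits one route:",
          intranet_fits_classful_route("10.0.12.119", ["10.1.0.0/16", "172.16.0.0/16"]))
```

When the check box is cleared, a destination outside the class-based route (172.16.1.1 in the run above, with a 10.x assigned address) goes out the LAN default route rather than the tunnel; that is the case in which the text directs you to one of the split tunneling methods instead.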