  1. #1
    Untangler
    Join Date
    Sep 2008
    Posts
    73

    Default Address pools in VPN config

    When configuring the IPSEC application, VPN config section, there are two address pools (L2TP and Xauth/IKEv2).

    These are currently set to (by default) 198.18.0.0/16 and 198.19.0.0/16 respectively.

    And it works fine, but I believe due to the network being different from my primary DHCP range, I have to enable "Use default gateway on remote network" in my VPN settings for my Windows 10 client. And doesn't that send all my traffic over my VPN? I know that when I'm helping a staffer with remote-support software, and I start a VPN connection that uses the VPN gateway, my connection to their PC is interrupted.

    I'd change the pool to addresses on my same network for my wired PCs at my office, but there is a warning:

    "If you wish, you can change the Address Pool, but it must be a unique subnet that is not already defined on the NGFW."

    Normally when I set up IPSEC elsewhere, I have my office DHCP range (let's say 192.168.2.1-100) and then my VPN pool range (.101-110). In those instances, I do not have to click "Use default remote gateway" and still everything works and not all the VPN client's traffic is piped over my network.

    Am I making any sense?

    So I don't know if this just means it can't overlap with the standard DHCP pool, or it can't intersect at all.

    Any ideas?

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,813

    Default

    The L2TP cannot be the same as the local network of the IPsec pool as the DHCP server will not know about duplicates from the L2TP service. "Use default gateway on remote network" is just if full tunnel is wanted (all traffic sent through the VPN).

    Also set on the local PC:
    - Right click the VPN Connection Adapter and click Properties from the pop-up to view the VPN Connection Properties Window.
    - Switch to Networking Tab, select Internet Protocol Version 4 (TCP/IPv4) and click Properties to view the Properties window.
    - In the Internet Protocol Version 4 (TCP/IPv4) properties window, click Advanced.
    - In the Advanced TCP/IP Settings window under IP Settings tab, uncheck Use default gateway on remote network.

    As you can see, L2TP is not designed for full tunnel. This is the reason for Xauth, but Windows does not support that natively. It requires a third-party app. I personally use OpenVPN as it is much simpler for full tunnel needs.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler
    Join Date
    Sep 2008
    Posts
    73

    Default

    Quote Originally Posted by jcoffin View Post
    The L2TP cannot be the same as the local network of the IPsec pool as the DHCP server will not know about duplicates from the L2TP service.
    I'm not sure I understand, so I'll just ask like this: If my local network DHCP server is 192.168.2.1-64, is there any way my VPN clients can get 192.168.2.65-75?

    Quote Originally Posted by jcoffin View Post
    "Use default gateway on remote network" is just if full tunnel is wanted (all traffic sent through the VPN).

    Also set on the local PC:
    - Right click the VPN Connection Adapter and click Properties from the pop-up to view the VPN Connection Properties Window.
    - Switch to Networking Tab, select Internet Protocol Version 4 (TCP/IPv4) and click Properties to view the Properties window.
    - In the Internet Protocol Version 4 (TCP/IPv4) properties window, click Advanced.
    - In the Advanced TCP/IP Settings window under IP Settings tab, uncheck Use default gateway on remote network.

    As you can see, L2TP is not designed for full tunnel. This is the reason for Xauth, but Windows does not support that natively. It requires a third-party app. I personally use OpenVPN as it is much simpler for full tunnel needs.
    Right, I don't want full tunnel, but if I don't enable "use default gateway on remote network," then I'm not getting through to the other side. I think if my VPN client was getting an IP "compatible with" the IP of the LAN, it would work okay.

    At least that is the way I've been able to configure other brands of appliances and it seems to work okay.

  4. #4
    Untangler
    Join Date
    Sep 2008
    Posts
    73

    Default

    Well for grins, I tried changing the L2TP pool to 192.168.2.64/28, but Untangle won't allow me to save that.

    On appliances from other vendors, I'm able to serve IP addresses from the same pool that my LAN is using.

    Perhaps the IPSEC application isn't integrated with the core router functions enough? Hmm...

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,813

    Default

    What is the issue with just using the defaults?

  6. #6
    Untangler
    Join Date
    Sep 2008
    Posts
    73

    Default

    Quote Originally Posted by jcoffin View Post
    What is the issue with just using the defaults?
    I'd like not to have to use what you called "full tunnel," I don't want to have to check "use default gateway on remote network" on my Windows clients.

    If I use the Untangle defaults, I have to use the default gateway remote because otherwise I cannot get to anything on the LAN side of the Untangle device.

    Having to use that feature makes remote support via apps like Splashtop much more difficult, as once a VPN connection is made by the Win10 client, I get knocked off and have to reconnect.

  7. #7
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,813

    Default

    Ok, so you want split tunnel. Full tunnel is a Windows default, nothing to do with Untangle.

    For split-tunnel, change on Windows:
    - Navigate to Control Panel > Network and Sharing Center > Change Adapter Settings
    - Right click on the VPN connection, then choose Properties
    - Select the Networking tab
    - Select Internet Protocol Version 4 (TCP/IPv4) and click Properties
    - Click Advanced
    - Deselect the box for "Use default gateway on remote network"
    - Click OK to apply the changes to the interface

  8. #8
    Untangler
    Join Date
    Sep 2008
    Posts
    73

    Default

    Quote Originally Posted by jcoffin View Post
    Ok, so you want split tunnel. Full tunnel is a Windows default, nothing to do with Untangle.

    For split-tunnel, change on Windows:
    - Navigate to Control Panel > Network and Sharing Center > Change Adapter Settings
    - Right click on the VPN connection, then choose Properties
    - Select the Networking tab
    - Select Internet Protocol Version 4 (TCP/IPv4) and click Properties
    - Click Advanced
    - Deselect the box for "Use default gateway on remote network"
    - Click OK to apply the changes to the interface
    What I'm saying is, a split tunnel doesn't work, the VPN client cannot access anything on the LAN side of the Untangle box.

    I'm not sure how it would, the VPN client is getting an IP address of 198.18.0.2 and the LAN side of the Untangle is 192.168.2.0.

    It would seem to me that a split tunnel would only work if the VPN client is assigned an IP address on the same network as the LAN side of the Untangle.

    Which seems impossible w/ Untangle.

    Am I nuts on this? You have me questioning everything I thought I knew about networking.

    When you disable "Use default gateway on remote network," there is another box underneath that says "disable class-based route addition" (normally unchecked), which seems to be the mechanism for split tunnels to work and still ferry traffic (provided the VPN client is getting an IP on the LAN side network).
    Last edited by cgallery; 07-21-2018 at 08:26 PM.

  9. #9
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,813

    Default

    Yes, you have to add the remote network to the Windows box.

    - Open command prompt on windows as admin
    - netsh interface ipv4 add route <destination subnet> "<interface name>"

    Again, this routing is due to Windows default. Split tunnel requires Windows settings to be modified.
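The split-tunnel client setup that posts #7 and #9 describe (uncheck the remote default gateway, then add a route for the office LAN), as an added PowerShell example that is not from the thread, from Untangle, or from Windows documentation. It assumes a hypothetical VPN profile named "Office", the thread's office LAN 192.168.2.0/24, the default L2TP pool 198.18.0.0/16, and a hypothetical LAN host 192.168.2.10; it also includes a small prefix-overlap check of the kind the NGFW applies when it refuses 192.168.2.64/28 as a pool.

```powershell
# Added example (not from the thread or from Untangle): split-tunnel L2TP client on Windows 10.
# Assumptions (hypothetical names): VPN profile "Office", office LAN 192.168.2.0/24,
# Untangle L2TP pool left at its default 198.18.0.0/16, a LAN host at 192.168.2.10.
$VpnName   = "Office"
$OfficeLan = "192.168.2.0/24"
$L2tpPool  = "198.18.0.0/16"

# Network address and size of an IPv4 prefix as int64 (avoids uint32 bit-shift pitfalls).
function Get-PrefixRange {
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $len = $Cidr.Split('/')
    $n = [int64]0
    foreach ($b in ([System.Net.IPAddress]::Parse($ip)).GetAddressBytes()) { $n = $n * 256 + $b }
    $size = [int64]1 -shl (32 - [int]$len)
    [pscustomobject]@{ Start = $n - ($n % $size); Size = $size }
}

# True when two prefixes share at least one address. This is the check behind the NGFW's
# "must be a unique subnet that is not already defined" rule: the pool may not be carved
# out of a LAN the appliance already owns.
function Test-PrefixOverlap {
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $ra = Get-PrefixRange $A
    $rb = Get-PrefixRange $B
    return ($ra.Start -lt ($rb.Start + $rb.Size)) -and ($rb.Start -lt ($ra.Start + $ra.Size))
}

Test-PrefixOverlap $L2tpPool $OfficeLan           # False: the default pool is a distinct subnet
Test-PrefixOverlap "192.168.2.64/28" $OfficeLan   # True: what post #4 tried, and why it is refused

# 1. Same as unchecking "Use default gateway on remote network" in the adapter properties.
Set-VpnConnection -Name $VpnName -SplitTunneling $true

# 2. With split tunnel on, Windows only routes the pool's own class-based network through the
#    tunnel, which never reaches 192.168.2.0/24. Attach the LAN route to the profile; it is
#    installed every time the connection comes up, so no persistent netsh route is needed.
Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $OfficeLan -PassThru

# 3. Connect and verify: the LAN prefix should sit on the VPN interface, while the default
#    route stays on the physical adapter, so Splashtop and other Internet traffic is untouched.
rasdial $VpnName
Get-NetRoute -DestinationPrefix $OfficeLan
Get-NetRoute -DestinationPrefix "0.0.0.0/0" | Select-Object InterfaceAlias, NextHop, RouteMetric
Test-NetConnection -ComputerName 192.168.2.10 -Port 3389
```

`Set-VpnConnection` and `Add-VpnConnectionRoute` edit the current user's profile; add `-AllUserConnection` to both if the profile was created for all users. `rasdial` prompts for credentials unless they are saved in the profile. Once the LAN route is present the client keeps its pool address (198.18.0.x) and the NGFW routes between the pool and the LAN, which is why the pool does not need to be inside the LAN for split tunnel to work.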

  10. #10
    Untangler
    Join Date
    Sep 2008
    Posts
    73

    Default

    Quote Originally Posted by jcoffin View Post
    Yes, you have to add the remote network to the Windows box.

    - Open command prompt on windows as admin
    - netsh interface ipv4 add route <destination subnet> "<interface name>"

    Again, this routing is due to Windows default. Split tunnel requires Windows settings to be modified.
    I guess I was hoping to find that I could have the VPN clients get an IP address which wouldn't require adding persistent routes. This is something easily done on a $40 Mikrotik device, so I'm a little disappointed I cannot do it with the Untangle unit.

    I'll get over it, thanks for the help.
