View Full Version : Slimserver and VPN



2004-08-04, 21:24
Geoff wrote:


>
> This is why I like the Cisco client that my employer uses ... it has
> an "exclude local LAN" option that allows any requests to your LAN to
> go over your LAN network instead of being routed to the VPN.
>


That's completely up to corporate policy. The operators of Cisco VPN
servers can disable that local option.

The VPN client adjusts the routing table when it starts and this can be
why certain addresses become unreachable.
In these cases I presume you could "fix" it by adjusting the routing
table after the client starts, but I don't know if the client keeps
checking and enforcing policies.
And if you don't understand what you are doing then it is more likely
you will lose all connectivity.

Cameron.

Steve Baumgarten
2004-08-05, 06:31
> The VPN client adjusts the routing table when it starts and this can be
> why certain addresses become unreachable.
>
> In these cases I presume you could "fix" it by adjusting the routing
> table after the client starts, but I don't know if the client keeps
> checking and enforcing policies.

Some newer VPN clients do exactly this. The VPN client will check the
routing table when it starts up and then every so often while running. If
it sees any changes (non-VPN related, of course), the client will shut
down. Nortel even has a product called "Tunnel Guard" that allows an
administrator to provide a check list of software that needs to be running
on your PC (e.g., a firewall, antivirus software, etc.); if some required
software is missing or disabled, the VPN client shuts down.

Working around VPN restrictions has become decidedly non-trivial, to say
the least.

SBB
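The periodic routing-table check Steve describes, written out as an added example (not code from any vendor's client or from this thread): snapshot the table when the tunnel comes up, re-read it later, and flag any new route that bypasses the tunnel interface. The `ip route`-style lines and the interface names `tun0`/`eth0` are constructed sample data.

```python
"""Routing-table integrity check of the kind a VPN client performs:
baseline the table at tunnel start, compare later snapshots, and treat any
added route that does not use the tunnel interface as a policy violation.
Assumption: routes are read as 'ip route'-style text; all sample lines
below are constructed, not captured from a real client."""
import ipaddress


def parse_routes(text):
    """Parse 'ip route'-style lines into (prefix, device) pairs.
    Only the destination prefix and the 'dev' field matter for the check."""
    routes = set()
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        routes.add((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def check_routes(baseline, current, tunnel_dev):
    """Return routes added since the baseline that do not go via the tunnel.
    Routes the VPN itself pushes (new subnets over tunnel_dev) are tolerated;
    anything else is reported as (prefix, device), sorted for stable output."""
    added = current - baseline
    return sorted((str(net, ), dev) for net, dev in added if dev != tunnel_dev)


# Constructed sample: the table right after the tunnel comes up ...
AT_STARTUP = """
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
203.0.113.7 via 192.168.1.1 dev eth0
"""
# ... and a later snapshot where a local-LAN route was re-added by hand
# (the workaround discussed in the thread) alongside a subnet the VPN
# legitimately pushed through the tunnel.
LATER = AT_STARTUP + """
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
10.9.0.0/16 via 10.8.0.1 dev tun0
"""


def violations():
    return check_routes(parse_routes(AT_STARTUP), parse_routes(LATER), "tun0")


if __name__ == "__main__":
    for prefix, dev in violations():
        print(f"policy violation: {prefix} via {dev} added outside the tunnel")
```

Only the hand-added LAN route is reported; the subnet pushed over `tun0` passes, which is the distinction between "non-VPN related" and VPN-initiated changes the post draws.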

James Craig
2004-08-05, 06:44
Just as a follow up here, it was confirmed that our VPN software creates
its own firewall so that the local network is deliberately unavailable.

"It's a standard security feature with IPSec tunnelling to prevent pass-through attacks."


On the bright side there are plans to move to a thin client setup that
probably won't be as restrictive in the future.
Probably causing a lot of problems now that so many people have multiple
machines, wireless networks etc at home...

thanks everyone

James

Steve Baumgarten wrote:

>>The VPN client adjusts the routing table when it starts and this can be
>>why certain addresses become unreachable.
>>
>>In these cases I presume you could "fix" it by adjusting the routing
>>table after the client starts, but I don't know if the client keeps
>>checking and enforcing policies.
>
>Some newer VPN clients do exactly this. The VPN client will check the
>routing table when it starts up and then every so often while running. If
>it sees any changes (non-VPN related, of course), the client will shut
>down. Nortel even has a product called "Tunnel Guard" that allows an
>administrator to provide a check list of software that needs to be running
>on your PC (e.g., a firewall, antivirus software, etc.); if some required
>software is missing or disabled, the VPN client shuts down.
>
>Working around VPN restrictions has become decidedly non-trivial, to say
>the least.
>
>SBB