How to configure split tunnelling on VPN clients using CMAK
When a VPN connection is established, by default, ‘Use default gateway on remote network’ checkbox is selected. When this checkbox is selected a new default route for the VPN Connection is added and the existing default route gets a higher metric. Result of this setting is that all the intranet traffic works fine and internet traffic is also routed to VPN Server. If VPN server doesn’t allow VPN Clients to access the Internet via their gateway the user will not be able to access Internet after making the VPN connection. If ‘Use default gateway on remote network’ checkbox is unchecked, a class based route (corresponding to class-based network Id of the assigned IP Address) is added to the routing table. Result of this setting is that all the internet traffic works fine (goes over internet interface) while only limited m/c on the intranet is accessible (corresponding to those which matches the network ID of the Internet address class of the assigned IP address).
One way to solve this problem is to have split tunnelling on the client machine so that concurrent access to both internet and intranet works fine.
Connection Manager Administration Kit (CMAK) provides the Split Tunnelling solution with Route Table Update using built-in custom action (cmroute.dll). For more details, usage and configuration of CMAK, you can visit https://technet2.microsoft.com/windowsserver/en/library/be5c1c37-109e-49bc-943e-6595832d57611033.mspx?mfr=true
CMAK can be used to configure specific routes as part of the Connection Manager (CM) profile which is distributed to VPN clients. CMAK can be used to configure:
v A text file which contains the routes update information which will be applied when the CM client connects. This is a static route file containing the route information relevant to the organizations address space. This file is included with the service profile package.
· When the user installs the profile, the file is installed in the same directory as the profile.
· The routes in the file on the client computer are not secure.
· You must create and distribute another profile if you want to update the file.
v Specify the URL for the location of the route text file which can be downloaded once the CM connection is up. This helps the administrator to update the route text file as per the requirement. This file needs to be hosted on a web server.
· The file is downloaded every time the user completes the connection.
· The user cannot easily review the file you distribute in this way.
· You can update this file at any time as per your requirement.
· Administrator needs to decide to terminate the connection if the server hosting the route file is unreachable.
v Include a static file with the service profile and include a URL to an additional file.
If the user has not logged on with administrative credentials for the client computer, routing table updates will not be applied. The user will still be able to connect using your service profile, but the routes on the client computer will not be updated.
Syntax of routing table update files
Routing table update files are plain-text files that can be created and edited in any plain-text editor, such as Notepad. Each line in those files adds or deletes a route. The syntax of each line is as follows:
Command Destination MASK Netmask Gateway METRIC Metric IF Interface
Command is ADD (adds a route) or DELETE (deletes a route) or REMOVE_GATEWAY (removes the default gateway)
Destination specifies the destination IP Address on the target network
MASK specifies that the next parameter is the netmask value.
Netmask is the subnet mask, which corresponds to the Destination that defines the destination IP Address.
Gateway specifies the gateway. Recommended value is ‘default’.
METRIC specifies that the next parameter is the route metric.
Metric specifies the cost for the destination. Recommended value is ‘ default’ .
IF specifies that the next parameter is the interface number.
Interface is the interface number. Recommended value is ‘default’.
The use of default in most commands in the route text file is the recommended value for the gateway, metric, and interface parameters. When default is used, the appropriate value from the VPN client computer is used at the time of route creation.
Examples:
To add routes for the private network address space, the route text file would contain the following:
ADD 10.0.0.0 MASK 255.0.0.0 default METRIC default IF default
ADD 172.16.0.0 MASK 255.240.0.0 default METRIC default IF default
To delete route, the route text file would contain:
DELETE 192.168.123.232 MASK 255.255.255.0 default METRIC default IF default
To remove the default gateway, you can add the following line to the update file:
REMOVE_GATEWAY
Unlike adding or removing a route, no further syntax is required after the REMOVE_GATEWAY command.
If ‘default’ interface value is used, the routing changes are reversed when the user disconnects.
If both static and URL route files is included, static file routes are applied first and then the downloaded routes are applied. The downloaded file is then deleted immediately. Because of this order of precedence, a dynamic file could add routes, replace routes specified in the static file included with the service profile, or both. The REMOVE_GATEWAY command in either update file is executed after all other routes have been applied.
Dinesh Agarwal
SDE
RRAS, Windows Enterprise Networking
[This posting is provided "AS IS" with no warranties, and confers no rights.]
Comments
Anonymous
June 15, 2007
Does split tunneling work with Vista? It does delete default gateway, and it sets routes, but when trying to ping any host outside local and vpn-local network, the ping returns error. Both default-gateway and remote networks are unusable with this configuration.Anonymous
June 26, 2007
Hi, nice article. Is there a solution yet to allow split tunneling with Vista?Anonymous
July 05, 2007
From what I am understanding, the Vista security is not allowing CMROUTE.DLL to change the routing tables. I see lots of comments on running this with "elevated privledges" but I have not seen specifics on how to do this.