UAG SSTP Split tunnel - missing route

  • I have the following setup:

    The UAG split tunnel is configured using the method described in Ben-Ari's book on customizing UAG (page 412). My problem is that when the split tunnel is established I cannot connect to my LAN resources unless I manually add a route on the client.

    My routes without a VPN connection are:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      10.224.32.1    10.224.32.183     25
          10.224.32.0    255.255.255.0         On-link     10.224.32.183    281
        10.224.32.183  255.255.255.255         On-link     10.224.32.183    281
        10.224.32.255  255.255.255.255         On-link     10.224.32.183    281
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        192.168.136.0    255.255.255.0         On-link     192.168.136.1    276
        192.168.136.1  255.255.255.255         On-link     192.168.136.1    276
      192.168.136.255  255.255.255.255         On-link     192.168.136.1    276
        192.168.219.0    255.255.255.0         On-link     192.168.219.1    276
        192.168.219.1  255.255.255.255         On-link     192.168.219.1    276
      192.168.219.255  255.255.255.255         On-link     192.168.219.1    276
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     192.168.219.1    276
            224.0.0.0        240.0.0.0         On-link     10.224.32.183    281
            224.0.0.0        240.0.0.0         On-link     192.168.136.1    276
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     192.168.219.1    276
      255.255.255.255  255.255.255.255         On-link     10.224.32.183    281
      255.255.255.255  255.255.255.255         On-link     192.168.136.1    276
    ===========================================================================

    With VPN established it is:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      10.224.32.1    10.224.32.183     25
          10.224.32.0    255.255.255.0         On-link     10.224.32.183    281
        10.224.32.183  255.255.255.255         On-link     10.224.32.183    281
        10.224.32.255  255.255.255.255         On-link     10.224.32.183    281
         71.75.253.49  255.255.255.255      10.224.32.1    10.224.32.183     26
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        192.168.136.0    255.255.255.0         On-link     192.168.136.1    276
        192.168.136.1  255.255.255.255         On-link     192.168.136.1    276
      192.168.136.255  255.255.255.255         On-link     192.168.136.1    276
        192.168.200.0    255.255.255.0  192.168.200.100  192.168.200.101     26
      192.168.200.101  255.255.255.255         On-link   192.168.200.101    281
        192.168.219.0    255.255.255.0         On-link     192.168.219.1    276
        192.168.219.1  255.255.255.255         On-link     192.168.219.1    276
      192.168.219.255  255.255.255.255         On-link     192.168.219.1    276
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     192.168.219.1    276
            224.0.0.0        240.0.0.0         On-link     10.224.32.183    281
            224.0.0.0        240.0.0.0         On-link     192.168.136.1    276
            224.0.0.0        240.0.0.0         On-link   192.168.200.101    281
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     192.168.219.1    276
      255.255.255.255  255.255.255.255         On-link     10.224.32.183    281
      255.255.255.255  255.255.255.255         On-link     192.168.136.1    276
      255.255.255.255  255.255.255.255         On-link   192.168.200.101    281
    ===========================================================================

    For me to be able to access LAN resources I need to run:

    ROUTE ADD 192.168.1.0 MASK 255.255.255.0 192.168.100.100 with a connection to UAG1

    -or

    ROUTE ADD 192.168.1.0 MASK 255.255.255.0 192.168.200.100 with a connection to UAG2

    How do I set this up to work without me having to add the route manually?

    Also, my TMG array has been set to 'NAT' for VPN clients instead of 'Route' which is the default.
    Monday, July 30, 2012 5:41 PM

All replies

  • Hi,

    I believe you have enabled split tunneling by unchecking "Use default Gateway on Remote Network" in Advanced TCP/IP properties in SSL adapter in client machine.

    Since it is not feasible or supported from the UAG-side SSTP configuration, you have to rely on a workaround like the one you have done here. Moreover, doing NAT in the networking rule in TMG is not going to help, as your packets for the destination internal LAN 192.168.1.0 are not coming to the SSTP server (here UAG) until you configure manual routes pointing to the SSTP gateway address (200.100 & 200.200).

    Ashu

    Wednesday, August 1, 2012 10:32 AM
  • Hi Amig@. As Ashu says, that is an issue related to not having UAG as the default gateway. From your routing table I can see that your internal network is 192.168.1.0/24; however, the pool for assigning addresses to VPN clients is 192.168.200.0/24, so a route is needed to send packets from 192.168.200.0 (the VPN clients' subnet) to 192.168.1.0 (the internal subnet). In non-split tunneling, UAG will route all packets, but in your case you need to manually specify that route. This is just an IP routing issue. I remember with CMAK you could insert some static routes as part of the dial-up connection, but it required administrative privileges when launching the connection. Not sure if through Ben's customization a section containing static routes can also be added to the phonebook entry.

    Regards

    // Raúl - I love this game

    Wednesday, August 1, 2012 11:06 AM
  • @RMoros, you are correct that it is a routing issue. My question is if there is another way, other than using CMAK, to add that route to the client? I am imagining something like a route on the TMG or similar.

    For now I have the problem solved by adding a static route to the client but as this grows with more people using it, that is not a viable solution.

    Wednesday, August 1, 2012 2:34 PM
  • I am afraid there is no other way to do it other than adding the route manually. You could deploy a customized application similar to the one that changes the properties of the VPN and run the route add command, but I think the user should be an administrator for that command to execute.

    // Raúl - I love this game

    Wednesday, August 1, 2012 3:03 PM
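The following script is an added example and is not part of the thread, of Ben-Ari's customization, or of any UAG/TMG feature. It does what the `ROUTE ADD` commands in the question do, but derives the next hop from the pool route the SSTP connection itself installs (192.168.200.0/24 via 192.168.200.100 in the second table), so the same script works whether the client landed on UAG1 or UAG2. It assumes Windows 8 / Server 2012 or later (the NetTCPIP cmdlets), an elevated session (as Raúl notes, adding a route needs administrator rights), a phonebook entry named `UAG-SSTP` and the LAN prefix 192.168.1.0/24 from the question; the connection name and the probe host are placeholders.

```powershell
# Added example (not from the thread): after the SSTP connection is up, add the
# split-tunnel route to the internal LAN through the VPN adapter, taking the next
# hop from the pool route that the PPP link installed. Run elevated.
# Assumptions: NetTCPIP cmdlets (Windows 8 / Server 2012+), connection name
# 'UAG-SSTP' (placeholder), LAN prefix 192.168.1.0/24 (from the question).
param(
    [string]$ConnectionName = 'UAG-SSTP',       # assumed name of the phonebook entry
    [string]$LanPrefix      = '192.168.1.0/24'  # internal LAN behind UAG
)

# 1. The address the UAG pool handed to this client (192.168.200.101 in the thread).
#    A RAS/PPP connection shows up as an interface whose alias is the connection name.
$vpnAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $ConnectionName -ErrorAction Stop
$ifIndex = $vpnAddr.InterfaceIndex

# 2. The PPP link installs exactly one route with a real next hop: the pool subnet
#    via the server side of the link (192.168.200.0/24 via 192.168.200.100 above).
#    That next hop is the gateway we need; it differs per UAG, so do not hard-code it.
$poolRoute = Get-NetRoute -AddressFamily IPv4 -InterfaceIndex $ifIndex |
    Where-Object { $_.NextHop -ne '0.0.0.0' -and $_.DestinationPrefix -ne '0.0.0.0/0' } |
    Select-Object -First 1
if (-not $poolRoute) {
    throw "No pool route found on interface $ifIndex; is '$ConnectionName' connected?"
}
$gateway = $poolRoute.NextHop

# 3. Constructed probe host inside the LAN (e.g. 192.168.1.10). Before the fix the
#    longest match is 0.0.0.0/0 via the local default gateway, i.e. not the tunnel,
#    which is exactly why LAN resources are unreachable with split tunnelling.
$probe = ($LanPrefix -split '/')[0] -replace '\.0$', '.10'
Write-Host "Before: $probe leaves via" (Find-NetRoute -RemoteIPAddress $probe |
    Select-Object -ExpandProperty InterfaceAlias -Unique)

# 4. Add the route to the active store only: it must not outlive the tunnel, and it
#    is lost on disconnect or reboot, which is the behaviour we want here.
New-NetRoute -DestinationPrefix $LanPrefix -InterfaceIndex $ifIndex -NextHop $gateway `
             -RouteMetric 1 -PolicyStore ActiveStore -ErrorAction Stop | Out-Null

# 5. Verify the new longest match goes through the VPN adapter.
Write-Host "After:  $probe leaves via" (Find-NetRoute -RemoteIPAddress $probe |
    Select-Object -ExpandProperty InterfaceAlias -Unique)
```

The legacy equivalent, with the interface index pinned so the route cannot attach to the wrong adapter, is `route add 192.168.1.0 mask 255.255.255.0 <gateway> if <ifIndex>`. This does not remove the privilege problem the thread ends on: `New-NetRoute` and `route add` both need elevation, so for a non-administrator user population the route still has to be delivered by the connection itself (for example through a CMAK-style post-connect action) rather than by a script the user runs.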