Rerouting local LAN and Internet traffic when in VPN

16

11

I'm connecting to a VPN which doesn't allow split tunneling and basically reroutes my Internet traffic through, which is slow. Additionally and more importantly, this also effectively removes my machine from local LAN.

I'm looking for a way to modify the routing table on Windows 7 to route Internet traffic and local LAN connections as usual, and restrict VPN traffic to the 10.0.53.0 network, but although I know how to route delete and route add, I'm failing to understand what exactly I need to reroute.

My network looks like this:

  • 192.168.192.0 - my local LAN
  • 192.168.192.1 - my router
  • 192.168.192.2 - my computer
  • 10.0.53.0 - VPN network
  • 10.0.53.1 - VPN gateway

These are my routes when the VPN is not connected (ipconfig + route print):

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lan
   Link-local IPv6 Address . . . . . : fe80::3449:3fc8:6133:b564%11
   IPv4 Address. . . . . . . . . . . : 192.168.192.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.192.1

Tunnel adapter isatap.lan:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : lan

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:8fa:15c1:a65b:dce4
   Link-local IPv6 Address . . . . . : fe80::8fa:15c1:a65b:dce4%14
   Default Gateway . . . . . . . . . : ::

===========================================================================
Interface List
 11...00 16 e6 dc 32 b6 ......Marvell Yukon 88E8052 PCI-E ASF Gigabit Ether
ontroller
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.192.1    192.168.192.2     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.192.0    255.255.255.0         On-link     192.168.192.2    276
    192.168.192.2  255.255.255.255         On-link     192.168.192.2    276
  192.168.192.255  255.255.255.255         On-link     192.168.192.2    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.192.2    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.192.2    276
===========================================================================
Persistent Routes:
  None

And these are my routes when the VPN is connected (ipconfig + route print):

Ethernet adapter Local Area Connection 5:

   Connection-specific DNS Suffix  . : emporion.hr
   Link-local IPv6 Address . . . . . : fe80::e127:bf06:eff3:f18e%26
   IPv4 Address. . . . . . . . . . . : 10.0.53.21
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.53.1

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lan
   Link-local IPv6 Address . . . . . : fe80::3449:3fc8:6133:b564%11
   IPv4 Address. . . . . . . . . . . : 192.168.192.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.192.1

Tunnel adapter isatap.lan:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : lan

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:8fa:15c1:a65b:dce4
   Link-local IPv6 Address . . . . . : fe80::8fa:15c1:a65b:dce4%14
   Default Gateway . . . . . . . . . : ::

===========================================================================
Interface List
 26...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
 11...00 16 e6 dc 32 b6 ......Marvell Yukon 88E8052 PCI-E ASF Gigabit Ether
ontroller
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.192.1    192.168.192.2     20
          0.0.0.0          0.0.0.0        10.0.53.1       10.0.53.22     21
        10.0.53.0    255.255.255.0         On-link        10.0.53.22    276
       10.0.53.22  255.255.255.255         On-link        10.0.53.22    276
      10.0.53.255  255.255.255.255         On-link        10.0.53.22    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.192.0    255.255.255.0         On-link     192.168.192.2    276
    192.168.192.0    255.255.255.0        10.0.53.1       10.0.53.22    276
    192.168.192.1  255.255.255.255         On-link     192.168.192.2    100
    192.168.192.2  255.255.255.255         On-link     192.168.192.2    276
    192.168.192.2  255.255.255.255        10.0.53.1       10.0.53.22    276
  192.168.192.255  255.255.255.255         On-link     192.168.192.2    276
   213.147.99.115  255.255.255.255    192.168.192.1    192.168.192.2    100
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.192.2    276
        224.0.0.0        240.0.0.0         On-link        10.0.53.22    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.192.2    276
  255.255.255.255  255.255.255.255         On-link        10.0.53.22    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0        10.0.53.1       1
===========================================================================

Domchi

Posted 2011-02-19T16:25:26.903

Reputation: 2 557

Answers

6

Your problem is related to the version of the VPN client you use. If it is a Cisco client, Cisco has already fixed it with version 5.0.07.0410-k9 for 32-bit and 5.0.07.0440-k9 for 64-bit.

Otherwise you have to do the following:

  1. Delete all statically added routes (network or default route)

    route DELETE 0.0.0.0

  2. Change the metric of your local default route to the BEST "1"

    route ADD -p 0.0.0.0 MASK 0.0.0.0 192.168.192.1 METRIC 1

  3. Ensure that your VPN server - I think it's this IP, 213.147.99.115 - is reachable over your local gateway

    route ADD -p 213.147.99.115 MASK 255.255.255.255 192.168.192.1 METRIC 1

  4. Ensure the reachability of your local net, because of these routes in your output of "route print"

    192.168.192.0 255.255.255.0 On-link 192.168.192.2 276

    192.168.192.0 255.255.255.0 10.0.53.1 10.0.53.22 276

  with

    route CHANGE 192.168.192.0 MASK 255.255.255.0 192.168.192.1 METRIC 1

  5. When the VPN is connected, change the gateway for the remote net to the IP address assigned to your Cisco VPN client - in your ipconfig it's 10.0.53.22 - and the metric to 10 (because < 276) to make sure that this route is valid.

    route CHANGE 10.0.53.0 MASK 255.255.255.0 10.0.53.22 METRIC 10

If it fails, delete the route first and add it again with "route ADD".

matrix154

Posted 2011-02-19T16:25:26.903

Reputation: 76

1

Where to get cisco vpn client version 5.0? The official site has only v4.x - https://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/tsd-products-support-series-home.html

– Edward – 2018-04-13T16:51:10.790

3

I just did this. By not allowing the VPN to take the default gateway, I get all traffic to the remote network over the VPN, and the rest takes the usual route through my router.

On the VPN "NIC": Network -> IPv4 -> Properties -> Advanced -> IP Settings, remove the check in "Use default gateway in remote network".

(Or something like that, my Windows 8 is Danish.)

Lenne

Posted 2011-02-19T16:25:26.903

Reputation: 1 163

The only thing to mention is that your DNS requests will be forwarded to your VPN network's DNS server, not your local router's, which will cause your DNS requests for local LAN machine names to be resolved at the VPN's DNS server, which will most probably fail. – Mladen B. – 2016-06-09T12:38:40.090

Not seeing this option in Windows 10 – Douglas Gaskell – 2018-07-09T22:01:27.927

2

You can enable split tunneling using PowerShell too. For example, in Windows 10 the "Use default gateway in remote" option is not accessible.

    Set-VpnConnection -Name vpn-connection-name -SplitTunneling $true

Alexei Humeniy

Posted 2011-02-19T16:25:26.903

Reputation: 21

1

Check your Cisco VPN documentation for keywords like "default route" or "persistent route" in the hope of finding an option to turn off the setting of the default route or gateway for VPN clients.

Randolf Richardson

Posted 2011-02-19T16:25:26.903

Reputation: 14 002

I know exactly where the option is, but unfortunately it's on the VPN server which I don't control. – Domchi – 2011-02-19T21:21:05.767

1

  1. Delete all routes that point to 10.0.53.1 as gateway.
  2. Add a route to 10.0.53.0 mask 255.255.255.0 via the same gateway.

user1686

Posted 2011-02-19T16:25:26.903

Reputation: 283 655

I just tried and can't make it work. When I remove the persistent route (route delete 0.0.0.0 mask 0.0.0.0 10.0.53.1), I lose access to VPN network and still can't connect to local LAN. When I afterwards enter "route add 10.0.53.0 mask 255.255.255.0 10.0.53.1" I get the message: "The route addition failed: Element not found." Only when I disconnect from VPN can I again access local LAN. – Domchi – 2011-02-19T21:23:06.700

1

I talked with the VPN guy at our company. It seems that Cisco VPN messes with networking on a lower level, so it's not possible to modify routes in this way. While it didn't solve my problem, your answer helped me so I'm accepting it. – Domchi – 2011-02-22T21:33:20.887