[vpn-help] Huawei E160 using VPN - after connection loss - Traffic stops completely - related to DNS proxy daemon (still exists with v2.1.6)

Matthew Grooms mgrooms at shrew.net
Thu Jul 8 12:43:55 CDT 2010


On 7/8/2010 11:59 AM, Andreas Allacher wrote:
>
>>> Something different: I am not able to get the normal internet working
>>> after I connect through VPN. Isn't it possible to set the client up to
>>> use the normal internet connection for everything - except a certain IP
>>> range?
>>
>> Yes. But you have to configure the gateway and the client to use a
>> split tunnel. Please have a look at the policy tab on the client.
>>
> So instead of auto I would have to use Shared?

You could try using shared, but you still need to specify which networks 
should be tunneled. See the comments below ...

>>
>>> Furthermore, I noticed that the VPN client sets the default gateway for
>>> the virtual interface to the same IP as the interface's IP. Can I change
>>> the gateway somewhere because I think it might be related to this.
>>>
>>
>> This is directly related to your policy configuration. If you don't
>> specify specific networks to tunnel in the policy tab, the client will
>> attempt to send ALL traffic via the tunnel.
> So I can't setup - for instance - the router of the network I am
> tunneling to, to use as gateway?
>

No. You must uncheck the "Obtain Topology Automatically or Tunnel All" 
option and add specific remote networks. Some gateways provide a list of 
networks for split tunnels automatically during modecfg negotiation. If 
you don't connect to such a gateway but still require split tunnel, you 
must manually enter a list of networks that the remote gateway will 
allow you access to according to its policy configuration. With a split 
tunnel configuration, clients only tunnel traffic to specified networks 
( specific routes are created instead of a default route ). All other 
traffic is handled via your local internet connection.

As for the policy level ( repeating what's already in the 2.1.6 beta 9 
release notes ), if you have auto selected, the client will default to 
shared when you connect to a Cisco compatible gateway. It will default 
to unique for all other gateways. Shared creates multiple policies for 
specific remote networks but negotiates a single SA with the gateway 
using 0.0.0.0/0 ( everything ). Unique creates multiple policies for 
specific remote networks and negotiates multiple SAs with the gateway 
using the policy remote network IDs. Which one you use depends on how 
your gateway is configured.

-Matthew
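To make the policy behaviour described above concrete, here is an added Python model (not Shrew Soft code) of how the tunnel-all flag, the policy level and the list of remote networks determine which routes the client installs, which traffic selectors are negotiated, and whether a given destination goes through the tunnel or the local connection. The `Policy` fields and the sample networks are constructed for illustration.

```python
"""Model of the split-tunnel / policy-level behaviour described in the post (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    level: str = "auto"                 # auto | shared | unique
    tunnel_all: bool = True             # "Obtain Topology Automatically or Tunnel All" checked
    remote_networks: list = field(default_factory=list)  # manually entered remote networks
    cisco_gateway: bool = False         # gateway is Cisco compatible


def effective_level(p: Policy) -> str:
    """Auto resolves to shared for a Cisco-compatible gateway, unique for all others."""
    if p.level != "auto":
        return p.level
    return "shared" if p.cisco_gateway else "unique"


def tunnel_routes(p: Policy) -> list:
    """Routes the client installs for the virtual interface.

    Tunnel-all (or no networks specified) yields a default route, so ALL traffic
    is sent via the tunnel; otherwise one specific route per remote network.
    """
    if p.tunnel_all or not p.remote_networks:
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(n) for n in p.remote_networks]


def sa_selectors(p: Policy) -> list:
    """Traffic selectors negotiated with the gateway.

    shared: a single SA for 0.0.0.0/0 regardless of the route list.
    unique: one SA per policy remote network ID.
    """
    if effective_level(p) == "shared":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return tunnel_routes(p)


def next_hop(p: Policy, dst: str) -> str:
    """Where a packet to dst leaves the host.

    A tunnel route is always at least as specific as the local default route,
    so longest-prefix matching sends dst through the tunnel whenever any tunnel
    route covers it; everything else uses the local internet connection.
    """
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in r for r in tunnel_routes(p)) else "local"
```

With the flag unchecked and two remote networks listed, only those destinations go through the tunnel; a shared policy still negotiates a single 0.0.0.0/0 SA, while a unique policy negotiates one SA per network.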
