[vpn-help] local lan access

Romain De Rasse r.derasse at yahoo.fr
Sat Jan 15 05:10:43 CST 2011

Le 14.01.2011 03:27, kevin vpn a écrit :
> On Thu, 13 Jan 2011 08:47:14 +0100
> Romain De Rasse<r.derasse at yahoo.fr>  wrote:
>> Hi,
>> I'm setting up an  IPSec VPN tunnel with a Juniper SSG140 appliance
>> and I'm having an issue. The Juniper type of IPSec VPN is route-based
>> Dialup VPN.
>> When the client device is connected to the VPN, it's still able to
>> access the local LAN even if I use an "IPsec Policy Manual
>> Configuration" along with this "Topology Entry" :
>> - Type : Include
>> - Address :
>> - Netmask :
>> Is there a way to prevent the connected client device from accessing
>> the local LAN ?
> Hi roms,
> When you do a route-based VPN on NetScreen, that can be made into a
> bi-directional tunnel.  You should try doing a traceroute (tracert in
> Windows CMD prompt) to see if your traffic is actually going out to the
> gateway and then coming back. If that is what is happening, then you
> need to put a rule preventing the local LAN access on the NetScreen.
> Alternatively, is there a chance that you have both a wired and
> wireless connection on your PC, and that the local LAN access is
> happening via the other adapter?
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
Hi Kevin,

thanks for your answer. Id did a traceroute and I'm sure that the ping 
doesn't enter the tunnel and then comes back in the local lan through 
the tunnel.
The wireless adapter of my laptop is desactivated.

I found a solution, but it's not a good one : in order to prevent the 
local LAN access, there must be a route with next hop in the tunnel 
(that is, an Include Topology Entry) which match more precisely the 
local traffic than the directly connected route I can see using the 
"route print" dos command.

For example, a client in the LAN must have this Topology 
Entries (or something like that I tried it at work yesterday I'm not 
sure about the details) :

- Type : Include
- Address :
- Netmask :


- Type : Include
- Address :
- Netmask :

This is a bad solution for me because the clients will be located in a 
lot of different local LAN address plans, and the configurations of the 
clients has to be the same in order to perform simple remote automatic 
installation. Moreover the users are not administrators, it will cause a 
lot of problems if they have to perform this little part of the 

I should check the source code and try to adapt it  :) but I'm running 
out of time.

Thanks anyway.


More information about the vpn-help mailing list