
Thread: weird cisco vpn problem!

  1. #1
    daft ideas inc. scottyman's Avatar

    weird cisco vpn problem!

    My Dad has just got here from NZ, and his laptop is playing silly buggers -
    using a cisco vpn client to get access to his office in Canberra, where their cisco vpn seems to be set to disable local net access.
    does anyone know of a way around without having to get the head of IT over there out of bed?
    I set him up with a network printer in his home office which works quite cheerfully there, and the local subnet addressing is exactly the same (hey, I like consistency!) his local IP is the same - and for some reason the vpn client is blocking access to my network printer!

  2. #2
    Administrator Moby-Dick's Avatar
    I suspect that's a "feature" of the way the Cisco VPN is set up.

    With a regular PPTP type VPN you can just tell it not to use the default gateway on the local network, but I have a feeling that the cisco client takes over your whole networking and will *only* allow traffic down the secure tunnel.

    You'd be better off connecting your printer locally (if your dad has sufficient admin rights)
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  3. #3
    Senior Member RVF500's Avatar
    A client VPN should only tunnel from the NIC on the client device, in this case your dad's laptop, to the far end which I assume will be the firewall. If you are going from the NIC to a switch and then out it may be that the VPN tunnel is passing packets through and heading straight off to the firewall and anything passing through the port for the printer is encrypted so the printer won't recognise it. Packets for the printer may be being routed this way too and not being allowed back to the printer.

    The easiest way to do things if you are having issues is to do as moby says and connect the printer locally unless you install a second NIC into the laptop and create a second network for the printer.
    "You want loyalty? ......get a dog!"

  4. #4
    Administrator Moby-Dick's Avatar
    RVF, have you had a play with the Novell VPN client? Last time I saw it, it would only route packets from the NIC down the tunnel, the client wouldn't access the local network at all (I'm assuming it modifies the local routing table for this?)

    From a security point of view, having VPN connected clients accessing the web from the client end of the tunnel isn't as secure as having all their traffic running down the tunnel and allowing web access via a server side proxy (slow, but it means that all traffic in/out of the client is encrypted)

    It may be worth seeing if there is a proxy for scottyman's dad to use on the NZ side and do any web surfing via that (or just drop the tunnel when you want to browse!)
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  5. #5
    daft ideas inc. scottyman's Avatar
    yeah - it's a hassle as he has to use it to get access to the notes client...
    will see if I can configure the printer wirelessly and will see if that helps - another option is to unbind (forget which one) one of the two ipsec policies that it applies - apparently the remote vpn settings can force application of two incompatible ipsec policies which can allow it to happen. very strange - will see what happens.
    annoyingly, without getting access to the rules, I can't tell which settings and netmask are allowed!

  6. #6
    Ex-MSFT Paul Adams's Avatar
    My dad had exactly this problem when he connected to the office from home, he spoke to me about it asking for advice but it seemed that indeed, all traffic was going through the VPN tunnel when it was established, so he could not print locally.

    This was the first time I'd heard of this, as my VPN (SecuRemote) only tunnels traffic for subnets defined in the VPN topology in the client - so long as your local subnet and remote subnet are different then it doesn't try to route local traffic.

    I can only guess it's maybe a security feature within the client (or possibly defined at the connecting end?) to prevent hijacking of data at the client end and sending elsewhere?

    I can only suggest a second NIC if the printer has to remain network connected, or connect it locally as others have suggested.


    (I used the Novell VPN client a couple of years ago, but it was over a dial-up connection - the laptop was LAN-connected at the same time, though, so a multiple NIC setup should still resolve the issue.)
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3
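
    The behaviour discussed in posts #4 and #6 can be seen from route selection alone. The sketch below is an added example, not part of any post in the thread: a simplified Python model of which interface a laptop picks with no VPN, a split tunnel, and a full tunnel. All addresses, metrics and the `build_table`/`egress` names are constructed for illustration, and a real client may enforce its policy with a packet filter as well as routes.

```python
import ipaddress

LAN, VPN = "lan", "vpn"

def build_table(local_net, mode, remote_nets=()):
    """Constructed routing table for a laptop on local_net (a model, not client output)."""
    if mode == "full":
        # Assumption: the client sends everything, local subnet included, down the tunnel.
        return [
            {"net": "0.0.0.0/0", "via": VPN, "metric": 1},
            {"net": "0.0.0.0/0", "via": LAN, "metric": 50},
            {"net": local_net, "via": VPN, "metric": 1},
        ]
    routes = [
        {"net": local_net, "via": LAN, "metric": 10},
        {"net": "0.0.0.0/0", "via": LAN, "metric": 10},
    ]
    if mode == "split":
        # Only the subnets named in the VPN topology are tunnelled.
        routes += [{"net": n, "via": VPN, "metric": 1} for n in remote_nets]
    return routes

def egress(routes, dest):
    """Interface chosen for dest: longest matching prefix first, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(r["net"]), r) for r in routes]
    matches = [(n, r) for n, r in nets if ip in n]
    if not matches:
        return None
    _, best = min(matches, key=lambda m: (-m[0].prefixlen, m[1]["metric"]))
    return best["via"]

if __name__ == "__main__":
    # Constructed sample addresses: local printer, office host, internet host.
    printer, office, web = "192.168.1.50", "10.20.1.5", "203.0.113.10"
    cases = {
        "no vpn": build_table("192.168.1.0/24", "none"),
        "split tunnel": build_table("192.168.1.0/24", "split", ["10.20.0.0/16"]),
        "split, overlapping subnet": build_table("192.168.1.0/24", "split", ["192.168.1.0/24"]),
        "full tunnel": build_table("192.168.1.0/24", "full"),
    }
    for name, table in cases.items():
        print(name, {d: egress(table, d) for d in (printer, office, web)})
```

    The overlapping-subnet case shows why a split tunnel only leaves the printer reachable when the local and remote subnets differ.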
