
Thread: VPN and routing tables

  1. #1
    Join Date
    Jul 2010
    Posts
    37

    VPN and routing tables

    I have the following scenario:
    Corporate LAN (192.168.0.0 - 192.168.7.255)
    |
    |
    |
    | ----- (192.168.1.37)
    ISA Server 2006 std. Up and running as a Firewall to accept VPN connections
    | ----- (201.xxx.xxx.35)
    I want my VPN clients to be able to remote-control their PCs on the corporate network; at this point I have no problem. But they also want to surf the web over their own DSL connection, not through the VPN tunnel, so I have cleared the option "Use default gateway on remote network" in the TCP/IP settings of the VPN connection. Now my clients connect to the VPN and surf the Internet over their DSL connection without problems, but for this to work I need to add a route to the Windows routing table so that, once connected to the VPN, the traffic to my segment 192.168.0.0/21 goes out through the virtual interface of the VPN. I do this with a connection profile created with CMAK, which runs the following:
    route add 192.168.0.0 mask 255.255.248.0 192.168.55.50
    The problem is that each time a client connects to my VPN it is assigned a different IP address within my DHCP range 192.168.7.0/24. Obviously, when I disconnect from the VPN, if the next connection is not assigned the 192.167.50 address, I have problems with the route that is added automatically, and I get the following error message:
    "Error in the addition of the route: The interface index is wrong or the gateway is not on the same network as the interface. Check the IP address table for the machine."
    The reason for the error is clear: if the VPN connection is assigned the IP 192.168.7.68 and the route add command tries to send the traffic to the IP 192.168.7.50, I get the above error. Is there any way to add a route that does not depend on a specific IP address? Also, please provide some details about IPSec, since I would like some notes on it. Thanks in advance to all for taking the time to at least read this.
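
Added example (not part of the original post): a Python model of the check behind the quoted error, and of building the route from the address assigned for the current session instead of a fixed one. It assumes the VPN adapter is point-to-point with a 255.255.255.255 mask, so only the assigned address is on-link; the function names and the 10.0.0.5 sample address are constructed.

```python
import ipaddress

CORP_NET = ipaddress.ip_network("192.168.0.0/21")   # corporate segment from the post
VPN_POOL = ipaddress.ip_network("192.168.7.0/24")   # DHCP range handed to VPN clients


def gateway_on_link(assigned_ip, gateway, iface_mask="255.255.255.255"):
    """True if `gateway` is directly reachable through the VPN interface.

    Assumption: the VPN adapter carries a /32 mask, so the only on-link
    address is the one the server assigned for this session.
    """
    iface = ipaddress.ip_interface(f"{assigned_ip}/{iface_mask}")
    return ipaddress.ip_address(gateway) in iface.network


def find_vpn_address(local_addresses, pool=VPN_POOL):
    """Pick the local address that was assigned from the VPN pool."""
    for addr in local_addresses:
        if ipaddress.ip_address(addr) in pool:
            return addr
    raise LookupError("no local address from the VPN pool; is the VPN connected?")


def route_command(assigned_ip, gateway=None, dest=CORP_NET):
    """Build the `route add` line, refusing a gateway that is not on-link."""
    gateway = gateway or assigned_ip        # default: the session's own address
    if not gateway_on_link(assigned_ip, gateway):
        raise ValueError(
            f"gateway {gateway} is not on the same network as interface {assigned_ip}"
        )
    return f"route add {dest.network_address} mask {dest.netmask} {gateway}"


if __name__ == "__main__":
    # Constructed sample: addresses present on the client after connecting.
    local = ["10.0.0.5", "192.168.7.68"]
    vpn_ip = find_vpn_address(local)
    print(route_command(vpn_ip))            # route built from the current address
    try:
        route_command(vpn_ip, gateway="192.168.7.50")   # fixed gateway from the profile
    except ValueError as err:
        print("rejected:", err)
```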

  2. #2
    Join Date
    Apr 2009
    Posts
    65

    Re: VPN and routing tables

    If you make a virtual private network (VPN) connection to certain non-Microsoft VPN servers, you may not be able to send data over the VPN connection. The problem also occurs if you are making a one-way dial-on-demand connection from a Windows 2000-based server that is running the Routing and Remote Access service to certain non-Microsoft VPN servers. You may be able to establish a VPN connection, but you do not have connectivity and the VPN connection is dropped after a time-out period. This problem only occurs when the VPN client is running one of the following programs:
    • Windows 2000 that is using Internet Connection Sharing.
    • Windows 2000 Professional that has the Incoming Connections functionality turned on.
    • Windows 2000 Server that has Routing and Remote Access installed.

    Standard Windows 2000-based VPN clients that are not running the Routing and Remote Access service do not experience this problem.

  3. #3
    Join Date
    Aug 2008
    Posts
    129

    Re: VPN and routing tables

    I would like to give some information about IPSec. IPSec is a protocol defined by the IETF to secure exchanges at the network layer. It is actually a protocol that adds security improvements to IP to ensure the confidentiality, integrity and authentication of exchanges. Transport mode primarily protects higher-level protocols:
    • IPSec retrieves data from layer 4 (TCP / transport), signs and encrypts it, and sends it to layer 3 (IP / network). This allows it to be transparent between the TCP layer and the IP layer, and as a result relatively easy to implement.
    • There are several drawbacks:

      • The IP header is generated by the IP layer, and thus IPSec cannot control it in this case.
      • It cannot mask the addresses to give the appearance of a virtual LAN between two connected LANs.
      • So this does not guarantee that unintended IP options are not used.

  4. #4
    Join Date
    Dec 2008
    Posts
    87

    Re: VPN and routing tables

    IP Authentication Header (AH) manages:
    • Integrity: covers the fields that are invariant during transmission in the IP header preceding the AH header, and the data
    • Authentication: ensures that the sender is who he claims to be
    • Protection against replay: a packet intercepted by a hacker cannot be sent again
    • It does not support confidentiality: data is signed but not encrypted

    Confidentiality: the data in the encapsulated IP datagram is encrypted. Authentication: it ensures that packets really come from the host with which it communicates (which must know the key associated with the ESP to authenticate the communication). A Security Association (SA) defines the exchange of keys and the security settings. There is one SA per direction of communication. The security parameters are:
    • AH protocol and / or ESP
    • tunnel mode or transport mode
    • the security algorithms used for encryption and integrity checking
    • the keys used
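
Added example, not from the original post: a simplified Python model of the AH integrity check described above, showing which IPv4 header fields are covered. It MACs the header with the fields that change in transit zeroed (TOS, flags/fragment offset, TTL, checksum), then the SPI, sequence number and payload; HMAC-SHA-256 truncated to 16 bytes stands in as one possible integrity algorithm, the rest of the AH header layout is omitted, and the key, addresses and function names are constructed.

```python
import hashlib
import hmac
import socket
import struct


def ipv4_header(src, dst, ttl, payload_len, tos=0, ident=0x1234, proto=51):
    """Build a 20-byte IPv4 header (protocol 51 = AH); checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident,
                       0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(header):
    """Zero the fields routers may legitimately change in transit."""
    h = bytearray(header)
    h[1] = 0                    # TOS / DSCP
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def ah_icv(key, header, spi, seq, payload):
    """Integrity check value over invariant header fields, SPI, seq and data."""
    covered = zero_mutable(header) + struct.pack("!II", spi, seq) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:16]


def ah_verify(key, header, spi, seq, payload, icv):
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(ah_icv(key, header, spi, seq, payload), icv)


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed sample key
    data = b"remote desktop traffic"        # constructed sample payload
    sent = ipv4_header("192.168.7.68", "192.168.1.37", 64, len(data))
    icv = ah_icv(key, sent, spi=0x1000, seq=1, payload=data)

    # A router decrements TTL: still valid, TTL is not an invariant field.
    hop = ipv4_header("192.168.7.68", "192.168.1.37", 63, len(data))
    print("after TTL change:", ah_verify(key, hop, 0x1000, 1, data, icv))

    # Source address rewritten: the invariant part changed, the check fails.
    forged = ipv4_header("192.168.7.99", "192.168.1.37", 64, len(data))
    print("after source change:", ah_verify(key, forged, 0x1000, 1, data, icv))
```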

  5. #5
    Join Date
    Apr 2008
    Posts
    264

    Re: VPN and routing tables

    The exchange of keys for data encryption in IPSec can be done in three ways:
    • manually: not very practical
    • IKE (Internet Key Exchange) is a protocol developed for IPSec. The fundamental role of ISAKMP (Internet Security Association and Key Management Protocol) is the establishment (negotiation and implementation), modification and deletion of SAs. It consists of two phases:

      • The first generates a protected and authenticated channel through which a secret key is exchanged, which is used to derive phase 2.
      • The second sets up IPSec with its parameters and one SA for each direction of communication. The data exchanged is protected by the channel established in phase 1.
