VPN and the Net: I want them both at the same time!
August 26, 2007 3:31 PM

VPN/Airport Express Filter: Here's my sad problem: I have Verizon Fiber Optics. Their modem is connected to my Airport Express via Ethernet. When I successfully connect to my office network via VPN I can no longer connect to the rest of the Internet. When I disconnect VPN I can immediately reconnect to the Internet...

What's apparently happening is that the tunneling feature of the Express doesn't seem to be working correctly (tunneling allows one to establish a secure network connection while still remaining connected to the unsecure Internet).

To test the source of my problem I connected my iBook directly to my Verizon modem and everything worked fine (I could connect via VPN AND to the rest of the net). However, when I went back to using my Airport Express the problem returned. According to Apple tunneling is by default turned on, but I just got a replacement Express and the problem persists (so I figure it's unlikely that I have a defective Express).

My work created a tunnel on their end as a test so that, theoretically, I should be able to have it both ways (VPN and Net) but that didn't work. A long call to Apple Support didn't yield anything and a long call to my work's tech staff didn't either.

Now what?
posted by Taken Outtacontext to Computers & Internet (11 answers total)
 
Have you tried this? While connected via your Airport Express...

1) Open Internet Connect
2) Click on the VPN toolbar icon
3) Open the menu "Connect" -> "Options"

There's a check box for "Send all traffic through VPN" (or something like that). Make sure it is unchecked.
posted by sbutler at 3:47 PM on August 26, 2007


Wow. I've been doing it the stupid way (route delete default, route add etc etc etc) for years now. Thank you sbutler!
posted by dmd at 4:12 PM on August 26, 2007


You may be able to do this via the VPN settings as well. Unfortunately, I am not so familiar with Macs. In $windows, there is a setting called "Use default gateway on remote network". With that checked (on) your Internet traffic will go through your company's network.
posted by kellyblah at 4:38 PM on August 26, 2007


Response by poster: sbutler, I see where I need to make that change. However I never set up any network details using the VPN portion of Internet Connect. I just connected to VPN via Cisco's client. I just wanted to make that clear if it makes a difference.
posted by Taken Outtacontext at 4:51 PM on August 26, 2007


Are you sure that your office allows split tunneling when on a VPN? Split tunneling is allowing a machine to route traffic to both the local network and the VPN, and can be a major security risk, so, for a lot of VPN clients, it's disabled by default. (The reason for this is that if someone on the local network were to compromise your system while you were connected to the VPN, said malicious hax0r would immediately have access to your corporate network, which is, as they say, bad pookies.) Check with your office VPN administrators to see if they have split tunneling enabled or disabled.
posted by jferg at 4:57 PM on August 26, 2007


Response by poster: Well, it was working fine (split tunneling) before I got my Airport Express. And, it works fine when I am connected directly to my Verizon modem (not going through the Express).
posted by Taken Outtacontext at 4:59 PM on August 26, 2007


My bet: your Airport Express is creating a behind-the-device network that has the same exact IP address space as your office's network, and that's causing you the problems you describe. Let's see if I can explain this; skip to the bottom of my answer for how you can probably fix it.

Your FIOS modem gives you a single IP address, an address that's on Verizon's network (so let's say it's address 128.1.1.99 or something like that). When you plug your iBook directly into the modem, your iBook gets that address. When you surf the net, your iBook knows how to contact the "next hop", or gateway, which is somewhere on Verizon's network -- that's because when your FIOS modem gave it its IP address, it also told it what the address to this machine is, and your computer knows that in order to contact every other machine on Earth (pretty much), it needs to send packets to that gateway machine. When you connect to your VPN, the Cisco VPN software contacts your company's VPN server, sets up the tunnelled connection, and gives your iBook an address on your company's internal network as well -- let's say 10.0.1.99. The VPN server also tells your iBook what the gateway machine for your company's network is (let's say it's 10.0.1.1). After all that configuration happens, your iBook then knows that to contact machines on your company's network, it should contact that gateway and to contact any machine NOT on your company's network, it should instead contact the gateway on the Verizon network.

Now, let's say that you plug your Airport Express into the FIOS modem instead. When you do this, the FIOS modem gives that 128.1.1.99 address to the Airport Express rather than your iBook. Because you only have that one IP address, your Airport Express needs to set up a "private" network -- so on one side of your AE sits the Internet (via the FIOS modem), and on the other side of your AE sits your own private network. When you connect your iBook to your AE network, your AE gives it an address on this network, and also tells your iBook that the AE itself should serve as the gateway for all its traffic. This all makes sense. But, what happens if your AE happens to be configured to use the same address space as your corporate network? That is to say, what happens if your AE sets up its private network using the address space 10.0.1.1 through 10.0.1.255, meaning that it takes the address 10.0.1.1 for itself and gives your iBook the address 10.0.1.99 (or whatever)? What it'd mean is that when you connect to your corporate network, you get another address in the 10.0.1.whatever space, and when the VPN tells your iBook to use the address 10.0.1.1 for the gateway, your iBook gets confused about whether it should use the 10.0.1.1 on your corporate network or the 10.0.1.1 that's your Airport Express. (There's a lot more technical here that could be said to elucidate on the "confused" part... suffice it to say that it's possible to set priorities for your network interfaces, but if that were set up right in your case, you wouldn't be having problems.)


OK, enough -- how do you fix it? Go into the Airport administration app, click on the "Internet" icon at the top of the configuration pane for your AE, then click on the "DHCP" tab, and look at what the "DHCP Range" pull-down menu is currently set to. After writing this down (in case you need to go back to it), change to one of the other options -- e.g., if it's currently set to "10.0.", change to "192.168." or "172.16". That should be enough to move you completely out of the space that your VPN is using. Save the changes, let your AE reboot, and try using the VPN and the internet at the same time again.

And be sure to report back -- this is a common-enough problem that I'm surprised your help desk didn't know about it (and that Apple didn't ask about it), so if it works it might help some other people 'round here.
posted by delfuego at 6:28 PM on August 26, 2007
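The routing behaviour delfuego walks through above, and the "send all traffic through VPN" (full tunnel) versus split-tunnel distinction sbutler and jferg refer to, as an added example that is not code from this thread or from Apple or Cisco: a small Python model of the iBook's routing table that does longest-prefix matching over the routes each scenario leaves behind. The corporate prefix 10.0.1.0/24 and gateway 10.0.1.1 are delfuego's constructed values; the interface names en1 and utun0, the 192.168.1.0/24 renumbered LAN and the 203.0.113.10 Internet destination are assumptions added here for the example.

```python
"""Model of a laptop's routing table with a LAN (Airport Express) interface and
a VPN tunnel interface, to show why an overlapping LAN prefix breaks split tunneling.

Added example, not code from the thread. Interface names (en1, utun0) and the
destinations below are constructed for illustration.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    net: IPv4Network      # destination prefix
    gw: Optional[str]     # next-hop address, or None for a directly connected network
    iface: str            # constructed names: en1 = Airport Express side, utun0 = VPN tunnel


VPN_PREFIX = "10.0.1.0/24"   # corporate subnet from delfuego's answer (constructed there)


def build_routes(lan_prefix: str, split_tunnel: bool, vpn_prefix: str = VPN_PREFIX) -> List[Route]:
    """Routes the laptop holds after DHCP from the Airport Express and a VPN connect.

    split_tunnel=False models the "Send all traffic through VPN" checkbox: the
    default route points at the corporate gateway instead of the Airport Express.
    """
    lan, vpn = ip_network(lan_prefix), ip_network(vpn_prefix)
    lan_gw = str(lan.network_address + 1)   # the Airport Express takes .1 on its private network
    vpn_gw = str(vpn.network_address + 1)   # corporate gateway (10.0.1.1 in the answer)
    connected = [Route(lan, None, "en1"), Route(vpn, None, "utun0")]
    if split_tunnel:
        default = Route(ip_network("0.0.0.0/0"), lan_gw, "en1")
    else:
        default = Route(ip_network("0.0.0.0/0"), vpn_gw, "utun0")
    return connected + [default]


def resolve(routes: List[Route], dst: str) -> str:
    """Longest-prefix match for dst; returns the egress interface or "AMBIGUOUS".

    Ambiguity arises when two equally specific prefixes both match, or when the
    chosen next hop is an address that exists on more than one connected network.
    A real host then falls back to interface ordering, which is the "confused"
    behaviour described in the thread.
    """
    d = ip_address(dst)
    matches = [r for r in routes if d in r.net]
    best_len = max(r.net.prefixlen for r in matches)
    best = [r for r in matches if r.net.prefixlen == best_len]
    if len(best) > 1:
        return "AMBIGUOUS"
    route = best[0]
    if route.gw is None:
        return route.iface
    on_link = [r.iface for r in routes if r.gw is None and ip_address(route.gw) in r.net]
    if len(on_link) != 1:
        return "AMBIGUOUS"
    return on_link[0]


def lan_overlaps_vpn(lan_prefix: str, vpn_prefix: str = VPN_PREFIX) -> bool:
    """The check to run before touching the VPN client: does the LAN collide with the VPN subnet?"""
    return ip_network(lan_prefix).overlaps(ip_network(vpn_prefix))


if __name__ == "__main__":
    scenarios = [
        ("overlapping LAN, split tunnel", "10.0.1.0/24", True),
        ("renumbered LAN, split tunnel", "192.168.1.0/24", True),
        ("renumbered LAN, full tunnel", "192.168.1.0/24", False),
    ]
    for name, lan, split in scenarios:
        routes = build_routes(lan, split)
        print(f"{name} (overlap={lan_overlaps_vpn(lan)}):")
        for dst in ("10.0.1.50", "203.0.113.10"):   # a corporate host, an Internet host
            print(f"  {dst:>14} -> {resolve(routes, dst)}")
```

With the Airport Express left on 10.0.1.x, both a corporate host and the Internet default route resolve as ambiguous; moving the LAN to 192.168.1.0/24 (delfuego's fix) makes the corporate host go out utun0 and the Internet go out en1, while unchecking "send all traffic through VPN" is what keeps the default route on en1 in the first place.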


Oh, and note that when your Airport Express reboots, you might have to disconnect and reconnect your iBook from it -- since the AE will change addresses, your iBook needs to get a new address from it, and sometimes the only way to make that happen is to have your iBook reconnect to it.
posted by delfuego at 6:31 PM on August 26, 2007


Response by poster: Thanks, delfuego, I will check this out.
posted by Taken Outtacontext at 12:18 PM on August 27, 2007


Response by poster: delfuego, I am looking at my Airport Admin Utility. All's well until your direction to having me click on the DHCP tab under the Internet section and look at the DHCP range. I don't see that. My config is set to "Using DHCP" and I see the IP Address, Subnet Mask, Router Address, and DNS Servers fields.

However, under the Network section "Distribute IP Addresses" is checked and my config is set at "Share a single IP address (using DHCP and NAT)" and that is set to "10.0.1.1 addressing." The choice to "share a range of IP addresses" is not selected.

Is this what you are talking about?
posted by Taken Outtacontext at 4:31 AM on August 28, 2007


Sorta -- I guess our versions of the Airport admin util are different (mine's the one that came with the new Airport Extreme base stations, but it works fine with the Airport Expresses as well). That setting you describe is the one for how you dole out addresses to all the clients on your network; what you're looking for is the setting for the actual address of your private network. That'll give you the ability to change that 10.0.X.X addressing -- you're looking for the option that'll let you change that to 172.16.X.X or 192.168.X.X addressing. It'll be there somewhere, I remember the setting from back before I had these new Extreme base stations.

I just tried to breeze through Google Images for a picture of the right screen, but I'm coming up blank.
posted by delfuego at 5:00 AM on August 28, 2007

