Printing at home whilst connected to a VPN (Cisco)



Good evening to the wise-ones at Neowin.

I am attempting to set up my dad's laptop so that it can print through the home network regardless of whether he is connected to his company's VPN or not. Now whilst it might not be such a big deal to click the disconnect button, print and then reconnect - I am always a fan of having things run as smoothly as possible!

I followed a guide here to no avail.

I'll add that his laptop is using XP pro and my PC (serving the printer) is on 7 Home Premium.

My PC is automatically assigned the 192.168.0.2 IP address whilst the router obviously gets the first slot.

I attempted to add a persistent route via cmd on his laptop using this:

route -p add 192.168.0.2 MASK 255.255.255.255 192.168.0.1

Although typing "route print" shows that it has indeed been added as a persistent route, I still get a "request timed out" message if I attempt to ping my machine (192.168.0.2).

Any clues????


Most likely your Cisco vpn is set up to not allow split tunnel, i.e. while connected to the vpn you're only allowed access to the vpn network.

You can view this setting in the vpn client. Look at the props of your connection -- if not set to allow local, you're out of luck - adding routes won't do any good.

[attached image: post-14624-12765431434676.jpg]

Now you can try allowing it - but the vpn server you connect to can force whatever settings it wants, etc.

edit: if this is the case, you're going to need to directly connect the printer to his machine to be able to print while connected to the vpn. Or have to print to say xps or pdf, etc. Then later can print that to paper.


Thanks for the prompt reply! I had a look through the settings earlier and noticed that this option is definitely ticked.

Edit: I just tried changing the subnet mask in the route to 255.255.255.0 (as that is what is listed in ipconfig) and I get a message telling me that the mask is invalid. However it will accept the route with a mask of 255.255.255.255?

Please forgive my utterly novice networking knowledge!


so it is ticked -- then you should be able to get local access. Should not even need to add a route.

If your computer is on the same network you would not need a route, he would have an interface already on that network..

You only need route when not on your local segment.

edit: I would remove that route you put in, so when not on vpn you can ping printer ip.. But when connected to vpn not able to ping? What is the vpn network you're getting?? What is the route the vpn is using?

Where you can run into issues - if the vpn network you're connecting to is the same as your local network.

So for example, home network 192.168.0.0/24 and work network is 192.168.0.0/24 -- going to have problems!! If work is using the same network, change your home network to be say 192.168.1.0/24 on your router --- so now all devices on your network would get 192.168.1.0 mask 255.255.255.0 -- router's LAN IP would be for example 192.168.1.1


Connected to VPN:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 8b cf 34 7c ...... Broadcom NetXtreme 57xx Gigabit Controller - Tee
fer2 Miniport
0x3 ...00 1b 77 18 b9 91 ...... Intel(R) PRO/Wireless 3945ABG Network Connection
 - Teefer2 Miniport
0x70005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Teefer2 Miniport

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    172.17.180.46   172.17.180.46       1
       10.100.2.0    255.255.255.0      192.168.0.1     192.168.0.4       1
     64.208.86.69  255.255.255.255      192.168.0.1     192.168.0.4       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.17.0.0      255.255.0.0    172.17.180.46   172.17.180.46       25
    172.17.180.46  255.255.255.255        127.0.0.1       127.0.0.1       25
   172.17.255.255  255.255.255.255    172.17.180.46   172.17.180.46       25
      192.168.0.0    255.255.255.0      192.168.0.4     192.168.0.4       25
      192.168.0.0    255.255.255.0    172.17.180.46   172.17.180.46       1
      192.168.0.1  255.255.255.255      192.168.0.4     192.168.0.4       1
      192.168.0.4  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.0.255  255.255.255.255      192.168.0.4     192.168.0.4       25
      192.168.1.0    255.255.255.0      192.168.0.1     192.168.0.4       1
    192.168.254.0    255.255.255.0      192.168.0.1     192.168.0.4       1
        224.0.0.0        240.0.0.0    172.17.180.46   172.17.180.46       25
        224.0.0.0        240.0.0.0      192.168.0.4     192.168.0.4       25
  255.255.255.255  255.255.255.255    172.17.180.46   172.17.180.46       1
  255.255.255.255  255.255.255.255      192.168.0.4               2       1
  255.255.255.255  255.255.255.255      192.168.0.4     192.168.0.4       1
Default Gateway:     172.17.180.46
===========================================================================
Persistent Routes:
  None

Disconnected:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 8b cf 34 7c ...... Broadcom NetXtreme 57xx Gigabit Controller - Tee
fer2 Miniport
0x3 ...00 1b 77 18 b9 91 ...... Intel(R) PRO/Wireless 3945ABG Network Connection
 - Teefer2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.4       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.4     192.168.0.4       25
      192.168.0.4  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.0.255  255.255.255.255      192.168.0.4     192.168.0.4       25
        224.0.0.0        240.0.0.0      192.168.0.4     192.168.0.4       25
  255.255.255.255  255.255.255.255      192.168.0.4               2       1
  255.255.255.255  255.255.255.255      192.168.0.4     192.168.0.4       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None

Does that give any clues or is there another way I can find out?

Again, many thanks.


Hmmmm --- seems odd, why do you have routes to 192.168.1/24, 192.168.254/24 and 10.100.2/24 all pointing to your 192.168.0.1 router?

But see this route

192.168.0.0 255.255.255.0 172.17.180.46 172.17.180.46

This looks to me to be your vpn connection - so your table is saying the 192.168.0.0/24 network is on the other end of the vpn connection. As well as the 172.17/16 network

The metric using the 172.17.180.46 interface is lower to get to the 192.168.0/24 than your own local interface. So I would say traffic would go down the vpn vs just using the local interface to access.

edit: ok must have missed the disconnected table.. So I would guess that the vpn client is saying to connect 10.100, 192.168.254, etc. to stay local.. But to get to the 192.168.0 or 172.17 use the vpn.. So I would change your local network to be say the 192.168.2/24

I presume those are pointed there as the router is still serving the internet connection regardless - but what's odd about that is I can't even ping the router itself whilst connected to the VPN.

I'm sorry I didn't understand the second part. Are you saying that those values will prioritise particular routes over others?

EDIT:

Okay I'll give it a shot!


Yes the metric determines which interface to use if there are multiple routes to get there.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/route.mspx?mfr=true

metric Metric : Specifies an integer cost metric (ranging from 1 to 9999) for the route, which is used when choosing among multiple routes in the routing table that most closely match the destination address of a packet being forwarded. The route with the lowest metric is chosen. The metric can reflect the number of hops, the speed of the path, path reliability, path throughput, or administrative properties.

"I presume those are pointed there as the router is still serving the internet connection regardless"

But those are all private ranges -- internet is useless to get to those networks. Notice when you're connected, the default route changes to your 172.x.x.x interface -- so all traffic that is going to an IP there is no route for would go through your vpn connection..

I would have to assume the vpn is handing out those routes -- not sure why exactly?


Still no luck unfortunately...

I've set the router to assign IPs starting with 192.168.2.2 etc. I've double checked my machine and it is assigned that IP address... unfortunately when I attempt to ping it again from the laptop I still get a timed out response when connected to the VPN.

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 8b cf 34 7c ...... Broadcom NetXtreme 57xx Gigabit Controller - Tee
fer2 Miniport
0x3 ...00 1b 77 18 b9 91 ...... Intel(R) PRO/Wireless 3945ABG Network Connection
 - Teefer2 Miniport
0xc0005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Teefer2 Miniport

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    172.17.180.13   172.17.180.13       1
       10.100.2.0    255.255.255.0      192.168.2.1     192.168.2.4       1
     64.208.86.69  255.255.255.255      192.168.2.1     192.168.2.4       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.17.0.0      255.255.0.0    172.17.180.13   172.17.180.13       25
    172.17.180.13  255.255.255.255        127.0.0.1       127.0.0.1       25
   172.17.255.255  255.255.255.255    172.17.180.13   172.17.180.13       25
      192.168.1.0    255.255.255.0      192.168.2.1     192.168.2.4       1
      192.168.2.0    255.255.255.0      192.168.2.4     192.168.2.4       25
      192.168.2.0    255.255.255.0    172.17.180.13   172.17.180.13       1
      192.168.2.1  255.255.255.255      192.168.2.4     192.168.2.4       1
      192.168.2.4  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.2.255  255.255.255.255      192.168.2.4     192.168.2.4       25
    192.168.254.0    255.255.255.0      192.168.2.1     192.168.2.4       1
        224.0.0.0        240.0.0.0    172.17.180.13   172.17.180.13       25
        224.0.0.0        240.0.0.0      192.168.2.4     192.168.2.4       25
  255.255.255.255  255.255.255.255    172.17.180.13               2       1
  255.255.255.255  255.255.255.255    172.17.180.13   172.17.180.13       1
  255.255.255.255  255.255.255.255      192.168.2.4     192.168.2.4       1
Default Gateway:     172.17.180.13
===========================================================================
Persistent Routes:
  None

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 8b cf 34 7c ...... Broadcom NetXtreme 57xx Gigabit Controller - Tee
fer2 Miniport
0x3 ...00 1b 77 18 b9 91 ...... Intel(R) PRO/Wireless 3945ABG Network Connection
 - Teefer2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.4       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.2.0    255.255.255.0      192.168.2.4     192.168.2.4       25
      192.168.2.4  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.2.255  255.255.255.255      192.168.2.4     192.168.2.4       25
        224.0.0.0        240.0.0.0      192.168.2.4     192.168.2.4       25
  255.255.255.255  255.255.255.255      192.168.2.4               2       1
  255.255.255.255  255.255.255.255      192.168.2.4     192.168.2.4       1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
  None

Also the result of pinging the router itself connected and disconnected:

C:\Documents and Settings\cholland>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 192.168.2.1: bytes=32 time=24ms TTL=64
Reply from 192.168.2.1: bytes=32 time=3ms TTL=64
Reply from 192.168.2.1: bytes=32 time=3ms TTL=64
Reply from 192.168.2.1: bytes=32 time=3ms TTL=64

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 24ms, Average = 8ms

C:\Documents and Settings\cholland>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


Well from your route table it's still saying to use the vpn interface

192.168.2.0 255.255.255.0 192.168.2.4 192.168.2.4 25

192.168.2.0 255.255.255.0 172.17.180.13 172.17.180.13 1

Notice the 1 metric, that is going to override any other route you put in there.

I'm on a Cisco vpn now.. Let me see if I can set the allow local access? Like I was saying -- even if you check that it's possible the vpn server is not allowing it.. I will check with my connection, since I know for sure they do not allow split tunnel. And see if it will let me check the box, even though not working. BRB.

edit: Yeah I double checked with my client -- and even if you check the allow, it's got to be set up on the vpn server side..

example

[attached screenshot: post-14624-12765525967842.jpg]

So does not matter if you check it on your client or not -- going to need the admins of the vpn to allow it.. So you would see something like this on the clients under stats routes.

[attached screenshot: post-14624-12765526666084.jpg]

Edited by BudMan
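
Added example (not part of the thread): the route choice described in the post above, replayed in Python over rows copied from the poster's connected route print. It assumes the usual selection order of longest matching prefix first, then lowest metric, and also checks why the earlier 255.255.255.0 mask on 192.168.0.2 was rejected; all function names are illustrative.

```python
import ipaddress

# Rows copied from the thread's "connected to VPN" route print:
# destination, netmask, gateway, interface, metric.
CONNECTED = """\
0.0.0.0          0.0.0.0    172.17.180.13   172.17.180.13       1
10.100.2.0    255.255.255.0      192.168.2.1     192.168.2.4       1
172.17.0.0      255.255.0.0    172.17.180.13   172.17.180.13       25
192.168.2.0    255.255.255.0      192.168.2.4     192.168.2.4       25
192.168.2.0    255.255.255.0    172.17.180.13   172.17.180.13       1
192.168.2.1  255.255.255.255      192.168.2.4     192.168.2.4       1
192.168.254.0    255.255.255.0      192.168.2.1     192.168.2.4       1
"""

def parse(table):
    """Turn 'route print' rows into dicts with an ip_network per route."""
    routes = []
    for line in table.splitlines():
        dest, mask, gw, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append({"net": net, "gw": gw, "iface": iface, "metric": int(metric)})
    return routes

def pick(routes, target):
    """Assumed selection order: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r["net"]]
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def shadowed_local_subnets(routes):
    """On-link subnets (gateway == interface) that lose on metric to a
    route for the same prefix on a different interface."""
    found = []
    for local in routes:
        if local["gw"] != local["iface"] or local["net"].prefixlen in (0, 32):
            continue
        for other in routes:
            if (other["net"] == local["net"] and other["iface"] != local["iface"]
                    and other["metric"] < local["metric"]):
                found.append((str(local["net"]), other["iface"]))
    return found

def mask_fits(dest, mask):
    """A route destination may not have bits set outside its mask."""
    try:
        ipaddress.ip_network(f"{dest}/{mask}")
        return True
    except ValueError:
        return False

ROUTES = parse(CONNECTED)

if __name__ == "__main__":
    for ip in ("192.168.2.2", "192.168.2.1", "10.100.2.5", "8.8.8.8"):
        r = pick(ROUTES, ip)
        print(f"{ip:12} -> {r['net']} via {r['iface']} (metric {r['metric']})")
    print("shadowed:", shadowed_local_subnets(ROUTES))
    print("192.168.0.2 with /24 mask accepted:", mask_fits("192.168.0.2", "255.255.255.0"))
```

By the table alone, 192.168.2.1 leaves through the local interface via its host route, yet the poster's ping to it still timed out while connected, so the route table is not the only thing the VPN client controls.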
Cheers man.


So I take it from that screenshot it has to be set up for specific LAN IPs as well. In that case I presume it might be a case of finding out which LAN ranges they have it set up for (if any).

Again, thanks very much for your help and your time. It's very much appreciated!


Yeah, take a look when you're connected, does it show local lan routes? In the Cisco client - for example that 10.100 network I saw, or the 192.168.254 network. If so just change your local lan to match one of those ;)


Thanks for all your help - unfortunately I can't test anything else at the moment as my dad is working away, and then I am on holiday next week so I will have to get back to this issue after next Friday.

Again, thanks so much for your time.


No problem -- I understand your pain, should not have to disconnect to print ;) Let me know if you need more help -- but it's going to come down to it that if they do not allow it, you're out of luck. Just need to hope they are allowing access to some local networks, and you can just change your network to be on that ip space.
