Split Tunnel VPN using incorrect Tunnel

Tags: tunneling, vpn

Our company has a handful of field offices that have recently been set up with a regular internet connection after we removed the T1 and router that connected them directly to our network. Now, when the users are in the office, they log in to the VPN to be able to connect to the network.

For the sake of them being able to print and scan from the local multi-function we have set up a split tunnel VPN. We currently have about 15-20 users using this setup around the country without any problems.

Recently one of our users started having problems accessing internal programs/sites when connecting from both home and the office. There are three other users in the same office and they do not have this problem. I assumed that it was something with the computer and went ahead and replaced it with another of the same model. The computer worked fine in our home office; however, when the user received it, she had the exact same problem both at home and in the field office.

Thinking it may be a NIC driver issue I sent her another computer, this time a different model, same problem occurred.

If I update the hosts file to point to the correct paths, things will work, and if I connect via a normal VPN connection everything works, but the user cannot scan or print – which is a problem. I have tried to find ways to create another tunnel on a normal VPN and have tried to find ways to force the correct tunnel on the split tunnel VPN.

It appears that there is something related to the ISP because if I connect to Comcast or Verizon it is fine but once she connects to Insite then she has problems. I have been unable to get any support from Insite as they don't feel the issue is with them. We use a Nortel VPN client.

Any thoughts or ideas would be appreciated.

Best Answer

This will definitely be dependent on the VPN client you use.

At our site we use Server 2003 with RRAS for VPN connections and I had similar issues that I resolved by making a custom VPN "connectoid" using the Microsoft CMAK (Connection Manager Administration Kit).

I used this guide while creating the client: http://www.isaserver.org/tutorials/work-around-VPN-clients-split-DNS.html. It helped me to get clients to connect and use DNS servers at the office for name resolution, but also allows all internet-destined traffic to use the local gateway properly.

Your issues, if they are like mine, have to do with 2 things.

  1. VPN connections are low on the bind order for DNS in Windows by default. This means that it will favor your local LAN DNS servers over your VPN connection's servers unless you tell Windows to favor your VPN connection over the others.

  2. DNS resolution isn't working properly because no DNS suffix is specified for the VPN connection. Even if you are looking at the right DNS servers, if no search suffix is configured for that link the machine will fail to convert the name "server" to "server.domain.com" when performing a lookup. Unless you reference everything using the FQDN, which I have never seen in practice, this could be a show-stopper as well.

Hopefully the guide for the 2003 CMAK kit and this information will help you to get the Nortel client working in your environment.

HOWEVER, another option for these networks is to use a gateway that can do IPsec with your main site so that users aren't required to connect using individual VPN connections while they are at any of your sites. pfSense is a great BSD-based firewall/router distro that has done an amazing job for me in the past. I've used pfSense in production to pipe 150+ users over an IPsec connection with a Cisco device on the other end and it didn't even bat an eye.

Get back with more information if you think I have misunderstood your issue!
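The two causes the answer names (DNS bind order and a missing connection-specific suffix) can be checked on the affected machine rather than guessed at. The script below is an added diagnostic, not code from the question or the answer: it assumes Windows 8 / Server 2012 or later (the NetTCPIP and DnsClient modules), and the adapter wildcard, internal suffix and test host name are placeholders to adjust. Run it with the VPN connected; add `-Fix` from an elevated shell to apply the two corrections.

```powershell
# Added diagnostic for the two DNS causes above; not from the original answer.
# Assumes Windows 8 / Server 2012+ (Get-NetIPInterface, Get-DnsClient, Resolve-DnsName).
[CmdletBinding()]
param(
    [string]$VpnAdapter     = '*VPN*',          # assumption: wildcard matching the VPN adapter alias
    [string]$InternalSuffix = 'corp.example',   # assumption: placeholder for your internal DNS zone
    [string]$TestHost       = 'server',         # a short name that should resolve to an internal IP
    [switch]$Fix                                # apply corrections (requires an elevated shell)
)

$vpn = Get-NetAdapter | Where-Object { $_.InterfaceAlias -like $VpnAdapter -and $_.Status -eq 'Up' } |
       Select-Object -First 1
if (-not $vpn) { throw "No connected adapter matching '$VpnAdapter'; connect the VPN first." }
$idx = $vpn.InterfaceIndex

# --- Cause 1: Windows sends DNS queries to the interface with the LOWEST metric first.
$ifaces = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Sort-Object InterfaceMetric
"`nIPv4 interface metrics (lowest metric's DNS servers are asked first):"
$ifaces | Format-Table InterfaceAlias, InterfaceMetric, AutomaticMetric -AutoSize | Out-String

$vpnIf  = $ifaces | Where-Object { $_.InterfaceIndex -eq $idx }
$lowest = $ifaces | Select-Object -First 1
if ($vpnIf -and $vpnIf.InterfaceMetric -gt $lowest.InterfaceMetric) {
    "PROBLEM: '$($vpnIf.InterfaceAlias)' (metric $($vpnIf.InterfaceMetric)) is outranked by " +
    "'$($lowest.InterfaceAlias)' (metric $($lowest.InterfaceMetric)), so LAN/ISP DNS answers first."
    if ($Fix) {
        # Metric 1 is the lowest allowed; this also switches AutomaticMetric off for the VPN link.
        Set-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4 -InterfaceMetric 1
        "  -> VPN interface metric set to 1"
    }
}

# --- Cause 2: with no connection-specific suffix, 'server' is never tried as 'server.<suffix>'.
$dns     = Get-DnsClient -InterfaceIndex $idx
$servers = (Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4).ServerAddresses
"`nVPN DNS servers   : $(if ($servers) { $servers -join ', ' } else { '(none)' })"
"VPN DNS suffix    : '$($dns.ConnectionSpecificSuffix)'"
"Global search list: $((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')"
if (-not $dns.ConnectionSpecificSuffix) {
    "PROBLEM: no connection-specific suffix on the VPN link; short names will not be qualified."
    if ($Fix) {
        Set-DnsClient -InterfaceIndex $idx -ConnectionSpecificSuffix $InternalSuffix
        "  -> suffix set to $InternalSuffix"
    }
}

# --- Verify: short name vs. FQDN, through the normal resolver and directly at the VPN's DNS server.
function Format-Answer($records) {
    $ips = @($records | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    if ($ips.Count) { $ips -join ', ' } else { '(no answer)' }
}
"`nLookup results (FQDN ok but short name failing => suffix; VPN server ok but default failing => bind order):"
foreach ($name in @($TestHost, "$TestHost.$InternalSuffix")) {
    $viaDefault = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue
    $viaVpn = if ($servers) {
        Resolve-DnsName -Name $name -Type A -DnsOnly -Server $servers[0] -ErrorAction SilentlyContinue
    }
    "{0,-40} default: {1,-18} via VPN DNS: {2}" -f $name, (Format-Answer $viaDefault), (Format-Answer $viaVpn)
}
```

The final table is the useful part: if the FQDN resolves but the short name does not, the suffix is missing; if a name resolves when asked of the VPN's DNS server but not through the default resolver, the ISP's or LAN's servers are being consulted first. Either result also explains why editing the hosts file "fixes" the symptom, since the hosts file is consulted before any DNS query is sent.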
