You Cannot Connect to the Internet After You Connect to a VPN Server

After you use a Virtual Private Network (VPN) connection to log on to a server that is running Routing and Remote Access, you may be unable to connect to the Internet.

This issue may occur if you configure the VPN connection to use the default gateway on the remote network. This setting overrides the default gateway settings that you specify in your Transmission Control Protocol/Internet Protocol (TCP/IP) settings.

To resolve this issue, configure the client computers to use the default gateway setting on the local network for Internet traffic and a static route on the remote network for VPN-based traffic.

NOTE: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

Step 1: Configure the Server That Is Running Routing and Remote Access to Use a Static IP Address Pool

Windows 2000 Server

1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. Right-click the server that is running Routing and Remote Access, and then click Properties.
3. Click the IP tab, click Static address pool, and then click Add.
4. Type the start of the Internet Protocol (IP) address range in the Start IP address box, type the end of the IP address range in the End IP address box, and then click OK.
   
   NOTE: Configure a pool of static IP addresses on a different network segment than the network segment on which the internal local area network (LAN) exists.
5. Click to select the Enable IP routing check box (if it is not already selected).
6. Click OK.
7. Enable TCP/IP forwarding. For additional information about how to enable IP forwarding, click the article number below to view the article in the Microsoft Knowledge Base:
   230082  (http://support.microsoft.com/kb/230082/EN-US/ ) How to Enable TCP/IP Forwarding in Windows 2000

Windows NT Server 4.0

1. Click Start, point to Settings, click Control Panel, and then double-click Network.
2. Click the Services tab, click Remote Access Service in the Network Services list, and then click Properties.
3. Click Network, click to select the TCP/IP check box (if it is not already selected), and then click Configure next to TCP/IP.
4. Click Use static address pool.
5. Type the start of the IP address range in the Begin box, type the end of the IP address range in the End box.
   
   NOTE: Configure a pool of static IP addresses on a different network segment than the network segment on which the internal LAN exists.
6. If you want to exclude a range of IP addresses from the static address pool, type the starting IP address of the range that you want to exclude in the From box, type the ending IP address of the range that you want to exclude in the To box, and then click Add.
7. Click OK, click OK, and then click Continue.
8. Click the Protocols tab, click TCP/IP Protocol, click Properties, click the Routing tab, and then click to select the Enable IP Forwarding check box (if it is not already selected).
9. Click OK, and then click Close.
10. Click Yes to restart the computer.

Step 2: Configure the VPN Client TCP/IP Properties

To disable the Use Default Gateway on Remote Network setting in the VPN dial-up connection item on the client computer:

1. Double-click My Computer, and then click the Network and Dial-up Connections link.
2. Right-click the VPN connection that you want to change, and then click Properties.
3. Click the Networking tab, click Internet Protocol (TCP/IP) in the Components checked are used by this connection list, and then click Properties.
4. Click Advanced, and then click to clear the Use default gateway on remote network check box.
5. Click OK, click OK, and then click OK.

Step 3: Connect to the Server That Is Running Routing and Remote Access

On the client computer, connect to the Internet, and then establish a VPN connection to the server that is running Routing and Remote Access.

NOTE: You cannot connect to resources on the remote network because you have disabled the Use Default Gateway on Remote Network setting in the VPN TCP/IP configuration.

Step 4: Add a Static Route on the Client

Add a static route on the client computer that uses the following configuration:

• The remote network is the destination.
• The correct subnet mask is used for the remote network.
• The first IP address from the static IP address pool that you configured in the "Step 1: Configure the Server That Is Running Routing and Remote Access to Use a Static IP Address Pool" section of this article is the gateway.
  
  NOTE: The Routing and Remote Access server assigns this first IP address to its wide area network (WAN) Miniport driver.

For additional information about how to add a static route, click the article number below to view the article in the Microsoft Knowledge Base: For example, to add a static route to a network that has the IP address of 192.168.10.0, the subnet mask of 255.255.255.0, and the gateway (the first IP address of the range assigned to the static IP address pool) of 192.168.1.1, type the following command at the command prompt, and then press ENTER: NOTE: If you use the -p switch with Windows 2000 or Windows NT 4.0, the route is made "persistent." Use this switch to ensure that the routing entry is preserved when the computer is restarted.

NOTE: The -p switch is not supported on either Microsoft Windows Millennium Edition-based, Microsoft Windows 98-based, or Microsoft Windows 95-based computers.

To work around this issue, create a batch file that contains the necessary route add command, and then configure it to run each time that a client connects to the VPN Server.

For additional information about how to use static routes, click the article number below to view the article in the Microsoft Knowledge Base: For additional information about how to configure a VPN server, click the article number below to view the article in the Microsoft Knowledge Base: