Markus Gaugusch wrote:
This is _not_ a good idea. All professional VPN software I know prohibits access to the internet while connected to the VPN. Even the Cisco VPN client for Linux does that! Most VPN clients also contain a small personal firewall that rejects all connections. If people need internet while using the VPN, tell them to use the proxy in your company.
Well, I don't think this might cause any problems. First, the clients are behind a router and second, Windows does no forwarding by default. When talking about the classical roadwarrior scenario, where a single remote client dials into the internet and then starts the VPN, I would agree that this might include some potential danger.

We are talking about a rather complex scenario where different clients at different locations behind (almost NAT-) routers with ADSL connections need a permanent VPN link to a central system, mainly for voice over IP purposes. If the complete internet traffic of the remote clients were routed through the ADSL connection, the bandwidth for VoIP would not be satisfactory. Besides the additional traffic cost...

I myself would prefer to just replace the consumer-style routers with professional VPN routers, put a static route to the remote LAN and a don't-forward-rule on and there we go. But the customer is not willing to pay for e.g. a bulk of PIX 501 for the employees' home offices...

So I have the fun of constructing a working, secure (kinda) and Windows-enduser-compatible solution...

Regards,
Stefan