Subnet / VPN Problem - KiXtart.org - official site

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Basic Scripting » Subnet / VPN Problem

Page 1 of 2

1

Topic Options

#192843 - 2009-03-12 05:10 PM Subnet / VPN Problem
aacajo aacajo Fresh Scripter Registered: 2009-02-13 Posts: 34 Loc: Canada	I've run in to a problem on my script. Some users in our corporation use VPN clients internally and externally. I have my logon script set up so that it looks at the 3rd octet of the subnet to determine what drives need to map as our remote offices are split up by the 3rd octet... The problem is the VPN gives an IP of 172.16.x.x and the internal address is 192.168.x.x. Is there a way to bypass the VPN address and look at the internal address? And if the internal address is a non private ip address map a certian set of drives (Connected with aircard)? Right now im using SELECT and CASE to split up the subnet mappings. Thanks again everyone has been very helpful here!
Top

#192844 - 2009-03-12 05:12 PM Re: Subnet / VPN Problem [Re: aacajo]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	if it was a network I control, I would fix the vpn, so it would give the correct IP's $\:\)$ _________________________ ! download KiXnet
Top

#192845 - 2009-03-12 05:52 PM Re: Subnet / VPN Problem [Re: Lonkero]
BradV BradV Seasoned Scripter Registered: 2006-08-16 Posts: 687 Loc: Maryland, USA	What do you get on a system with an active VPN when you issue "ipconfig /all" at a command prompt? I think it should list the VPN "adapter" separate from your local connection adapter. If so, just shell out and dump ipconfig /all to a file and then parse it in kixtart to get the information you need.
Top

#192846 - 2009-03-12 06:10 PM Re: Subnet / VPN Problem [Re: Lonkero]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4401 Loc: New Jersey	What makes you think the addresses are incorrect? Not everyone allows VPN connections directly to their primary network, nor does everyone have a flat address scheme. Our network uses 172.16 addresses at HQ and 172.17-18 at remote sites.. we have several security tiers with distinct VLANs. The VPN endpoints are in a 10.0.0.x network so they don't conflict with anything and can be quarrantined as necessary. The DMZ subnets are in 192.168.x.x range. As to the actual problem.. what you are saying either is in conflict or is incomplete.. You have a main office using 192.168.x.0 network(s). You have branch offices using 192.168.Y.0 networks, where "Y" represents one or more remote locations. RIGHT?? The branch locations have a network, right? Is the branch connected to the main office via a Site-Site VPN, or do individual users use VPN to connect? If you have a Site-Site VPN, the user's would have no clue as to the VPN addresses as they would have only local IPs, and your subnet detection running on the client workstations would work properly. If you're running some individual VPN connections, they would be treated differently and get a random VPN address. The local address would basically be meaningless, and would depend on where they were connecting from (home, StarBux, etc). You might be able to assign static VPN addresses and look them up based on that. You need to better describe your environment before we can provide accurate answers. What kind of VPN (MS, Cisco, other).. Individual or Site-Site, etc.. Glenn _________________________ Actually I am a Rocket Scientist! $\:D$
Top

#192847 - 2009-03-12 06:14 PM Re: Subnet / VPN Problem [Re: BradV]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	uhm. so I understood wrong? I thought he wanted the corporate subnet when the vpn subnet is separate. kind of like: office - 192.168.1.0 vpn - 172.16.129.0 homeLAN - 10.1.10.0 _________________________ ! download KiXnet
Top

#192848 - 2009-03-12 06:17 PM Re: Subnet / VPN Problem [Re: Glenn Barnas]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	glenn, did you respond to me? I see it's wrong if he can't use them like he wants to $;\)$ _________________________ ! download KiXnet
Top

#192850 - 2009-03-12 07:15 PM Re: Subnet / VPN Problem [Re: Lonkero]
aacajo aacajo Fresh Scripter Registered: 2009-02-13 Posts: 34 Loc: Canada	Alright branch offices are site to site VPN connections...but you're right internal users do not see that nore care about it as their traffic just goes through it. Thus the mappings for remote sites works fine. The ones having problems are using Netmobility Netmotion clients on their computers. Virtual adapter gives them the VPN address 172.16.x.x they also have an internal ip address of 192.168.x.x. Main office is also split based on floor on the 3rd octet. So 9th floor is 192.168.9.x and 10th floor is 192.168.10.x and so on....the branch offices are also unique identified by the 3rd octet. So they would have something like 192.168.72.x etc.. Sometimes the users are in the field sometimes they are in the office. The VPN on their workstations is always connected as they do not have permission to bypass it. VPN addresses are assigned by DHCP/Address pool in the subnet 172.16.x.x. This allows them to connect anywhere...whether it be on our network or from their hotel room/aircard. Problem is this: $subnet=VAL(SUBSTR(@IPAddress0,9,3)) If the 172.16.x.x address gives out the same 3rd octet as one of the internal addresses it will use the mapping for 192.168.Y.x where Y is the same as the 172.16.X.x. Is there possibly a way for it to bypass looking at the Virtual Adapter and just look at the local area connection address? Let me know if I need to clairfy I suck with words...Thanks again! P.S. I'll look up on the parsing I'm not really sure where to start with that
Top

#192851 - 2009-03-12 07:44 PM Re: Subnet / VPN Problem [Re: aacajo]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	oh. so your VPN clients have double private addresses at work... well, you should first match the ipaddressX: Code: $ipList = $ipAddress0,$ipAddress1,$ipAddress2,$ipAddress3 for each $ip $ipList if "192.168." = left($ip,8) $subnet=VAL(SUBSTR(@IPAddress0,9,3)) endif next but wouldn't this cause trouble when they are at home or somewhere where they also have same subnets? I think you should also check for some other info, as example dns suffix for the connection... _________________________ ! download KiXnet
Top

#192854 - 2009-03-12 08:35 PM Re: Subnet / VPN Problem [Re: Lonkero]
aacajo aacajo Fresh Scripter Registered: 2009-02-13 Posts: 34 Loc: Canada	Sorry for my newbie questions but what is the $ip for? And if I'm understanding this code right, it is going through each $ipAddress and checking if the first 8 characters are 192.168. If they are it sets the $subnet and moves on?
Top

#192856 - 2009-03-12 09:03 PM Re: Subnet / VPN Problem [Re: aacajo]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4401 Loc: New Jersey	Lonk's example is missing an "in".. $ip is the var that enumerates the elements of the $ipList array. You might want to try using InSubnet() Code: If InSubnet('192.168.12.243', '192.168.8.0/21') 'Is in subnet!' ? EndIf or even better, the IsInSubnet(), which takes an array of subnets and tells you which subnet a given IP is in.. Glenn _________________________ Actually I am a Rocket Scientist! $\:D$
Top

#192857 - 2009-03-12 09:14 PM Re: Subnet / VPN Problem [Re: Glenn Barnas]
aacajo aacajo Fresh Scripter Registered: 2009-02-13 Posts: 34 Loc: Canada	Very nice that will work! Thanks again!
Top

#192858 - 2009-03-12 09:16 PM Re: Subnet / VPN Problem [Re: aacajo]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	so, what was wrong with my example? other than the missing "in"? _________________________ ! download KiXnet
Top

#192860 - 2009-03-12 09:26 PM Re: Subnet / VPN Problem [Re: Lonkero]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4401 Loc: New Jersey	The problem with the typical Left/Right/SubStr method of IP subnet matching is that it doesn't scale at all, much less well, and doesn't take netmasks into account.. you need to match specific values. This results in lots of duplicate code for matching each possible network. With the two functions mentioned, you supply a host address, and a network address with an ARBITRARY netmask.. so - if you wanted to perform a task for anyone in the 192.168.8,9,10,or 11.x subnets, you could do Code: If InSubnet('192.168.12.243', '192.168.8.0/22') 'Is in subnet!' ? EndIf instead of hard coding 4 separate matches. This works even if these are four distinct networks with 255.255.255.0 netmasks. aacajo - make sure you download and install the appropriate UDF - InSubnet is on my web site, and IsInSubnet is here and on my site. Glenn _________________________ Actually I am a Rocket Scientist! $\:D$
Top

#192864 - 2009-03-13 10:21 AM Re: Subnet / VPN Problem [Re: Glenn Barnas]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	you're right. I just wanted to quickly respond instead of making proper teacher's approach $;\)$ _________________________ ! download KiXnet
Top

#192865 - 2009-03-13 12:47 PM Re: Subnet / VPN Problem [Re: Lonkero]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4401 Loc: New Jersey	Not a right/wrong approach, but a matter of flexibility. For example, my employer has over 250 locations in the US alone. We recently needed to install & configure email archiving, and deployed it by region. The 5 offices in the Pittsburgh area are considered "Western PA", and each has a /24 network in the 10.17/24-31.0 range. The assignments are not sequential, but only 5 networks are assigned. When we were ready to deploy, I simply obtained the IP address and did an InSubnet($IP, '10.17.24.0/21') to install the software. In a small network, ripping apart the IP and doing string or numeric comparisons will work fine, but as the network grows, it becomes unwieldy. The InSubnet UDFs actually convert the IP address of the host and network to decimal numbers, and convert the netmask to a number representing the network size, so it becomes easy to tell if the number representing the IP is between the beginning and ending network address ranges. Having multiple methods to solve a problem is great, from brute force to finesse, or something in-between. Not only does it offer a choice of solutions but illulstrates different methods - a training exercise always! Glenn _________________________ Actually I am a Rocket Scientist! $\:D$
Top

#192866 - 2009-03-13 12:56 PM Re: Subnet / VPN Problem [Re: aacajo]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4401 Loc: New Jersey	Aacajo, The UDFs that I referenced will work well ONLY if you can obtain the correct IP address. Take a look at the NICInfo() UDF - latest code on my web site. It will return the IP info (along with much other data) for every physical network adapter. It specifically ignores pptp type adapters, WAN adapters, Parallel adapters, and so on, so it might be the best choice to find the physical adapter's IP. Pay close attention to the example in the code header, as the UDF returns an "array of arrays". you might try something like Code: $aNIC = NICInfo() For Each $Nic in $aNIC If Not InStr($Nic[0], 'VPN') ; not a VPN adapter $IPSettings = Split($Nic[7], ',') ; IP, Mask, Gateway * If IsInSubnet($IPSettings[0], $Networks) ; do stuff! EndIf EndIf Next * The IPSettings array might have multiple addresses separated by spaces.. if that's the case (which is very unlikely for workstations) you will need to split again and use the first IP. Glenn _________________________ Actually I am a Rocket Scientist! $\:D$
Top

#192867 - 2009-03-13 02:24 PM Re: Subnet / VPN Problem [Re: Glenn Barnas]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	glenn, the scrolling in your function library doesn't work correctly... looking at nicInfo() I have 3 vertical scrollbars. also, I just did similar stuff with vb... you could revisit the udf if you have time. the IPEnabled and iproutingmetric properties (not 100% sure on the names) for wmi are easy to pull and reveal if interface is used in tcpIP and in use. just a thought... _________________________ ! download KiXnet
Top

#192870 - 2009-03-13 03:25 PM Re: Subnet / VPN Problem [Re: Lonkero]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4401 Loc: New Jersey	Re: website.. I'll see if I can remove the vertical scrollbar from the iFrame, but the left scrollbar is for the dynamic list of UDFs, the right is from IE itself. I can see where the iFrame vertical scrollbar can be confusing, especially since it doesn't actually scroll. As for WMI, there's a corresponding WMINicInfo UDF.. I still use NICInfo with the registry scrapes because it's WAY FASTER for evaluating the local interfaces. WMINicInfo is more versatile as it works well locally or remotely, and often faster on remote systems, but I keep NicInfo around for local-only queries. Depends on the application. For aacajo's needs, NicInfo is appropriate as it's only looking at the local system. I'll take a look at the WMI stuff for the WmiNicInfo - should have time this weekend.. thanks for the ideas. Glenn _________________________ Actually I am a Rocket Scientist! $\:D$
Top

#192876 - 2009-03-13 08:44 PM Re: Subnet / VPN Problem [Re: Glenn Barnas]
aacajo aacajo Fresh Scripter Registered: 2009-02-13 Posts: 34 Loc: Canada	Hmm UDF...don't know why I ran off here thinking I knew what I was talking about.... So I'll try your UDF but Lonkero brought up a valid point. Since our internal addressing can be close to peoples home networks because most people tend to use the class C approach...I cannot match simply on IP address alone. I was going to also see if I could match on DNS suffix for the local area adapter. If not domain.com then skip mapping printers... I noticed this in the registry under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces I could compare things to here to make it a bit easier but they keys are different per computer\interface making it hard... Does your UDF grab the dns suffix as well? I'll try and put it in my code and give it a shot I'll let you guys know. Thanks again so much for the help!
Top

#192877 - 2009-03-13 08:52 PM Re: Subnet / VPN Problem [Re: aacajo]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4401 Loc: New Jersey	There are two functions that return identical data - one via registry and one via WMI. Both return the following NIC Elements: 0 : Adapter Description 1 : Manufacturer 2 : NIC GUID 3 : Speed/Duplex value 4 : Speed/Duplex text 5 : Driver Version 6 : DHCP boolean (1=Use DHCP) 7 : IP settings (address,mask,gateway) , * 8 : Domain Info: Hostname;Connection;Primary;Search List , * 9 : DNS Server list 10 : DHCP Server, Lease Aquired, Lease Expires (if DHCP is enabled) 11 : WINS Server list 12 : Interface Name 13 : Fixed Name Servers 14 : Reserved for future use 15 : NIC Status (2=Ready,0=Disabled...) 16 : MAC Address - only if NIC is enabled/connected 17 : TEAM flag (Name of Team - HPTeam, Intel Team, etc.) 18 : # of adapters in team 19 : ID (GUIDs) of adapters in team IP info is in element 7, and DNS name in element 8. Glenn _________________________ Actually I am a Rocket Scientist! $\:D$
Top

Page 1 of 2

1

Previous Topic

Previous Topic View All Topics

View All Topics

Index Next Topic

Next Topic

Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart

Hop to:

Shout Box

Who's Online

0 registered and 874 anonymous users online.

Newest Members

StuTheCoder, M_Moore, BeeEm, min_seow, Audio
17884 Registered Users

Generated in 0.078 seconds in which 0.03 seconds were spent on a total of 14 queries. Zlib compression enabled.

click tracking