I have a Windows 2003 RAS server configured for VPN. The server has one NIC
with address 172.16.85.164 mask 255.255.128.0. RAS is configured to get
client IP addresses from a DHCP server. The DHCP server issues addresses in
the range 172.16.100.1-172.16.100.254 with a mask of 255.255.255.128. This
has all been working fine for months.

Recently I moved an application server into a subnet and now VPN clients
cannot reach it. The app server has IP address 172.16.201.170 mask
255.255.255.0.

When a Win XP VPN client first connects to the RAS server, the 'route print'
command shows an entry like this

Net Dest     Netmask          Gateway          Interface        Metric
172.16.0.0   255.255.0.0      172.16.100.13    172.16.100.13    1

where 172.16.100.13 is the IP address of the PPP adapter. Connections to the
app server at 172.16.201.170 are correctly routed out through the PPP adapter
to the RAS server, sent through the RAS server's default gateway to the app
server.

After a few seconds, the routing entry changes its Netmask to look like this

Net Dest     Netmask          Gateway          Interface        Metric
172.16.0.0   255.255.128.0    172.16.100.13    172.16.100.13    1

Now packets from the VPN client to the app server are excluded from this
route, get sent to the XP machine's default router which is outside the
internal network and so fail to reach the app server.

I have found two solutions but both are less than satisfactory.

Solution 1. Check the "Use default gateway on remote network" box in the
client VPN properties. This works, but now *all* traffic, including AIM
messages, HTTP requests, etc. is routed through the RAS server when it
doesn't need to be. This slows everything down.

Solution 2. Manually add a routing entry to the Win XP client like this
route add 172.16.201.0 mask 255.255.255.0 172.16.100.13 metric 1
which forces packets to the app server to use the PPP interface. This works,
but is very inconvenient for the user and not simple to script since the PPP
adapter address is different each time.

What I want is for all and only traffic destined for 172.16.0.0 mask
255.255.0.0 to use the PPP adapter but don't know how to achieve that. I
thought of having the RAS server use its own static address pool of client
addresses (rather than using DHCP) but don't see how to set the network mask
for that pool.

Ideas?

Thanks for your help.
--
Davis
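
Added example, not part of the original post: a Python sketch that checks which of the two netmasks from the post covers the app server, and builds the Solution 2 `route add` command from whatever address the PPP adapter currently holds. The `ipconfig` text and the connection name "Office VPN" are constructed sample input, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of Windows XP `ipconfig` output (not captured from the
# poster's machine); "Office VPN" is an assumed connection name.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter Office VPN:

        IP Address. . . . . . . . . . . . : 172.16.100.13
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
"""

def ppp_address(ipconfig_text):
    """Return the IP address under the first 'PPP adapter' section, or None."""
    in_ppp = False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace():   # unindented line opens a new section
            in_ppp = line.startswith("PPP adapter")
        elif in_ppp:
            m = re.search(r"IP Address[ .]*: (\d+\.\d+\.\d+\.\d+)", line)
            if m:
                return m.group(1)
    return None

def covered(dest, net, mask):
    """True if dest falls inside the route net/mask."""
    return ipaddress.ip_address(dest) in ipaddress.ip_network(f"{net}/{mask}")

def route_add_command(ipconfig_text, subnet="172.16.201.0", mask="255.255.255.0"):
    """Build the Solution 2 command with the PPP adapter's current address."""
    gw = ppp_address(ipconfig_text)
    if gw is None:
        raise RuntimeError("no PPP adapter found; is the VPN connected?")
    return f"route add {subnet} mask {mask} {gw} metric 1"

if __name__ == "__main__":
    for mask in ("255.255.0.0", "255.255.128.0"):
        print(mask, covered("172.16.201.170", "172.16.0.0", mask))
    print(route_add_command(SAMPLE_IPCONFIG))
```

The 255.255.128.0 route only spans 172.16.0.0 through 172.16.127.255, which is why 172.16.201.170 falls through to the client's default route once the mask changes.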