I have a Windows 2003 RAS server configured for VPN. The server has one NIC
with address mask RAS is configured to get
client IP addresses from a DHCP server. The DHCP server issues addresses in
the range with a mask of This
has all been working fine for months.

Recently I moved an application server into a subnet and now VPN clients
cannot reach it. The app server has IP address mask

When a Win XP VPN client first connects to the RAS server, the 'route print'
command shows an entry like this

Net Dest Netmask Gateway Interface Metric 1

where is the IP address of the PPP adapter. Connections to the
app server at are correctly routed out through the PPP adapter
to the RAS server, sent through the RAS server's default gateway to the app

After a few seconds, the routing entry changes its Netmask to look like this

Net Dest Netmask Gateway Interface Metric 1

Now packets from the VPN client to the app server are excluded from this
route, get sent to the XP machine's default router which is outside the
internal network and so fail to reach the app server.

I have found two solutions but both are less than satisfactory.

Solution 1. Check the "Use default gateway on remote network" box in the
client VPN properties. This works, but now *all* traffic, including AIM
messages, HTTP requests, etc. is routed through the RAS server when it
doesn't need to be. This slows everything down.

Solution 2. Manually add a routing entry to the Win XP client like this
route add mask metric 1
which forces packets to the app server to use the PPP interface. This works,
but is very inconvenient for the user and not simple to script since the PPP
adapter address is different each time.

What I want is for all and only traffic destined for mask to use the PPP adapter but don't know how to achieve that. I
thought of having the RAS server use its own static address pool of client
addresses (rather than using DHCP) but don't see how to set the network mask
for that pool.


Thanks for your help.
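
An added example, not part of the original post: one way to script Solution 2 so that only the app server's subnet uses the VPN, by reading the current PPP adapter address from `ipconfig` output and building the `route add` command from it. The function names are hypothetical, and every address is a constructed placeholder because the post's own addresses are not shown.

```python
import ipaddress
import re
import subprocess

# Constructed sample of Windows XP `ipconfig` output. All addresses are
# placeholders (documentation ranges), not the poster's real values.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 203.0.113.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 203.0.113.1

PPP adapter Office VPN:

        IP Address. . . . . . . . . . . . : 192.0.2.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
"""

def ppp_adapter_address(ipconfig_text):
    """Return the IP address listed under the first 'PPP adapter' section."""
    in_ppp = False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace():   # unindented line = section header
            in_ppp = line.startswith("PPP adapter")
        elif in_ppp:
            m = re.match(r"\s*IP Address[ .]*:\s*(\S+)", line)
            if m:
                return str(ipaddress.IPv4Address(m.group(1)))
    return None

def route_add_command(dest, mask, gateway):
    """Build the 'route add' arguments; reject a dest/mask with host bits set."""
    net = ipaddress.IPv4Network("%s/%s" % (dest, mask), strict=True)
    gw = ipaddress.IPv4Address(gateway)      # raises ValueError if malformed
    return ["route", "add", str(net.network_address), "mask",
            str(net.netmask), str(gw), "metric", "1"]

if __name__ == "__main__":
    # Placeholder destination: replace with the app server's subnet and mask.
    DEST, MASK = "198.51.100.0", "255.255.255.0"
    text = subprocess.check_output(["ipconfig"], universal_newlines=True)
    gw = ppp_adapter_address(text)
    if gw is None:
        raise SystemExit("VPN is not connected (no PPP adapter found)")
    subprocess.check_call(route_add_command(DEST, MASK, gw))
```

Run it after the VPN connects; `route add` needs administrator rights on the client, and the route disappears when the PPP adapter goes away.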