[FEATURE] [7.360] Cisco VPN - ALL traffic goes through ipsec..

ReD-MaN · #1 (**permalink**) 12-05-2008, 04:59 PM

Not ideal, but the the client is routing all traffic including internet over the vpn, because it has a route for 0.0.0.0 0.0.0.0 . We should be able to select if possible which routes go over the tunnel, just like with the SSL.

d12fk · #2 (**permalink**) 12-08-2008, 09:06 AM

That's actually a limitation - if you want to call it that - of the Cisco VPN Client. During IKE Phase 2 it proposes 0.0.0.0/0 as the remote network. I think there's no way around it, sorry.

gnujuba · #3 (**permalink**) 12-08-2008, 11:57 AM

Quote:

Originally Posted by ReD-MaN

Not ideal, but the the client is routing all traffic including internet over the vpn, because it has a route for 0.0.0.0 0.0.0.0 . We should be able to select if possible which routes go over the tunnel, just like with the SSL.

what you mean is called "split tunneling" and can be configured on cisco pix/asa/vpn3k just by defining what network to tunnel(*).

what about your ipsec config on the astaro? what networks did you choose as remote networks (dont know if this is the right word for the networks you want to tunnel).

* http://www.cisco.com/en/US/products/...80702999.shtml

ReD-MaN · #4 (**permalink**) 12-08-2008, 12:52 PM

Yes it is split-tunneling, which I have enabled on all my ASA firewalls at work.

Here is a screenshot showing how I only secure routes for the remote networks, and interntet still goes out locally, when I connect to Cisco firewalls.

gnujuba · #5 (**permalink**) 12-08-2008, 01:10 PM

Quote:

Originally Posted by ReD-MaN

Yes it is split-tunneling, which I have enabled on all my ASA firewalls at work.

Here is a screenshot showing how I only secure routes for the remote networks, and interntet still goes out locally.

this means its working and you can select which routes go through the tunnel and which not?

ReD-MaN · #6 (**permalink**) 12-08-2008, 01:30 PM

Quote:

Originally Posted by gnujuba

this means its working and you can select which routes go through the tunnel and which not?

No, that screenshot is showing how it works on my Cisco gear. When I use the same client to connect to my beta ASG, the only secured network is 0.0.0.0/0.0.0.0 .

ReD-MaN · #7 (**permalink**) 12-08-2008, 01:31 PM

Quote:

Originally Posted by gnujuba

what you mean is called "split tunneling" and can be configured on cisco pix/asa/vpn3k just by defining what network to tunnel(*).

what about your ipsec config on the astaro? what networks did you choose as remote networks (dont know if this is the right word for the networks you want to tunnel).

* ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example - Cisco Systems

I selected my primary internal network, as well as a few internal routed networks.

tom · #8 (**permalink**) 12-09-2008, 01:13 PM

Hi, it seems that using split tunneling requires a Cisco ASA Access Server. We'll look into making this available in the future.

ReD-MaN · #9 (**permalink**) 12-09-2008, 02:06 PM

Quote:

Originally Posted by tom

Hi, it seems that using split tunneling requires a Cisco ASA Access Server. We'll look into making this available in the future.

This works on my older PIX 520 firewalls too running PIX OS 6.3.4.. and they have been EOL for a while now

Oh well, the whole Cisco VPN support is awesome regardless!!!

gnujuba · #10 (**permalink**) 12-09-2008, 02:52 PM

Quote:

Originally Posted by ReD-MaN

Oh well, the whole Cisco VPN support is awesome regardless!!!

I think its cool too - but a bit late

I.e. Cisco will not release a 64bit Vista version of their IPSec VPN Client.
They are moving towards the Any-Connect Client (which supports only SSL VPN at the moment).

But anyway, I really like what I have seen so far from this beta... https scanning, ssl site2site etc...