Craig,

I have done quite a bit of research in this area, and I'm pretty confident
that no product exists that does what you're looking for.  There are plenty of
client-side products that can simply peer with an IPSec gateway using a
shared secret or even a certificate, but as far as I have seen there is no
client product that can interoperate with VPN boxes that provide "extras"
such as client authentication based on userid and password and the passing
of routes to the client for split-tunneling.

The problem is that the IPSec standards bodies, in their infinite wisdom,
chose not to address these issues and simply "punted" the problem to the
vendors.  Given this, someone wishing to create a truly universal VPN client
that can handle all the extras not covered in the RFCs would have to make
the client work with each vendor independently, and then keep up with any
vendor changes, no small task obviously.  On top of these other extras one
could add the ability to do "nat transparency", which is currently
completely proprietary by vendor although there are bodies working on this
particular issue.

It's a good area for some smart coders to develop a product, and perhaps
someone will eventually.  Unfortunately, that doesn't really help you right
now. ;-)

Regards,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Craig Columbus
Sent: Thursday, April 25, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]


Thanks for the responses.

I'm aware of split tunneling with a concentrator.  That's not what I want.
I'm looking for something that lets me connect to any IPSEC compliant
endpoint, whether it's a PIX, a router, or a Linux box.  In other words,
the client shouldn't care what it's connecting to.  It should only care
whether the traffic has a destination within the remote network or not.  If
so, send through tunnel, if not, send to Internet.

Hope this helps clarify.

Thanks!
Craig

At 07:39 PM 4/25/2002 -0400, you wrote:
>You can definitely do this using the Cisco VPN client. This is a policy push
>from the concentrator. If you would like split-tunneling you need to enable
>that on the concentrator to allow the clients to do that.
>
>http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel3_5_1/admin_gd/vca.pdf
>
>Tim
>CCIE 9015
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Craig Columbus
>Sent: Thursday, April 25, 2002 6:25 PM
>To: [EMAIL PROTECTED]
>Subject: Alternatives to Cisco VPN client [7:42604]
>
>
>Let me preface this by saying that all of my VPN experience has been either
>peer-peer or client to peer with the Cisco VPN client 1.x or 3.x.  Please
>ignore my ignorance if I've missed something obvious.
>
>I've got a major complaint with the Cisco VPN client.  It's not smart
>enough to differentiate local traffic/Internet traffic from VPN
>traffic.  Therefore, you can't browse the Internet and your VPN network at
>the same time.
>I'm looking for alternative software clients that are smart enough to say
>"Ok.  Any traffic destined for 10.x.x.x (or whatever you define VPN traffic
>to be) goes to the tunnel.  If the traffic has any destination other than
>10.x.x.x, it's treated as if the tunnel weren't even present."  This would
>allow my client machine to easily browse the Internet and the VPN remote
>network at the same time.
>I've done some preliminary searches for third-party clients, but don't want
>to waste time trying 50 clients that may not be any good.  I've found some
>for Mac OS X that'll do what I want, but I haven't found one for Win
>9x/ME/NT/2K/XP.
>There's got to be a decent client that does this.
>Sorry for rambling.... :-)  It's been a long day.
>
>As usual, thanks in advance to everyone.
>
>Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42652&t=42604
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
