Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
Hi,

On Fri, Aug 29, 2008 at 01:01:41PM +0200, Marc Haber wrote:
> On Fri, Aug 29, 2008 at 08:54:48AM +0800, Brett Looney wrote:
> > > ip access-list extended DefaultrouteWithoutListedNetsTunnel
> > >  deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> > >  permit ip any 10.2.60.0 0.0.0.255
> > >
> > > But packets to 192.168.8.1 still go out through the tunnel.
> >
> > Well, yeah. Because it matches the access list. From the sounds of it,
> > you need to list each local network specifically in the access list so
> > it won't match. <obvious>That will be tricky.</obvious>
>
> The following perl script will generate the appropriate access list:
>
> #!/usr/bin/perl -w
> <snip>

I need to re-hash the issue, I am afraid. As a reminder: I want to use the Cisco VPN Client to connect to an 1841 router (running IOS 12.4(9)T4), while routing everything into the tunnel with the exception of a few nets.

My configuration:

crypto isakmp client configuration group InternClient
 key <snip>
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 pool ippool
 acl DefaultRouteWithoutListedNetsTunnelWorkaround

ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround
 remark - this should be deny ip 10.20.30.0 0.0.0.31 any
 remark - this should be deny ip 10.1.10.0 0.0.0.255 any
 remark - this should be deny ip 192.168.8.0 0.0.0.255 any
 permit ip 0.0.0.0 7.255.255.255 any
 permit ip 8.0.0.0 1.255.255.255 any
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 10.1.0.0 0.0.7.255 any
 permit ip 10.1.8.0 0.0.1.255 any
 permit ip 10.1.11.0 0.0.0.255 any
 permit ip 10.1.12.0 0.0.3.255 any
 <snip>

Unfortunately, the ACL cannot contain any deny statements (evaluation seems to stop after the first deny), so I wrote a script to generate an access list that permits everything but the few nets. However, it looks like only the first 50 entries of the ACL are actually transmitted to the client and show up in its routing table, so everything permitted in the late steps of the ACL ends up outside of the tunnel.

Is there any possibility to increase that 50 limit?
Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
An easier solution if you really need to go down that path is to allow all down the vpn (no split tunnel) and have static persistent routes on the client, set up a script or something.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Looney
Sent: Friday, 29 August 2008 10:25 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

> So that would be
>
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
>  deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
>  permit ip any 10.2.60.0 0.0.0.255
>
> But packets to 192.168.8.1 still go out through the tunnel.

Well, yeah. Because it matches the access list. From the sounds of it, you need to list each local network specifically in the access list so it won't match. <obvious>That will be tricky.</obvious>

B.
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
On Fri, Aug 29, 2008 at 04:50:49PM +0930, Ben Steele wrote:
> An easier solution if you really need to go down that path is to allow
> all down the vpn (no split tunnel) and have static persistent routes on
> the client, setup a script or something.

Since the client keeps its routing table including the route for the local network, I guess that the VPN Client interferes with the routing in some way.

Greetings
Marc
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
On Fri, Aug 29, 2008 at 08:54:48AM +0800, Brett Looney wrote:
> > ip access-list extended DefaultrouteWithoutListedNetsTunnel
> >  deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> >  permit ip any 10.2.60.0 0.0.0.255
> >
> > But packets to 192.168.8.1 still go out through the tunnel.
>
> Well, yeah. Because it matches the access list. From the sounds of it,
> you need to list each local network specifically in the access list so
> it won't match. <obvious>That will be tricky.</obvious>

The following perl script will generate the appropriate access list:

#!/usr/bin/perl -w
use strict;
use Net::Netmask;

# The whole IPv4 space; the access list must permit all of it except @blocks.
my $all = new Net::Netmask("0.0.0.0/0");
# Networks that must stay out of the tunnel.
my @blocks = ("10.20.30.0/27", "10.1.10.0/24", "192.168.8.0/24");
my @blocklist = ();

foreach my $block ( @blocks ) {
  my $new = new Net::Netmask($block);
  push(@blocklist, $new);
}

print "no ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround\n";
print "ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround\n";
# Denies are only recorded as remarks; the exclusion is done by not permitting them.
foreach my $block ( @blocklist ) {
  print " remark - this should be deny ip " . $block->base . " " . $block->hostmask . " any\n";
}
# cidrs2inverse() returns the blocks of $all that are not covered by @blocklist;
# ->hostmask is the inverse (wildcard) mask IOS expects in an ACL.
foreach my $block ( cidrs2inverse( $all, @blocklist ) ) {
  print " permit ip " . $block->base . " " . $block->hostmask . " any\n";
}

and the access list seems to do the job. I didn't try in detail, but it looks like the first deny statement in the access list makes evaluation stop.

We'll see how this wrecks performance ;)

Greetings
Marc
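The same "permit everything except the listed nets" list, as an added example that is not code from the thread (Python with only the standard library, in place of Marc's Perl and Net::Netmask). It also models what Marc reports in his later re-hash of the issue: only the first 50 ACL entries reach the VPN Client, so it checks which destinations would still be tunneled under that cut-off. The ACL name and the three excluded networks are the ones Marc posted; the test destinations and the assumption that truncation happens in ACL order are mine.

```python
"""Added example (not code from the thread): the 'everything except a few
nets' split-tunnel ACL that Marc's Perl script builds, done with Python's
standard library, plus a check of what the VPN Client would see if, as Marc
reports, only the first 50 ACL entries are pushed to it."""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# Marc's @blocks list from the thread: networks that must stay out of the tunnel.
EXCLUDED = ["10.20.30.0/27", "10.1.10.0/24", "192.168.8.0/24"]
ACL_NAME = "DefaultRouteWithoutListedNetsTunnelWorkaround"
# Observed in the thread: only this many entries reach the client.
CLIENT_ACL_LIMIT = 50


def inverse_cidrs(excluded: Iterable[str], universe: str = "0.0.0.0/0") -> List[IPv4Net]:
    """Minimal CIDR cover of `universe` minus `excluded`, sorted by address
    (the job Net::Netmask's cidrs2inverse() does in the Perl script)."""
    remaining = [ipaddress.ip_network(universe)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        carved: List[IPv4Net] = []
        for net in remaining:
            if ex.subnet_of(net):
                # address_exclude yields the sibling blocks along the path
                # from `net` down to `ex`; `ex` itself is dropped.
                carved.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # entirely inside an excluded block
            else:
                carved.append(net)
        remaining = carved
    return sorted(remaining)


def wildcard(net: IPv4Net) -> str:
    """IOS ACL syntax wants 'network inverse-mask'; the inverse mask is the host mask."""
    return f"{net.network_address} {net.hostmask}"


def split_tunnel_acl(name: str, excluded: Iterable[str]) -> List[str]:
    """IOS lines for an ACL that permits every destination except `excluded`.
    Only permits are emitted: Marc found that the client-configuration ACL
    stops being honoured at the first deny, so exclusions are expressed by
    omission and noted as remarks."""
    excluded = list(excluded)
    lines = [f"no ip access-list extended {name}",
             f"ip access-list extended {name}"]
    for ex in excluded:
        lines.append(f" remark - this should be deny ip {wildcard(ipaddress.ip_network(ex))} any")
    for net in inverse_cidrs(excluded):
        lines.append(f" permit ip {wildcard(net)} any")
    return lines


def pushed_networks(excluded: Iterable[str], limit: int = CLIENT_ACL_LIMIT) -> List[IPv4Net]:
    """Networks the client actually receives if the router sends only the
    first `limit` entries (assumption: truncation happens in ACL order)."""
    return inverse_cidrs(excluded)[:limit]


def is_tunneled(dst: str, pushed: Iterable[IPv4Net]) -> bool:
    """Client view: traffic enters the tunnel only if a pushed network covers it."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in pushed)


def covered_addresses(nets: Iterable[IPv4Net]) -> int:
    """Sanity check for the cover: total address count of the permit blocks."""
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    acl = split_tunnel_acl(ACL_NAME, EXCLUDED)
    print("\n".join(acl))
    permits = inverse_cidrs(EXCLUDED)
    print(f"\n{len(permits)} permit entries; client limit is {CLIENT_ACL_LIMIT}")
    pushed = pushed_networks(EXCLUDED)
    # Constructed test destinations: a server behind the VPN, the home printer,
    # and an Internet host in documentation space.
    for dst in ("10.2.60.5", "192.168.8.1", "203.0.113.9"):
        print(f"{dst:>14}: full list -> {is_tunneled(dst, permits)!s:5}  "
              f"first {CLIENT_ACL_LIMIT} -> {is_tunneled(dst, pushed)}")
```

For Marc's three exclusions the cover needs 60 permit entries (each excluded prefix contributes one sibling block per bit of its prefix length, minus the bits the prefixes share), so the list overruns a 50-entry limit by ten: destinations covered only by the last entries, such as anything in 200.0.0.0/5, would leave the client unencrypted even though the router's ACL permits them. Counting `inverse_cidrs()` before deploying is the cheap check; the first seven entries it produces are exactly the ones in Marc's posted ACL.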
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
By default it will disable local lan access but that can be enabled easily and so can routes to other lans, anything with a more specific prefix than a default route will take precedence over the vpn client.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Haber
Sent: Friday, 29 August 2008 8:30 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

On Fri, Aug 29, 2008 at 04:50:49PM +0930, Ben Steele wrote:
> An easier solution if you really need to go down that path is to allow
> all down the vpn (no split tunnel) and have static persistent routes on
> the client, setup a script or something.

Since the client keeps its routing table including the route for the local network, I guess that the VPN Client interferes with the routing in some way.

Greetings
Marc
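Ben's alternative (full tunnel, plus persistent static routes on the client) rests on longest-prefix matching: a /24 for the home LAN beats the 0.0.0.0/0 the VPN Client installs. The following is an added example, not code from the thread, that models that decision with a minimal route table and emits the persistent Windows routes a client-side script would add. The VPN peer address is the 1841's interface address from Marc's config; the LAN gateway, the interface labels and the test destinations are constructed.

```python
"""Added example (not code from the thread): a minimal longest-prefix-match
route table to show Ben's point that a more specific route on the client
beats the default route the VPN Client installs, and to emit the persistent
Windows routes his 'script or something' would add.  The LAN gateway,
labels and test hosts below are constructed for the example."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, where traffic is sent)


class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, via: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), via))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match: of all routes covering dst, the one with the
        longest prefix wins, so a /24 always beats 0.0.0.0/0."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for net, via in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None


VPN_PEER = "172.26.248.10"      # the 1841's FastEthernet0/0 address from Marc's config
LAN_GATEWAY = "192.168.8.254"   # constructed: the teleworker's home router


def full_tunnel_table() -> RouteTable:
    """Client with no split-tunnel list: the default route points into the
    tunnel.  A host route to the VPN peer itself has to stay on the LAN,
    otherwise the encrypted packets could never leave the machine."""
    t = RouteTable()
    t.add("0.0.0.0/0", "tunnel")
    t.add(f"{VPN_PEER}/32", "lan")
    return t


def with_persistent_local_routes(local_nets: List[str]) -> RouteTable:
    """Ben's alternative: full tunnel plus static routes for the local nets."""
    t = full_tunnel_table()
    for net in local_nets:
        t.add(net, "lan")
    return t


def windows_route_commands(local_nets: List[str], gateway: str = LAN_GATEWAY) -> List[str]:
    """'route -p ADD' lines (persistent across reboots) a client-side script
    could run; the gateway is the LAN router, not the VPN adapter."""
    cmds = []
    for net in local_nets:
        n = ipaddress.ip_network(net)
        cmds.append(f"route -p ADD {n.network_address} MASK {n.netmask} {gateway}")
    return cmds


def decisions(table: RouteTable, dsts: List[str]) -> Dict[str, Optional[str]]:
    return {d: table.lookup(d) for d in dsts}


if __name__ == "__main__":
    # Constructed: the home printer, a server behind the VPN, an Internet host.
    dsts = ["192.168.8.1", "10.2.60.5", "203.0.113.9"]
    print("full tunnel:      ", decisions(full_tunnel_table(), dsts))
    print("with local routes:", decisions(with_persistent_local_routes(["192.168.8.0/24"]), dsts))
    print("\n".join(windows_route_commands(["192.168.8.0/24"])))
```

This models plain OS forwarding only. Marc's own observation in the message quoted above is the caveat: the local route stayed in his client's table and the traffic still left in ESP, so on that client something sits in front of the routing table; whether a persistent route is honoured has to be verified with a capture on the LAN side, not inferred from `route print`.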
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
On Thu, Aug 28, 2008 at 08:50:32AM +0800, Brett Looney wrote:
> So this is the issue (sorry - should have looked at this earlier) - you
> need to put a list of networks here that the client can access. And
> just to be confusing, the ACL is from the router's perspective as if
> the traffic is outbound. So, if the pool of IP addresses that you're
> handing out to the clients is 10.100.100.0/24 then that needs to be the
> destination address in the ACL ala:
>
> ip access-list extended DefaultrouteTunnel
>  permit x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
>  permit y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255

So that would be

ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
 permit ip any 10.2.60.0 0.0.0.255

But packets to 192.168.8.1 still go out through the tunnel.

Greetings
Marc
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
On Wed, Aug 27, 2008 at 07:38:22PM -0700, Michael K. Smith wrote:
> Unless I'm misreading your intent, it looks like what you are trying to
> accomplish is split-tunneling, such that only traffic from your
> VPN-connected Windows machines and your protected net is getting
> tunneled, while everything else is handled outside the tunnel.

My intent is to have _everything_ in the tunnel, with the exception of a handful of networks.

Greetings
Marc
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
Hello Marc:

> > ip access-list extended DefaultrouteTunnel
> >  permit x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
> >  permit y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255
>
> So that would be
>
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
>  deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
>  permit ip any 10.2.60.0 0.0.0.255
>
> But packets to 192.168.8.1 still go out through the tunnel.

According to your first configuration email the ACL you should use is DefaultRouteTunnel, not DefaultrouteWithoutListedNetsTunnel.

<original config>
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel

ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 192.168.8.0 0.0.0.255 any
 permit ip any any
</original config>

If you change the client config to 'acl DefaultrouteWithoutListedNetsTunnel' using your original parameters you should be all set.

Regards,

Mike
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
On Thu, Aug 28, 2008 at 11:30:29AM -0700, Michael K. Smith - Adhost wrote:
> Hello Marc:
>
> > > ip access-list extended DefaultrouteTunnel
> > >  permit x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
> > >  permit y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255
> >
> > So that would be
> >
> > ip access-list extended DefaultrouteWithoutListedNetsTunnel
> >  deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> >  permit ip any 10.2.60.0 0.0.0.255
> >
> > But packets to 192.168.8.1 still go out through the tunnel.
>
> According to your first configuration email the ACL you should use is
> DefaultRouteTunnel, not DefaultrouteWithoutListedNetsTunnel.

I have of course changed the acl statement.

> If you change the client config to 'acl DefaultrouteWithoutListedNetsTunnel'
> using your original parameters you should be all set.

NACK. Doesn't work.

Greetings
Marc
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
Hello Marc:

> > > ip access-list extended DefaultrouteWithoutListedNetsTunnel
> > >  deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> > >  permit ip any 10.2.60.0 0.0.0.255
> > >
> > > But packets to 192.168.8.1 still go out through the tunnel.
> >
> > According to your first configuration email the ACL you should use is
> > DefaultRouteTunnel, not DefaultrouteWithoutListedNetsTunnel.
>
> I have of course changed the acl statement.
>
> > If you change the client config to 'acl DefaultrouteWithoutListedNetsTunnel'
> > using your original parameters you should be all set.
>
> NACK. Doesn't work.

If the clients are on 192.168.8.0/24 and the servers are on 10.2.60.0/24, try this:

ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 10.2.60.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip any any

Regards,

Mike
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
> So that would be
>
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
>  deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
>  permit ip any 10.2.60.0 0.0.0.255
>
> But packets to 192.168.8.1 still go out through the tunnel.

Well, yeah. Because it matches the access list. From the sounds of it, you need to list each local network specifically in the access list so it won't match. <obvious>That will be tricky.</obvious>

B.
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
On Tue, Aug 26, 2008 at 10:20:25AM -0500, Ge Moua wrote:
> Sounds like a routing issue, is your ippool handing out IP addr to the
> clients.

The IP Pool is sending out addresses to the clients, and the client is visible in the tunnel with the assigned IP address. When I ping an address on the target network, I see the packet coming out of the tunnel.

> I recently set a similar config on a 1811 and this works fine. I can
> send you the working config if you're interested.

That would be great, I'd appreciate that.

Greetings
Marc
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
On Wed, Aug 27, 2008 at 08:08:08AM +0800, Brett Looney wrote:
> > With this configuration, a client cannot communicate at all outside
> > the tunnel, which is a desired feature in this setup. OTOH, some
> > teleworkers would appreciate to be able to talk to their networked
> > printers on the local LANs.
>
> It's been a while but from memory you need to put the include-local-lan
> setting into the client configuration group to do this. HTH.

It now says

crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
 include-local-lan

and when I ping 192.168.8.1, I still see the packet going out encapsulated in ESP instead of unencrypted on the LAN (the Client's LAN ip is 192.168.8.184/24).

Additionally, I'd rather have a white list of IP ranges that can still be reached without encryption to not expose clients in public networks.

Greetings
Marc
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
> It now says
>
> crypto isakmp client configuration group InternClient
>  key onsh4OcyivOafmyodzet
>  dns 10.1.2.11 10.1.2.15
>  wins 10.1.2.11 10.1.2.15
>  domain example.com
>  pool ippool
>  acl DefaultrouteTunnel
>  include-local-lan
>
> and when I ping 192.168.8.1, I still see the packet going out
> encapsulated in ESP instead of unencrypted on the LAN (the Client's LAN
> ip is 192.168.8.184/24).

Hmmm. Interesting. What does your DefaultrouteTunnel ACL look like?

Wait - just dug up your old email:

> ip access-list extended DefaultrouteTunnel
>  permit ip any any

So this is the issue (sorry - should have looked at this earlier) - you need to put a list of networks here that the client can access. And just to be confusing, the ACL is from the router's perspective as if the traffic is outbound. So, if the pool of IP addresses that you're handing out to the clients is 10.100.100.0/24 then that needs to be the destination address in the ACL ala:

ip access-list extended DefaultrouteTunnel
 permit x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
 permit y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255

HTH.

B.
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
Hello Marc:

Unless I'm misreading your intent, it looks like what you are trying to accomplish is split-tunneling, such that only traffic from your VPN-connected Windows machines and your protected net is getting tunneled, while everything else is handled outside the tunnel. If this is correct, take a look at:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml

Regards,

Mike

On 8/26/08 7:01 AM, "Marc Haber" [EMAIL PROTECTED] wrote:

> Hi,
>
> this is strictly a client issue and not appropriate for cisco-nsp, but I
> haven't found any mailing list with this clue level for other
> cisco-related aspects. If there is one, I'd like to learn about it.
>
> I have a bunch of Windows clients with the Cisco VPN Client 5.0.01.0600
> and an 1841 running IOS 12.4(9)T4. My configuration is as follows:
>
> aaa new-model
> !
> aaa authentication login default local
> aaa authentication login userauthen local
> aaa authentication login localauth local
> aaa authorization exec default local
> aaa authorization network groupauthor local
> !
> aaa session-id common
> !
> resource policy
> !
> ip cef
> !
> username marc.haber privilege 15 secret 5 <snip>
> !
> crypto isakmp policy 3
>  encr aes 256
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group InternClient
>  key onsh4OcyivOafmyodzet
>  dns 10.1.2.11 10.1.2.15
>  wins 10.1.2.11 10.1.2.15
>  domain example.com
>  pool ippool
>  acl DefaultrouteTunnel
> !
> !
> crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
> !
> crypto dynamic-map InternDynmap 10
>  set transform-set InternTransformSet
>  reverse-route
> !
> !
> crypto map InternClientMap client authentication list userauthen
> crypto map InternClientMap isakmp authorization list groupauthor
> crypto map InternClientMap client configuration address respond
> crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
> !
> interface FastEthernet0/0
>  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
>  ip address 172.26.248.10 255.255.255.248
>  duplex auto
>  speed auto
>  crypto map InternClientMap
> !
> ip access-list extended DefaultrouteTunnel
>  permit ip any any
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
>  deny ip 192.168.8.0 0.0.0.255 any
>  permit ip any any
> !
>
> With this configuration, a client cannot communicate at all outside the
> tunnel, which is a desired feature in this setup. OTOH, some teleworkers
> would appreciate to be able to talk to their networked printers on the
> local LANs.
>
> I have received the advice of adding the local networks of all
> teleworkers to an access list, which has resulted in the
> DefaultrouteWithoutListedNetsTunnel ACL. But this does not seem to work,
> traffic for 192.168.8.3 still goes into the tunnel after I changed the
> acl reference in the crypto isakmp client configuration group
> InternClient. Also, I do not see any changes in the Windows client's
> routing tables.
>
> Can someone advise what I am doing wrong here?
>
> Additionally, do I really need to exclude all local networks of all
> teleworkers in the global configuration, or is it possible to control
> this on a per-client basis?
>
> All web-based documentation I have found deals with the VPN Concentrator
> series which do not seem to use IOS - at least I cannot make sense of
> the advice found there in my configuration.
>
> Any hints will be appreciated.
>
> Greetings
> Marc
[c-nsp] VPN Client to 1841, default route into tunnel with exceptions
Hi,

this is strictly a client issue and not appropriate for cisco-nsp, but I haven't found any mailing list with this clue level for other cisco-related aspects. If there is one, I'd like to learn about it.

I have a bunch of Windows clients with the Cisco VPN Client 5.0.01.0600 and an 1841 running IOS 12.4(9)T4. My configuration is as follows:

aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login localauth local
aaa authorization exec default local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
username marc.haber privilege 15 secret 5 <snip>
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
!
!
crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
!
crypto dynamic-map InternDynmap 10
 set transform-set InternTransformSet
 reverse-route
!
!
crypto map InternClientMap client authentication list userauthen
crypto map InternClientMap isakmp authorization list groupauthor
crypto map InternClientMap client configuration address respond
crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 172.26.248.10 255.255.255.248
 duplex auto
 speed auto
 crypto map InternClientMap
!
ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 192.168.8.0 0.0.0.255 any
 permit ip any any
!

With this configuration, a client cannot communicate at all outside the tunnel, which is a desired feature in this setup. OTOH, some teleworkers would appreciate to be able to talk to their networked printers on the local LANs.

I have received the advice of adding the local networks of all teleworkers to an access list, which has resulted in the DefaultrouteWithoutListedNetsTunnel ACL. But this does not seem to work, traffic for 192.168.8.3 still goes into the tunnel after I changed the acl reference in the crypto isakmp client configuration group InternClient. Also, I do not see any changes in the Windows client's routing tables.

Can someone advise what I am doing wrong here?

Additionally, do I really need to exclude all local networks of all teleworkers in the global configuration, or is it possible to control this on a per-client basis?

All web-based documentation I have found deals with the VPN Concentrator series which do not seem to use IOS - at least I cannot make sense of the advice found there in my configuration.

Any hints will be appreciated.

Greetings
Marc
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
Sounds like a routing issue, is your ippool handing out IP addr to the clients.

I recently set a similar config on a 1811 and this works fine. I can send you the working config if you're interested.

Regards,

Ge Moua | Email: [EMAIL PROTECTED]
Network Design Engineer
University of Minnesota | Networking Telecommunications Services

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Haber
Sent: Tuesday, August 26, 2008 9:01 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VPN Client to 1841,default route into tunnel with exceptions

Hi,

this is strictly a client issue and not appropriate for cisco-nsp, but I haven't found any mailing list with this clue level for other cisco-related aspects. If there is one, I'd like to learn about it.

I have a bunch of Windows clients with the Cisco VPN Client 5.0.01.0600 and an 1841 running IOS 12.4(9)T4. My configuration is as follows:

aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login localauth local
aaa authorization exec default local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
username marc.haber privilege 15 secret 5 <snip>
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
!
!
crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
!
crypto dynamic-map InternDynmap 10
 set transform-set InternTransformSet
 reverse-route
!
!
crypto map InternClientMap client authentication list userauthen
crypto map InternClientMap isakmp authorization list groupauthor
crypto map InternClientMap client configuration address respond
crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 172.26.248.10 255.255.255.248
 duplex auto
 speed auto
 crypto map InternClientMap
!
ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 192.168.8.0 0.0.0.255 any
 permit ip any any
!

With this configuration, a client cannot communicate at all outside the tunnel, which is a desired feature in this setup. OTOH, some teleworkers would appreciate to be able to talk to their networked printers on the local LANs.

I have received the advice of adding the local networks of all teleworkers to an access list, which has resulted in the DefaultrouteWithoutListedNetsTunnel ACL. But this does not seem to work, traffic for 192.168.8.3 still goes into the tunnel after I changed the acl reference in the crypto isakmp client configuration group InternClient. Also, I do not see any changes in the Windows client's routing tables.

Can someone advise what I am doing wrong here?

Additionally, do I really need to exclude all local networks of all teleworkers in the global configuration, or is it possible to control this on a per-client basis?

All web-based documentation I have found deals with the VPN Concentrator series which do not seem to use IOS - at least I cannot make sense of the advice found there in my configuration.

Any hints will be appreciated.

Greetings
Marc
Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
> With this configuration, a client cannot communicate at all outside the
> tunnel, which is a desired feature in this setup. OTOH, some teleworkers
> would appreciate to be able to talk to their networked printers on the
> local LANs.

It's been a while but from memory you need to put the include-local-lan setting into the client configuration group to do this. HTH.

B.