Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-10-17 Thread Marc Haber
Hi,

On Fri, Aug 29, 2008 at 01:01:41PM +0200, Marc Haber wrote:
 On Fri, Aug 29, 2008 at 08:54:48AM +0800, Brett Looney wrote:
   ip access-list extended DefaultrouteWithoutListedNetsTunnel
    deny   ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
    permit ip any 10.2.60.0 0.0.0.255
  
   But packets to 192.168.8.1 still go out through the tunnel.
  
  Well, yeah. Because it matches the access list. From the sounds of it, you
  need to list each local network specifically in the access list so it won't
  match. <obvious>That will be tricky.</obvious>
 
 The following perl script will generate the appropriate access list:
 #!/usr/bin/perl -w

<snip>

I need to re-hash the issue, I am afraid. As a reminder: I want to use
the Cisco VPN Client to connect to an 1841 router (running IOS
12.4(9)T4), while routing everything into the tunnel with the
exception of a few nets. My configuration:

crypto isakmp client configuration group InternClient
 key <snip>
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 pool ippool
 acl DefaultRouteWithoutListedNetsTunnelWorkaround

ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround
 remark - this should be deny ip 10.20.30.0 0.0.0.31 any
 remark - this should be deny ip 10.1.10.0 0.0.0.255 any
 remark - this should be deny ip 192.168.8.0 0.0.0.255 any
 permit ip 0.0.0.0 7.255.255.255 any
 permit ip 8.0.0.0 1.255.255.255 any
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 10.1.0.0 0.0.7.255 any
 permit ip 10.1.8.0 0.0.1.255 any
 permit ip 10.1.11.0 0.0.0.255 any
 permit ip 10.1.12.0 0.0.3.255 any
<snip>

Unfortunately, the ACL cannot contain any deny statements
(evaluation seems to stop after the first deny), so I wrote a script
to generate an access list that permits everything but the few nets.

However, it looks like only the first 50 entries of the ACL are
actually transmitted to the client and show up in its routing table,
so everything permitted in the late steps of the ACL ends up
outside of the tunnel.

Is there any possibility to increase that 50 limit?

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-29 Thread Ben Steele
An easier solution if you really need to go down that path is to allow all
down the vpn (no split tunnel) and have static persistent routes on the
client, setup a script or something.



Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-29 Thread Marc Haber
On Fri, Aug 29, 2008 at 04:50:49PM +0930, Ben Steele wrote:
 An easier solution if you really need to go down that path is to allow all
 down the vpn (no split tunnel) and have static persistent routes on the
 client, setup a script or something.

Since the client keeps its routing table including the route for the
local network, I guess that the VPN Client interferes with the routing
in some way.

Greetings
Marc



Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-29 Thread Marc Haber
On Fri, Aug 29, 2008 at 08:54:48AM +0800, Brett Looney wrote:
  ip access-list extended DefaultrouteWithoutListedNetsTunnel
   deny   ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
   permit ip any 10.2.60.0 0.0.0.255
 
  But packets to 192.168.8.1 still go out through the tunnel.
 
 Well, yeah. Because it matches the access list. From the sounds of it, you
 need to list each local network specifically in the access list so it won't
  match. <obvious>That will be tricky.</obvious>

The following perl script will generate the appropriate access list:
#!/usr/bin/perl -w

use strict;
use Net::Netmask;

# Everything, minus the nets that must stay outside the tunnel.
my $all    = new Net::Netmask("0.0.0.0/0");
my @blocks = ("10.20.30.0/27", "10.1.10.0/24", "192.168.8.0/24");

my @blocklist = ();

foreach my $block (@blocks) {
    my $new = new Net::Netmask($block);
    push(@blocklist, $new);
}

print "no ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround\n";
print "ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround\n";
# Exclusions as remarks only; a real deny seems to stop ACL evaluation (see below).
foreach my $block (@blocklist) {
    print " remark - this should be deny ip " . $block->base . " " . $block->hostmask . " any\n";
}

# cidrs2inverse() returns the CIDR blocks covering $all minus @blocklist;
# hostmask() is the wildcard mask IOS expects.
foreach my $block (cidrs2inverse($all, @blocklist)) {
    print " permit ip " . $block->base . " " . $block->hostmask . " any\n";
}

and the access list seems to do the job. I didn't try in detail, but
it looks like the first deny statement in the access list makes
evaluation stop.

We'll see how this wrecks performance ;)

Greetings
Marc

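Added example, not code from the thread or from Marc's script: a Python counterpart to the Perl generator above, using only the standard library's ipaddress module. Beyond emitting the same permit-only ACL it checks two things the thread raises but the Perl script does not: that the permit blocks plus the excluded nets tile 0.0.0.0/0 exactly once (no gap, no overlap, so nothing leaks out of the tunnel by accident), and how many entries the result has against the 50-entry cut-off Marc later observed the VPN Client receiving (the 2008-10-17 message at the top). The ACL name and the three excluded nets are taken from the thread; the 50 limit is Marc's observation, not a documented IOS figure, and the function and variable names are this example's own.

```python
import ipaddress

# Names from the thread; the limit is Marc's observation, not a documented figure.
ACL_NAME = "DefaultRouteWithoutListedNetsTunnelWorkaround"
CLIENT_ENTRY_LIMIT = 50
# Nets that must stay outside the tunnel (the three from the Perl script).
EXCLUDED = ["10.20.30.0/27", "10.1.10.0/24", "192.168.8.0/24"]


def inverse_blocks(excluded, universe="0.0.0.0/0"):
    """Minimal CIDR blocks covering `universe` minus `excluded`, sorted by
    address: the same job Net::Netmask's cidrs2inverse does in the Perl."""
    remaining = [ipaddress.ip_network(universe)]
    for net in sorted(ipaddress.ip_network(e) for e in excluded):
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                # Split block down to net; yields the sibling of every
                # ancestor of net below block, which is the minimal cover.
                carved.extend(block.address_exclude(net))
            elif block.subnet_of(net):
                continue  # already inside a larger exclusion: drop it
            else:
                carved.append(block)
        remaining = carved
    return sorted(remaining)


def acl_entry(action, net, dst="any"):
    """One IOS extended-ACL line; the wildcard is the inverted netmask."""
    return f" {action} ip {net.network_address} {net.hostmask} {dst}"


def render_acl(excluded, name=ACL_NAME):
    """The ACL as the Perl script prints it: the exclusions as remarks only
    (a real deny seems to stop evaluation), then one permit per block."""
    lines = [f"no ip access-list extended {name}",
             f"ip access-list extended {name}"]
    for net in (ipaddress.ip_network(e) for e in excluded):
        lines.append(" remark - this should be" + acl_entry("deny", net))
    lines.extend(acl_entry("permit", n) for n in inverse_blocks(excluded))
    return lines


def check_coverage(excluded):
    """True if the permit blocks plus the excluded nets tile the whole IPv4
    space exactly once: no destination is lost and none is matched twice."""
    excl = ipaddress.collapse_addresses(ipaddress.ip_network(e) for e in excluded)
    nets = sorted(inverse_blocks(excluded) + list(excl))
    complete = sum(n.num_addresses for n in nets) == 2 ** 32
    disjoint = not any(a.overlaps(b) for a, b in zip(nets, nets[1:]))
    return complete and disjoint


def matching_entries(excluded, dst):
    """Permit entries matching a destination: exactly one for a tunnelled
    address, none for an address inside an excluded net."""
    addr = ipaddress.ip_address(dst)
    return [n for n in inverse_blocks(excluded) if addr in n]


def client_view(excluded, limit=CLIENT_ENTRY_LIMIT):
    """Split the permits into what the client gets if only the first `limit`
    entries are pushed, and what silently falls off the end."""
    permits = inverse_blocks(excluded)
    return permits[:limit], permits[limit:]


if __name__ == "__main__":
    print("\n".join(render_acl(EXCLUDED)))
    pushed, dropped = client_view(EXCLUDED)
    print(f"! {len(pushed) + len(dropped)} permit entries, "
          f"coverage ok: {check_coverage(EXCLUDED)}")
    for net in dropped:
        print(f"! entry beyond {CLIENT_ENTRY_LIMIT}, stays outside the tunnel: {net}")
```

For the three nets in the thread the inverse needs 60 permit entries, so with a 50-entry cut-off the script reports the last ten (192.170.0.0/15 up to 224.0.0.0/3, by address order) as never reaching the client; a destination in one of those, say 198.51.100.1, then stays outside the tunnel, which is the failure Marc describes.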


Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-29 Thread Ben Steele
By default it will disable local lan access but that can be enabled easily
and so can routes to other lans, anything with a more specific prefix than a
default route will take precedence over the vpn client.



Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-28 Thread Marc Haber
On Thu, Aug 28, 2008 at 08:50:32AM +0800, Brett Looney wrote:
 So this is the issue (sorry - should have looked at this earlier) - you need
 to put a list of networks here that the client can access. And just to be
 confusing, the ACL is from the router's perspective as if the traffic is
 outbound. So, if the pool of IP addresses that you're handing out to the
 clients is 10.100.100.0/24 then that needs to be the destination address in
 the ACL ala:
 
  ip access-list extended DefaultrouteTunnel
   permit ip x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
   permit ip y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255

So that would be

ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny   ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
 permit ip any 10.2.60.0 0.0.0.255

But packets to 192.168.8.1 still go out through the tunnel.

Greetings
Marc



Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-28 Thread Marc Haber
On Wed, Aug 27, 2008 at 07:38:22PM -0700, Michael K. Smith wrote:
 Unless I'm misreading your intent, it looks like what you are trying to
 accomplish is split-tunneling, such that only traffic from your
 VPN-connected Windows machines and your protected net is getting tunneled,
 while everything else is handled outside the tunnel.

My intent is to have _everything_ in the tunnel, with the exception of
a handful of networks.

Greetings
Marc



Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-28 Thread Michael K. Smith - Adhost
Hello Marc:

 
   ip access-list extended DefaultrouteTunnel
    permit ip x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
    permit ip y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255
 
 So that would be
 
 ip access-list extended DefaultrouteWithoutListedNetsTunnel
  deny   ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
  permit ip any 10.2.60.0 0.0.0.255
 
 But packets to 192.168.8.1 still go out through the tunnel.
 

According to your first configuration email the ACL you should use is 
DefaultRouteTunnel, not DefaultrouteWithoutListedNetsTunnel.

<original config>
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel

ip access-list extended DefaultrouteTunnel  
permit ip any any 
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny   ip 192.168.8.0 0.0.0.255 any
 permit ip any any
</original config>

If you change the client config to 'acl DefaultrouteWithoutListedNetsTunnel' 
using your original parameters you should be all set.

Regards,

Mike



Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-28 Thread Marc Haber
On Thu, Aug 28, 2008 at 11:30:29AM -0700, Michael K. Smith - Adhost wrote:
 Hello Marc:
 
  
    ip access-list extended DefaultrouteTunnel
     permit ip x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
     permit ip y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255
  
  So that would be
  
  ip access-list extended DefaultrouteWithoutListedNetsTunnel
   deny   ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
   permit ip any 10.2.60.0 0.0.0.255
  
  But packets to 192.168.8.1 still go out through the tunnel.
  
 
 According to your first configuration email the ACL you should use is
 DefaultRouteTunnel, not DefaultrouteWithoutListedNetsTunnel.

I have of course changed the acl statement.

 If you change the client config to 'acl
 DefaultrouteWithoutListedNetsTunnel' using your original parameters
 you should be all set.

NACK. Doesn't work.

Greetings
Marc



Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-28 Thread Michael K. Smith - Adhost
Hello Marc:
   ip access-list extended DefaultrouteWithoutListedNetsTunnel
deny   ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
permit ip any 10.2.60.0 0.0.0.255
  
   But packets to 192.168.8.1 still go out through the tunnel.
  
 
  According to your first configuration email the ACL you should use is
  DefaultRouteTunnel, not DefaultrouteWithoutListedNetsTunnel.
 
 I have of course changed the acl statement.
 
  If you change the client config to 'acl
  DefaultrouteWithoutListedNetsTunnel' using your original parameters
  you should be all set.
 
 NACK. Doesn't work.
 

If the clients are on 192.168.8.0/24 and the servers are on 10.2.60.0/24, try 
this:

ip access-list extended DefaultrouteWithoutListedNetsTunnel
deny   ip 10.2.60.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip any any

Regards,

Mike



Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-28 Thread Brett Looney
 So that would be
 
 ip access-list extended DefaultrouteWithoutListedNetsTunnel
  deny   ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
  permit ip any 10.2.60.0 0.0.0.255

 But packets to 192.168.8.1 still go out through the tunnel.

Well, yeah. Because it matches the access list. From the sounds of it, you
need to list each local network specifically in the access list so it won't
match. <obvious>That will be tricky.</obvious>

B.


Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-27 Thread Marc Haber
On Tue, Aug 26, 2008 at 10:20:25AM -0500, Ge Moua wrote:
 Sounds like a routing issue, is your ippool handling out IP addr to the
 clients.

The IP Pool is sending out addresses to the clients, and the client is
visible in the tunnel with the assigned IP address. When I ping an
address on the target network, I see the packet coming out of the
tunnel.

   I recently set a similar config on a 1811 and this works fine.  I
   can send you the working config if you're interested. 

That would be great, I'd appreciate that.

Greetings
Marc



Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-27 Thread Marc Haber
On Wed, Aug 27, 2008 at 08:08:08AM +0800, Brett Looney wrote:
  With this configuration, a client cannot communicate at all
  outside the tunnel, which is a desired feature in this setup.
  OTOH, some teleworkers would appreciate to be able to talk to
  their networked printers on the local LANs.
 
 It's been a while but from memory you need to put the include-local-lan
 setting into the client configuration group to do this. HTH.

It now says

crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
 include-local-lan

and when I ping 192.168.8.1, I still see the packet going out
encapsulated in ESP instead of unencrypted on the LAN (the Client's
LAN ip is 192.168.8.184/24).

Additionally, I'd rather have a white list of IP ranges that can still
be reached without encryption to not expose clients in public networks.

Greetings
Marc



Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-27 Thread Brett Looney
 It now says
 
 crypto isakmp client configuration group InternClient
  key onsh4OcyivOafmyodzet
  dns 10.1.2.11 10.1.2.15
  wins 10.1.2.11 10.1.2.15
  domain example.com
  pool ippool
  acl DefaultrouteTunnel
  include-local-lan
 
 and when I ping 192.168.8.1, I still see the packet going out
 encapsulated in ESP instead of unencrypted on the LAN (the Client's
 LAN ip is 192.168.8.184/24).

Hmmm. Interesting. What does your DefaultrouteTunnel ACL look like? Wait -
just dug up your old email:

 ip access-list extended DefaultrouteTunnel
  permit ip any any

So this is the issue (sorry - should have looked at this earlier) - you need
to put a list of networks here that the client can access. And just to be
confusing, the ACL is from the router's perspective as if the traffic is
outbound. So, if the pool of IP addresses that you're handing out to the
clients is 10.100.100.0/24 then that needs to be the destination address in
the ACL ala:

ip access-list extended DefaultrouteTunnel
 permit ip x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
 permit ip y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255

HTH.

B.


Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-27 Thread Michael K. Smith
Hello Mark:

Unless I'm misreading your intent, it looks like what you are trying to
accomplish is split-tunneling, such that only traffic from your
VPN-connected Windows machines and your protected net is getting tunneled,
while everything else is handled outside the tunnel.  If this is correct,
take a look at:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml

Regards,

Mike




[c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-26 Thread Marc Haber
Hi,

this is strictly a client issue and not appropriate for cisco-nsp, but
I haven't found any mailing list with this clue level for other
cisco-related aspects. If there is one, I'd like to learn about it.

I have a bunch of Windows clients with the Cisco VPN Client
5.0.01.0600 and an 1841 running IOS 12.4(9)T4. My configuration is as
follows:

aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login localauth local
aaa authorization exec default local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
username marc.haber privilege 15 secret 5 <snip>
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
!
!
crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
!
crypto dynamic-map InternDynmap 10
 set transform-set InternTransformSet
 reverse-route
!
!
crypto map InternClientMap client authentication list userauthen
crypto map InternClientMap isakmp authorization list groupauthor
crypto map InternClientMap client configuration address respond
crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 172.26.248.10 255.255.255.248
 duplex auto
 speed auto
 crypto map InternClientMap
!
ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny   ip 192.168.8.0 0.0.0.255 any
 permit ip any any
!

With this configuration, a client cannot communicate at all outside
the tunnel, which is a desired feature in this setup. OTOH, some
teleworkers would appreciate to be able to talk to their networked
printers on the local LANs.

I have received the advice of adding the local networks of all
teleworkers to an access list, which has resulted in the
DefaultrouteWithoutListedNetsTunnel ACL. But this does not seem to
work, traffic for 192.168.8.3 still goes into the tunnel after I
changed the acl reference in the crypto isakmp client configuration
group InternClient. Also, I do not see any changes in the Windows
client's routing tables.

Can someone advise what I am doing wrong here? Additionally, do I
really need to exclude all local networks of all teleworkers in the
global configuration, or is it possible to control this on a
per-client basis?

All web-based documentation I have found deals with the VPN
Concentrator series which do not seem to use IOS - at least I cannot
make sense of the advice found there in my configuration.

Any hints will be appreciated.

Greetings
Marc



Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-26 Thread Ge Moua
Sounds like a routing issue, is your ippool handing out IP addr to the
clients.  I recently set a similar config on a 1811 and this works fine.  I
can send you the working config if you're interested. 


Regards,
Ge Moua | Email: [EMAIL PROTECTED]

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
 


Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-26 Thread Brett Looney
 With this configuration, a client cannot communicate at all
 outside the tunnel, which is a desired feature in this setup.
 OTOH, some teleworkers would appreciate to be able to talk to
 their networked printers on the local LANs.

It's been a while but from memory you need to put the include-local-lan
setting into the client configuration group to do this. HTH.

B.
