[c-nsp] VPN Client to 1841, default route into tunnel with exceptions

Ge Moua moua0100 at umn.edu
Tue Aug 26 11:20:25 EDT 2008


Sounds like a routing issue. Is your ippool handing out IP addresses to the
clients? I recently set up a similar config on an 1811 and it works fine. I
can send you the working config if you're interested.


Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
 
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marc Haber
Sent: Tuesday, August 26, 2008 9:01 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

Hi,

this is strictly a client issue and not appropriate for cisco-nsp, but I
haven't found any mailing list with this clue level for other cisco-related
aspects. If there is one, I'd like to learn about it.

I have a bunch of Windows clients with the Cisco VPN Client 5.0.01.0600 and
an 1841 running IOS 12.4(9)T4. My configuration is as follows:

aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login localauth local
aaa authorization exec default local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
username marc.haber privilege 15 secret 5 <snip>
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
! Easy VPN server group for the VPN Client; "acl" names the split-tunnel
! ACL that is pushed to the client as its list of tunnelled destinations.
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
!
!
crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
!
crypto dynamic-map InternDynmap 10
 set transform-set InternTransformSet
 reverse-route
!
!
crypto map InternClientMap client authentication list userauthen
crypto map InternClientMap isakmp authorization list groupauthor
crypto map InternClientMap client configuration address respond
crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 172.26.248.10 255.255.255.248
 duplex auto
 speed auto
 crypto map InternClientMap
!
! "permit ip any any" pushes a default route into the tunnel (full tunnel).
ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny   ip 192.168.8.0 0.0.0.255 any
 permit ip any any
!

With this configuration, a client cannot communicate at all outside the
tunnel, which is a desired feature in this setup. OTOH, some teleworkers
would appreciate being able to talk to the networked printers on their local
LANs.

I have received the advice to add the local networks of all teleworkers to
an access list, which has resulted in the
"DefaultrouteWithoutListedNetsTunnel" ACL. But this does not seem to work:
traffic for 192.168.8.3 still goes into the tunnel after I changed the acl
reference in the crypto isakmp client configuration group InternClient.
Also, I do not see any changes in the Windows client's routing tables.

Can someone advise what I am doing wrong here? Additionally, do I really
need to exclude all local networks of all teleworkers in the global
configuration, or is it possible to control this on a per-client basis?

All web-based documentation I have found deals with the VPN Concentrator
series, which does not seem to use IOS - at least I cannot make sense of the
advice found there in my configuration.

Any hints will be appreciated.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
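Added example (editor's, not either poster's configuration) showing the two ways the IOS Easy VPN server in Marc's post can give a full-tunnel client access to its local LAN. It assumes the group, pool and ACL names from his post, treats 10.1.2.0/24 as "the corporate network" purely for illustration, and assumes the `include-local-lan` group attribute is available on his 12.4(9)T4 image (check with `?` under the group). The point it illustrates: the ACL referenced by `acl` is the list of destinations that go *into* the tunnel; `permit` entries are pushed to the client as secured routes, `deny` entries are simply not pushed and never create an exclusion. So `deny 192.168.8.0/24` followed by `permit ip any any` pushes the same "everything via tunnel" policy as before, which is why nothing changed in the Windows routing table. Local-LAN reachability for a full-tunnel client comes from `include-local-lan` on the group together with the "Allow Local LAN Access" checkbox in the VPN Client, so the teleworkers' home networks do not have to be enumerated on the router.

```cisco
! Added example, not the posters' config. Names follow the original post;
! 10.1.2.0/24 as the corporate network is an assumption for illustration.
! The pre-shared group key is deliberately <snip>ped here.
!
! Option A: stay full-tunnel, but let the client reach its own LAN.
! The "acl" ACL lists what is tunnelled; deny lines are not pushed, so
! "deny 192.168.8.0/24 + permit any" is still a full tunnel. Local LAN
! access instead comes from include-local-lan (assumed available on
! 12.4(9)T) plus the client-side "Allow Local LAN Access" setting.
crypto isakmp client configuration group InternClient
 key <snip>
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
 include-local-lan
!
ip access-list extended DefaultrouteTunnel
 permit ip any any
!
! Option B: a real split tunnel. Only traffic to the listed corporate
! networks is encrypted; the printer and the Internet are reached in the
! clear. Wider exposure than A: the host is on the Internet and on the
! VPN at the same time, which the original full-tunnel design avoided.
! Source addresses are the networks behind the server; the client inverts.
ip access-list extended CorpNetsTunnel
 permit ip 10.1.2.0 0.0.0.255 any
!
crypto isakmp client configuration group InternClientSplit
 key <snip>
 dns 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl CorpNetsTunnel
```

To verify which policy actually reached the client, look at the secured routes in the VPN Client's Statistics > Route Details tab and at `route print` on Windows after connecting: under option A the default route still points into the tunnel and the local subnet is listed as a local-LAN exception, under option B only the corporate prefixes appear as secured routes. Option A is the narrower choice from a security standpoint, because a machine with an unrestricted split tunnel can be reached from the Internet and the corporate network at once.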