[c-nsp] VPN Client to 1841, default route into tunnel with exceptions

Marc Haber mh+cisco-nsp at zugschlus.de
Tue Aug 26 10:01:24 EDT 2008


Hi,

this is strictly a client issue and not appropriate for cisco-nsp, but
I haven't found any mailing list with this clue level for other
cisco-related aspects. If there is one, I'd like to learn about it.

I have a bunch of Windows clients with the Cisco VPN Client
5.0.01.0600 and an 1841 running IOS 12.4(9)T4. My configuration is as
follows:

aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login localauth local
aaa authorization exec default local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
username marc.haber privilege 15 secret 5 <snip>
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
!
!
crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
!
crypto dynamic-map InternDynmap 10
 set transform-set InternTransformSet
 reverse-route
!
!
crypto map InternClientMap client authentication list userauthen
crypto map InternClientMap isakmp authorization list groupauthor
crypto map InternClientMap client configuration address respond
crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 172.26.248.10 255.255.255.248
 duplex auto
 speed auto
 crypto map InternClientMap
!
ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny   ip 192.168.8.0 0.0.0.255 any
 permit ip any any
!

With this configuration, a client cannot communicate at all outside
the tunnel, which is a desired feature in this setup. OTOH, some
teleworkers would appreciate being able to talk to their networked
printers on their local LANs.

I have received the advice to add the local networks of all
teleworkers to an access list, which resulted in the
"DefaultrouteWithoutListedNetsTunnel" ACL. But this does not seem to
work: traffic for 192.168.8.3 still goes into the tunnel after I
changed the ACL reference in the crypto isakmp client configuration
group InternClient. Also, I do not see any changes in the Windows
client's routing tables.

Can someone advise on what I am doing wrong here? Additionally, do I
really need to exclude all local networks of all teleworkers in the
global configuration, or is it possible to control this on a
per-client basis?

All web-based documentation I have found deals with the VPN
Concentrator series which do not seem to use IOS - at least I cannot
make sense of the advice found there in my configuration.

Any hints will be appreciated.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
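Added example (editorial; not part of Marc's post and not his running
configuration). On an IOS EzVPN server the ACL referenced by `acl` under
`crypto isakmp client configuration group` is an include list: each
`permit` entry is pushed to the VPN Client at mode-config time as a network
to be secured, and `deny` entries are not turned into exceptions. With
`permit ip any any` as the only permit, the client therefore tunnels
everything, including 192.168.8.3. Listing only the head-end networks
inverts the logic: whatever is not listed, such as each teleworker's own
LAN, stays in the clear without having to enumerate those LANs centrally.
The 10.1.2.0/24 network is assumed from the DNS/WINS addresses in the
posted configuration; 10.1.3.0/24 and the second group name and key are
illustrative placeholders.

```ios
! Added example, not from the original post. The split-tunnel ACL on an
! IOS EzVPN server is an include list: only "permit" lines are pushed to
! the client as secured networks; "deny" lines do not create exceptions.
! 10.1.2.0/24 is assumed from the DNS/WINS addresses; 10.1.3.0/24 is a
! placeholder for any further internal network.
ip access-list extended SplitTunnelInternal
 remark Networks reached through the VPN; everything else stays local
 permit ip 10.1.2.0 0.0.0.255 any
 permit ip 10.1.3.0 0.0.0.255 any
!
crypto isakmp client configuration group InternClient
 acl SplitTunnelInternal
!
! Per-client control is really per-group control: a second group with
! its own pre-shared key and ACL. A client selects it by the group name
! entered in its VPN Client connection entry. This group keeps the
! original full-tunnel behaviour for users who must not see their LAN.
crypto isakmp client configuration group InternClientFullTunnel
 key <different-placeholder-key>
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
```

The split-tunnel list is delivered only while the tunnel is being
established, which is why changing the ACL reference on the router
produces no visible change in a connected client's routing table. After
the change, tear down the existing sessions (for example with
`clear crypto session`) or have the clients disconnect and reconnect; the
client's route print should then show only the permitted networks pointing
at the tunnel.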
