[c-nsp] VPN Question - IOS

Justin M. Streiner streiner at cluebyfour.org
Tue Jul 22 11:38:37 EDT 2008


On Tue, 22 Jul 2008, Paul Stewart wrote:

> We have a remote access VPN configuration deployed on a 2800 router....
> everything works great except I'd like to "force" VPN users to send all
> their traffic via the VPN when connected.  I'm missing something obvious I
> believe...
>
> Example would be once a VPN user is connected and opens an SSH session to a
> router, I want that SSH session to come via the VPN router's IP address -
> not their home IP address.
>
> 192.192.61.0/24 is our "internal" LAN network - yeah yeah, I know... this
> was set up by a networking "expert" long before my time...:(

Sounds like you want to disable split tunneling.  With split tunneling, 
only traffic you define as "interesting" is sent over the VPN, and 
everything else follows the normal default route from the user's PC, 
presumably over their regular Internet connection.

jms

> Config looks like this:
>
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> !
> crypto isakmp client configuration group RemoteAccess
> key xxxxxxxxxxxxxxxx
> dns xxxxxxxxxxxxxxxxxxx
> wins xxxxxxxxxxxxxxxxx
> domain xxxxxxxxxxxxxxxxxxx
> pool VPNPool1
> acl 100
> save-password
> include-local-lan
> netmask 255.255.255.0
> crypto isakmp profile VPN-Profile
>   match identity group RemoteAccess
>   client authentication list vpn_xauth1
>   isakmp authorization list vpn_group1
>   client configuration address respond
>   virtual-template 2
> !
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> !
> crypto ipsec profile VPN-Profile
> set transform-set ESP-3DES-SHA
> set isakmp-profile VPN-Profile
>
>
> interface Virtual-Template2 type tunnel
> ip unnumbered Loopback1
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile VPN-Profile
>
> ip local pool VPNPool1 192.168.250.2 192.168.250.254
>
> access-list 100 permit ip 192.192.61.0 0.0.0.255 any
> access-list 100 permit ip 192.168.250.0 0.0.0.255 any
>
>
>
> This has something to do with split tunneling and the ACL 100 but so far I
> haven't got this working....
>
> Thanks very much,
>
> Paul
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
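As an added illustration (not from either poster), here is the quoted group configuration with its split-tunnel settings placed beside a variant with split tunneling disabled. In the Easy VPN group, the `acl` line names the split-tunnel list; without it the client routes everything into the tunnel. The NAT lines and the interface name FastEthernet0/0 are assumptions, not from the thread, and are only needed so that a connected client's sessions egress from the router's own address as the question asks.

```ios
! --- As posted: the "acl 100" reference enables split tunneling, so only
!     destinations matched by access-list 100 go over the VPN ---
crypto isakmp client configuration group RemoteAccess
 key xxxxxxxxxxxxxxxx
 dns xxxxxxxxxxxxxxxxxxx
 wins xxxxxxxxxxxxxxxxx
 domain xxxxxxxxxxxxxxxxxxx
 pool VPNPool1
 acl 100
 save-password
 include-local-lan
 netmask 255.255.255.0
!
! --- Full tunnel: omit "acl" and "include-local-lan" so the client is
!     pushed a default route into the tunnel and keeps no local bypass ---
crypto isakmp client configuration group RemoteAccess
 key xxxxxxxxxxxxxxxx
 dns xxxxxxxxxxxxxxxxxxx
 wins xxxxxxxxxxxxxxxxx
 domain xxxxxxxxxxxxxxxxxxx
 pool VPNPool1
 save-password
 netmask 255.255.255.0
!
! Assumed: FastEthernet0/0 is the router's Internet-facing interface.
! Pool addresses heading to the Internet are translated to that interface's
! address, so an SSH session from a connected client arrives from the VPN
! router's IP. Traffic to the internal LAN is excluded from translation.
access-list 101 deny   ip 192.168.250.0 0.0.0.255 192.192.61.0 0.0.0.255
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback1
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile
!
interface FastEthernet0/0
 ip nat outside
!
ip nat inside source list 101 interface FastEthernet0/0 overload
```

After a client reconnects, its routing table should show a default route pointing into the VPN adapter rather than only the 192.192.61.0/24 and 192.168.250.0/24 entries that the split-tunnel list produced; `show ip nat translations` on the router should then show pool addresses being translated for Internet-bound sessions.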

