[c-nsp] IPsec VPN Default Gateway

Paul Stewart paul at paulstewart.org
Wed May 7 12:24:33 EDT 2008


Hi there...

Hoping someone on here has an answer to this... been searching and not
finding the right solution.

I have an IPsec VPN set up into a 2821 router.  It works fine, and I can access
internal resources.  I also have split tunneling set up, so as a client I can
continue to surf the Internet at the same time.

If I remove the ACL for split tunneling then (as predicted) I can only
access internal resources once the VPN session is connected.

My question is basically - can I connect with no split tunneling and surf
from *within* the remote network?  I want the user experience to be
*identical* to when they are at their desk.  We want to use this 'feature'
so that any devices we have can be locked down to only permit access from
the firewall IP address.  Someone indicated in a few postings that there is
a way to do this via a default gateway setting?

Config looks like:

aaa authentication login vpn_xauth1 local
aaa authorization network vpn_group1 local

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RemoteAccess
 key XXXXXXXXXXXXXXXXXXXXXXXXX
 dns xxxxxxxxxxxxxxxxxxx
 domain xxxxxxxxxxxxxxxxx
 pool VPNPool1
 acl 100
 save-password
 netmask 255.255.255.0
crypto isakmp profile VPN-Profile
   match identity group RemoteAccess
   client authentication list vpn_xauth1
   isakmp authorization list vpn_group1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile
 set transform-set ESP-3DES-SHA
 set isakmp-profile VPN-Profile

interface Virtual-Template2 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile
!
ip local pool VPNPool1 192.168.250.2 192.168.250.254

Thanks in advance,

Paul
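The following is an added example, not the poster's configuration and not a reply from the thread, showing how full-tunnel clients are usually given Internet access through the remote router on IOS: drop the split-tunnel ACL from the group so the client receives a default route into the tunnel, then NAT the VPN pool out the public interface so the client's Internet traffic appears to come from the router's outside address. The interface name GigabitEthernet0/0, the ACL name VPN-POOL-NAT and the route-map name VPN-NAT are assumptions; the group, template and pool names are taken from the posted config.

```cisco
! Added example (not from the original post). Assumed: GigabitEthernet0/0 is
! the Internet-facing interface; VPN-POOL-NAT and VPN-NAT are names chosen here.
!
! 1. Remove the split-tunnel ACL from the group. Without it the client is
!    pushed a default route through the tunnel, so all traffic comes to the router.
crypto isakmp client configuration group RemoteAccess
 no acl 100
!
! 2. Decrypted client traffic arrives on the Virtual-Access interface cloned
!    from the template, so that is the NAT "inside"; the public interface is
!    the NAT "outside". Existing sessions keep the old clone; reconnect to pick
!    this up.
interface Virtual-Template2 type tunnel
 ip nat inside
!
interface GigabitEthernet0/0
 ip nat outside
!
! 3. Translate only the VPN pool, and only when it leaves via the public
!    interface, so traffic from clients to internal subnets is not rewritten.
ip access-list extended VPN-POOL-NAT
 permit ip 192.168.250.0 0.0.0.255 any
!
route-map VPN-NAT permit 10
 match ip address VPN-POOL-NAT
 match interface GigabitEthernet0/0
!
ip nat inside source route-map VPN-NAT interface GigabitEthernet0/0 overload
```

After a client reconnects, its pool address should appear in `show ip route` via its Virtual-Access interface (the dynamic VTI installs that host route when the session comes up; if it does not, a route for the pool toward the virtual interface is needed before NAT can see the return traffic), and `show ip nat translations` should show the client's Internet flows translated to the GigabitEthernet0/0 address. If the router already has an `ip nat inside source list ... overload` statement for the LAN, this route-map statement sits beside it; make sure the LAN statement's ACL does not also match the VPN pool, or the two rules will compete.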