[c-nsp] IPsec VPN Default Gateway
Paul Stewart
paul at paulstewart.org
Wed May 7 12:24:33 EDT 2008
Hi there...
Hoping someone on here has an answer to this... been searching and not
finding the right solution.
I have an IPsec VPN set up into a 2821 router. Works fine, can access
internal resources. Also, have split tunneling set up so as a client I can
continue to surf the Internet at the same time.
If I remove the ACL for split tunneling then (as predicted) I can only
access internal resources once the VPN session is connected.
My question is basically - can I connect with no split tunneling and surf
from *within* the remote network? I want the user experience to be
*identical* to what it would be if they were at their desk. We want to use this 'feature'
so that any devices we have can be locked down to only permitting access from
the firewall IP address. Someone indicated on a few postings that there is
a way to do this via a default gateway setting?
Config looks like:
aaa authentication login vpn_xauth1 local
aaa authorization network vpn_group1 local
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RemoteAccess
 key XXXXXXXXXXXXXXXXXXXXXXXXX
 dns xxxxxxxxxxxxxxxxxxx
 domain xxxxxxxxxxxxxxxxx
 pool VPNPool1
 acl 100
 save-password
 netmask 255.255.255.0
!
crypto isakmp profile VPN-Profile
 match identity group RemoteAccess
 client authentication list vpn_xauth1
 isakmp authorization list vpn_group1
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile
 set transform-set ESP-3DES-SHA
 set isakmp-profile VPN-Profile
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile
!
ip local pool VPNPool1 192.168.250.2 192.168.250.254
Thanks in advance,
Paul
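One way to get the full-tunnel behaviour asked about above, written as an added IOS example built on the posted config; it is not part of the original message. Two things are needed: the client must stop receiving a split-tunnel list (so its default route points into the tunnel), and the router must have a return path for pool traffic that leaves toward the Internet. The pool 192.168.250.0/24, the group name RemoteAccess and Virtual-Template2 come from the post. The interface name GigabitEthernet0/0, the ACL name VPN-NAT and the internal range 10.0.0.0/8 are assumptions for illustration, as is the choice to have the 2821 itself perform the egress NAT.

```cisco
! Added example, not from the original post. Assumes GigabitEthernet0/0 is the
! Internet-facing interface and that this router performs the egress NAT.
!
! 1. Remove the split-tunnel ACL from the client group. Without an "acl" line
!    the client is given no split-tunnel list and sends all traffic into the
!    tunnel, which is the "default gateway" behaviour referred to in the post.
crypto isakmp client configuration group RemoteAccess
 no acl 100
!
! 2. Translate pool addresses (192.168.250.0/24, from the post) to the outside
!    address only when they head for the Internet. The deny line keeps
!    pool-to-internal traffic untranslated (assumed internal range 10.0.0.0/8;
!    replace with the real one).
ip access-list extended VPN-NAT
 deny   ip 192.168.250.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.250.0 0.0.0.255 any
!
ip nat inside source list VPN-NAT interface GigabitEthernet0/0 overload
!
! 3. Mark the NAT domains. Putting "ip nat inside" on the Virtual-Template
!    means every Virtual-Access interface cloned for a client inherits it.
interface Virtual-Template2 type tunnel
 ip nat inside
!
interface GigabitEthernet0/0
 ip nat outside
```

If a separate firewall does the egress NAT instead of the 2821, leave steps 2 and 3 out and make sure that firewall has a route for 192.168.250.0/24 pointing back at the router and a policy that permits the pool; the clients then appear on the Internet with the firewall's address, which is what the device lock-down in the post relies on. After a client connects, `show crypto session` confirms the tunnel and `show ip nat translations` shows pool addresses being translated when the router is doing the NAT. The 3DES/MD5 settings are kept only so the example matches the posted config; on current IOS releases AES and SHA-based hashes are the appropriate choices.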