Solved: Cisco Router VPN client SPlit tunnel is not working

Lasandro Lopez · ‎03-15-2013

Hello there!
i've configured Cisco VPN CLient on a router 2821, and it is working fine.
I could access inside resourses normally>
the problem is that when i connect with VPN i lost connectivity to internet?

What is wrong with my configuration?

Below the running config of the router.
Regards!

CISCO2821#sh run

Building configuration...

Current configuration : 5834 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname CISCO2821

!

boot-start-marker

boot system flash c2800nm-adventerprisek9-mz.124-20.T.bin

boot-end-marker

!

logging message-counter syslog

logging buffered 51200 warnings

!

aaa new-model

!

aaa authentication login VPN-LOCAL-AUTHEN local

aaa authorization network VPN-LOCAL-AUTHOR local

!

aaa session-id common

!

dot11 syslog

ip source-route

!

ip cef

!

ip domain name yourdomain.com

ip name-server 8.8.8.8

no ipv6 cef

!

multilink bundle-name authenticated

!

voice-card 0

no dspfarm

!

username vpn privilege 0 secret 5 $1$tCf1$XAxQWtDRYdfy9g3JpVSvZ.

archive

log config

hidekeys

!

crypto isakmp policy 44

encr aes

authentication pre-share

group 2

lifetime 44444

!

crypto isakmp client configuration group VPN

key VPNVPNVPN

pool VPN-POOL

acl VPN-ACL-SPLIT

max-users 5000

!

crypto isakmp profile VPN-ISAKMP-PROFILE

match identity group VPN

client authentication list VPN-LOCAL-AUTHEN

isakmp authorization list VPN-LOCAL-AUTHOR

client configuration address respond

client configuration group VPN

virtual-template 44

!

crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

!

crypto ipsec profile VPN-PROFILE

set transform-set VPN-SET

set isakmp-profile VPN-ISAKMP-PROFILE

!

interface GigabitEthernet0/0

ip address 192.168.2.214 255.255.255.0

ip nat outside

ip virtual-reassembly

ip tcp adjust-mss 1412

duplex auto

speed auto

!

interface GigabitEthernet0/1

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1412

duplex auto

speed auto

!

interface FastEthernet0/0/0

no ip address

shutdown

duplex auto

speed auto

!

interface Virtual-Template44 type tunnel

ip unnumbered GigabitEthernet0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile VPN-PROFILE

!

interface Dialer0

no ip address

ip mtu 1452

ip virtual-reassembly

shutdown

!

ip local pool VPN-POOL 192.168.1.150 192.168.1.250

ip forward-protocol nd

ip http server

ip http port 8081

ip http access-class 23

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list ACL-NAT interface GigabitEthernet0/0 overload

!

ip access-list standard ACL-TELNET

permit any

!

ip access-list extended ACL-NAT

permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended ACL-VPN-SPLIT

permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

ip access-list extended VPN-ACL-SPLIT

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to

use.

-----------------------------------------------------------------------

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

access-class ACL-TELNET in

exec-timeout 30 0

privilege level 15

logging synchronous

transport input telnet ssh

line vty 5 15

access-class ACL-TELNET in

exec-timeout 30 0

privilege level 15

logging synchronous

transport input telnet ssh

line vty 16 988

access-class ACL-TELNET in

exec-timeout 30 0

logging synchronous

transport input telnet ssh

!

scheduler allocate 20000 1000

end

CISCO2821#

Gregory Snipes · ‎03-15-2013

I believe you have made an error with your ACL name. the ACL applied is "VPN-ACL-SPLIT" which is a blank ACL. You should switch that to "ACL-VPN-SPLIT" which has the entry "permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255" in it.

View solution in original post

blau grana · ‎03-15-2013

Hello Lasandro,

I had this problem a few months ago with similar sympthoms. I dont think you lost internet connectivity.

How did you test your connectivity? From which OS are you logging to VPN?

My problem was that after logging into VPN, my DNS server changed to default gateway of VPN connection. If do not allow internet connection for VPN users, your DNS request will be dropped/not resolved. Same as you a did not config DNS server in my isakmp client configuration.

I had this problem with Linux (Ubuntu 10.04) and also with MacOS. WinXP was working with no problem.

So what OS are you using, and can you post output of ipconfig / ifconfig and route print / route before and after logging to VPN?

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

Gregory Snipes · ‎03-15-2013

I believe you have made an error with your ACL name. the ACL applied is "VPN-ACL-SPLIT" which is a blank ACL. You should switch that to "ACL-VPN-SPLIT" which has the entry "permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255" in it.

Lasandro Lopez · ‎03-16-2013

Thank you Gregory. Your answer is the right one.
I correct the labeled ACL and now it is working fine.
Regards!