07-09-2013 02:56 PM
Hello,
we are using a c1841 with IOS version c1841-advsecurityk9-mz.124-15.T.bin. As remote software we use VPN client version 5.0.07.0410.
My configuration is:
crypto isakmp policy 3
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group integra-group
key purieggs
dns 192.168.0.100
wins 192.168.0.100
domain f-integra.org
pool integra-pool
acl integra-acl
!
ip access-list extended integra-acl
permit ip 192.168.0.0 0.0.0.255 10.254.254.0 0.0.0.31
!
We want to use split tunneling so that only traffic to 192.168.0.0/24 will be encrypted.
The IPsec session is OK, but when you check the routes installed in the remote client OS, besides 192.168.0.0/24 there are also
other routes, such as 10.0.0.0/8, that we are not using. Why? We have problems because traffic to network 10.0.0.0/8 must not be encrypted.
The client uses network 192.168.1.0/24 and the IPsec pool is 10.254.254.0/255.255.255.224.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination   Netmask           Gateway         Interface       Metric
0.0.0.0               0.0.0.0           192.168.1.254   192.168.1.200   20
10.0.0.0              255.0.0.0         On-link         10.254.254.21   276
10.254.254.21         255.255.255.255   On-link         10.254.254.21   276
10.255.255.255        255.255.255.255   On-link         10.254.254.21   276
X.X.X.X               255.255.255.255   192.168.1.254   192.168.1.200   100
127.0.0.0             255.0.0.0         On-link         127.0.0.1       306
127.0.0.1             255.255.255.255   On-link         127.0.0.1       306
127.255.255.255       255.255.255.255   On-link         127.0.0.1       306
192.168.0.0           255.255.255.0     10.0.0.1        10.254.254.21   100
192.168.1.0           255.255.255.0     On-link         192.168.1.200   276
192.168.1.200         255.255.255.255   On-link         192.168.1.200   276
192.168.1.254         255.255.255.255   On-link         192.168.1.200   100
192.168.1.255         255.255.255.255   On-link         192.168.1.200   276
224.0.0.0             240.0.0.0         On-link         127.0.0.1       306
224.0.0.0             240.0.0.0         On-link         192.168.1.200   276
224.0.0.0             240.0.0.0         On-link         10.254.254.21   276
255.255.255.255       255.255.255.255   On-link         127.0.0.1       306
255.255.255.255       255.255.255.255   On-link         192.168.1.200   276
255.255.255.255       255.255.255.255   On-link         10.254.254.21   276
===========================================================================
Thanks in advance.
Regards.
07-09-2013 03:39 PM
That's odd. I wouldn't expect that route based on the access-list in the configuration you posted.
Does the VPN client show that the route is coming from the VPN as well? (Statistics > Route Details)
07-09-2013 03:51 PM
Hello,
The Route Details in the VPN client show only the routes associated with split tunneling (192.168.0.0/24).
I changed the ACL today; before, it included the network 10.0.0.0/8. The issue is that I have disconnected
and reconnected the IPsec session to receive the new configuration. In Route Details (VPN client) everything is OK, but
the 10.0.0.0/8 route always appears.
Thanks
07-09-2013 04:42 PM
You may be seeing something related to this posting, where your local network (10.0.0.0/8) includes the VPN pool for the IPsec client (10.254.254.0/27). On the ASA you can use "excludespecified" in a group, but I don't think you can on an IOS-based VPN.
I wonder what would happen if you added a 2nd line to your acl with an explicit deny to the 10.0.0.0/8 for 192.168.0.0/24.
Are you able to manually delete the route on the client (route DELETE)?
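As an added example (not part of the thread, and not Cisco's tooling): a Python script that parses a Windows `route print` table like the one in the first post and checks, against the router's split-tunnel ACL, which routes bound to the VPN adapter fall outside the networks the ACL protects, then emits the `route delete` command for each. The sample route table and ACL are the ones from the thread, constructed inline; the ACL's source side is treated as the protected network, which is how IOS Easy VPN interprets a split-tunnel ACL. The adapter's own /32, multicast and the limited-broadcast entry are treated as expected; everything else is assumed to be a leak.

```python
import ipaddress
import re

# Constructed sample: the client's route table from the first post, reduced to the relevant rows.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.200     20
         10.0.0.0        255.0.0.0         On-link      10.254.254.21    276
    10.254.254.21  255.255.255.255         On-link      10.254.254.21    276
   10.255.255.255  255.255.255.255         On-link      10.254.254.21    276
      192.168.0.0    255.255.255.0         10.0.0.1     10.254.254.21    100
      192.168.1.0    255.255.255.0         On-link      192.168.1.200    276
        224.0.0.0        240.0.0.0         On-link      10.254.254.21    276
  255.255.255.255  255.255.255.255         On-link      10.254.254.21    276
"""

# Constructed sample: the split-tunnel ACL from the router config in the thread.
SPLIT_ACL = ["permit ip 192.168.0.0 0.0.0.255 10.254.254.0 0.0.0.31"]

LIMITED_BROADCAST = ipaddress.ip_network("255.255.255.255/32")


def acl_to_networks(acl_lines):
    """Return the protected networks from 'permit ip SRC WILDCARD DST WILDCARD' ACL entries.

    In an Easy VPN split-tunnel ACL the source side is the network behind the server,
    i.e. what the client should send through the tunnel. ipaddress accepts the IOS
    wildcard as a hostmask, so no manual inversion is needed.
    """
    nets = []
    for line in acl_lines:
        m = re.match(r"\s*permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets


def parse_routes(text):
    """Parse 'route print' rows into (network, gateway, interface) tuples; header rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, _metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            iface_ip = ipaddress.ip_address(iface)
        except ValueError:
            continue
        routes.append((net, gw, iface_ip))
    return routes


def unexpected_vpn_routes(route_text, acl_lines, vpn_adapter_ip):
    """Routes bound to the VPN adapter that the split-tunnel ACL does not account for."""
    vpn_ip = ipaddress.ip_address(vpn_adapter_ip)
    allowed = acl_to_networks(acl_lines)
    own_host = ipaddress.ip_network(f"{vpn_ip}/32")
    leaks = []
    for net, _gw, iface in parse_routes(route_text):
        if iface != vpn_ip:
            continue  # not via the tunnel adapter
        if net == own_host or net.is_multicast or net == LIMITED_BROADCAST:
            continue  # normal per-adapter entries
        if any(net.subnet_of(a) for a in allowed):
            continue  # pushed by the split-tunnel ACL
        leaks.append(net)
    return leaks


def route_delete_commands(nets):
    """Windows 'route delete' commands (run from an elevated prompt) for the leaked routes."""
    return [f"route delete {n.network_address} mask {n.netmask}" for n in nets]


if __name__ == "__main__":
    for cmd in route_delete_commands(
            unexpected_vpn_routes(ROUTE_PRINT, SPLIT_ACL, "10.254.254.21")):
        print(cmd)
```

On the sample data this flags 10.0.0.0/8 and its classful broadcast 10.255.255.255/32, both sitting on the adapter 10.254.254.21 and neither covered by the ACL, which matches what the first post reports.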
07-11-2013 03:17 PM
Hello,
I do not agree that the problem is the same as the one commented on in that posting. Anyway, manually deleting the route
lets us keep working.
Thank you so much.
Regards