05-04-2011 11:36 AM
I have an ASA 5510 running 8.4x and am using a remote access L2TP/IPSEC VPN. The VPN works great. My issue is that I want to populate the client's routing table with a route dynamically when it's connected to the VPN. If I do a Windows "route add XX" the connectivity works, but I cannot figure out how to make the ASA VPN stick the route in the client's table. Any help would be appreciated. Thanks much!
Mike
05-04-2011 02:09 PM
Mike,
AFAIK no l2tp over ipsec implementation supports split-tunneling which seems to be what you're after.
Alternatively (but I don't think L2TP on the Windows side allows this) you could auto-launch a script with routes upon connection.
Marcin
05-05-2011 03:01 AM
Hi,
Split tunneling is not supported for L2TP connections. Please go through the following doc for a workaround:
http://technet.microsoft.com/en-us/library/bb878117.aspx
Hope this helps,
Regards,
Parminder Sian
05-13-2011 12:33 PM
Thanks for all of the responses.
TAC told me the same thing, that split tunneling was not possible on l2tp-ipsec. Then they said it was, but only for Windows XP clients.
With a combination of TAC help and my own trial and error, I was able to come up with this configuration on the ASA, and it works on XP, Windows 7, Windows 2003, and a Mac:
!INTERNAL NETWORK
route inside 192.168.111.128 255.255.255.192 192.168.222.1 1
!INTERNAL DNS SERVER
route inside 192.168.200.100 255.255.255.255 192.168.222.1 1
!ACL MATCHES STATIC ROUTES
access-list TUNNEL-THIS standard permit 192.168.111.128 255.255.255.192
access-list TUNNEL-THIS standard permit host 192.168.200.100
!THE MAGIC
group-policy DefaultRAGroup attributes
dns-server value 192.168.200.100
vpn-tunnel-protocol ikev1 l2tp-ipsec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TUNNEL-THIS
intercept-dhcp 255.255.255.0 enable
The only caveat is that some clients do not use the VPN-provided DNS server 192.168.200.100 after they connect to the VPN; they keep using the original one from their main network stack. In my case this means that they can only connect to internal resources by IP and not by DNS name.
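The following is an added example, not code from the thread or from Cisco. It parses the ASA snippet posted above (copied here as a constructed sample, comments omitted) and checks two things a practitioner would want to confirm before rolling out this split-tunnel setup: that every prefix pushed to clients through the split-tunnel-network-list ACL is covered by a static route on the ASA, and that the dns-server handed to clients actually falls inside a tunneled prefix, since a DNS server outside the list is unreachable once the client routes only the listed networks through the VPN. It also renders the equivalent Windows "route add" lines for the script-on-connect workaround mentioned earlier; the gateway address 10.10.10.1 is a placeholder for the client's VPN adapter address and is not from the thread.

```python
"""Sanity-check an ASA split-tunnel configuration for L2TP/IPsec remote access."""
import ipaddress
import re

# Constructed sample: the configuration posted in the thread, comment lines removed.
ASA_CONFIG = """\
route inside 192.168.111.128 255.255.255.192 192.168.222.1 1
route inside 192.168.200.100 255.255.255.255 192.168.222.1 1
access-list TUNNEL-THIS standard permit 192.168.111.128 255.255.255.192
access-list TUNNEL-THIS standard permit host 192.168.200.100
group-policy DefaultRAGroup attributes
 dns-server value 192.168.200.100
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TUNNEL-THIS
 intercept-dhcp 255.255.255.0 enable
"""

# Standard ACL entries: either "permit host A.B.C.D" or "permit NETWORK MASK".
ACL_RE = re.compile(r"^access-list (\S+) standard permit (?:host (\S+)|(\S+) (\S+))$")
# Static routes: "route IFACE NETWORK MASK NEXTHOP [METRIC]".
ROUTE_RE = re.compile(r"^route \S+ (\S+) (\S+) \S+")


def parse_config(text):
    """Return (acls, routes, policy) extracted from the ASA config text."""
    acls, routes, policy = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, host, net, mask = m.groups()
            prefix = ipaddress.ip_network(host) if host else ipaddress.ip_network(f"{net}/{mask}")
            acls.setdefault(name, []).append(prefix)
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        if line.startswith("dns-server value "):
            policy["dns"] = ipaddress.ip_address(line.split()[-1])
        elif line.startswith("split-tunnel-policy "):
            policy["split_policy"] = line.split()[-1]
        elif line.startswith("split-tunnel-network-list value "):
            policy["split_list"] = line.split()[-1]
    return acls, routes, policy


def tunneled_prefixes(text):
    """Prefixes the group-policy will push to clients; empty unless tunnelspecified is set."""
    acls, _, policy = parse_config(text)
    if policy.get("split_policy") != "tunnelspecified":
        return []
    return acls.get(policy.get("split_list"), [])


def check_split_tunnel(text):
    """Return a list of findings; an empty list means the config is internally consistent."""
    _, routes, policy = parse_config(text)
    prefixes = tunneled_prefixes(text)
    findings = []
    dns = policy.get("dns")
    if dns is not None and not any(dns in p for p in prefixes):
        findings.append(f"dns-server {dns} is outside every tunneled network; "
                        "clients cannot resolve internal names over the VPN")
    for p in prefixes:
        if not any(p.subnet_of(r) for r in routes):
            findings.append(f"{p} is pushed to clients but no ASA static route covers it")
    return findings


def client_route_commands(text, vpn_gateway="10.10.10.1"):
    """Equivalent Windows 'route add' lines for a connect-time script.

    vpn_gateway is a placeholder (hypothetical) for the client's VPN adapter address.
    """
    return [f"route add {p.network_address} mask {p.netmask} {vpn_gateway}"
            for p in tunneled_prefixes(text)]


if __name__ == "__main__":
    for finding in check_split_tunnel(ASA_CONFIG) or ["no findings"]:
        print(finding)
    for cmd in client_route_commands(ASA_CONFIG):
        print(cmd)
```

Running the checker on the posted configuration produces no findings, which matches the thread's report that the setup works; changing the dns-server to an address outside TUNNEL-THIS, or dropping the host route for 192.168.200.100, produces one finding each.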