easy VPN - split tunnel

Hello,

I'm trying to find the reasons for some strange (to me) Easy VPN behaviour. I added split tunnelling to the server configuration and my first ACL looks like:

access-list 102 permit ip 20.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255

When I pinged 20.0.0.20 (from source 10.10.10.X), I saw increasing numbers of encrypted and decrypted packets:

    #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
    #pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46

When I changed my ACL:

access-list 102 permit tcp 20.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 eq telnet

I expected that only telnet would be pushed into the tunnel, but I found that ping also increased the numbers of encrypted and decrypted packets.

Do you know why? Is it just a limitation, so that I can't split by protocol? I'm confused because the client is aware of the ACL (protocol tcp and telnet port):

r4#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : VPN
Inside interface list: Ethernet1/0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 20.0.0.5
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
       Address    : 20.0.0.0
       Mask       : 255.255.255.0
       Protocol   : 0x6
       Source Port: 0
       Dest Port  : 23
Current EzVPN Peer: 10.0.0.1

regards

Hubert

2 Replies

Marcin Latosiewicz
Cisco Employee

Hubert,

Check what was actually added to your SA DB.

"show crypto ipsec sa | i caps|ident" will give you a nice overview.

M.

Hi,

I can't believe what I found:

1) client VPN mode: client

The ACL ignores destination and protocols, even if the ACL looks like below:

access-list 102 permit tcp 20.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 eq telnet

The command "show crypto ipsec sa | i caps|ident" shows you protocol and port = 0:

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)

2) client VPN mode: network-extension

ACL 102 is the same:

access-list 102 permit tcp 20.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 eq telnet

but the output is totally different:

   local  ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/6/23)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/6/0)

and in this mode the feature behaves as I expected (only telnet, not ping, is pushed into the tunnel), but to be honest I'm not really sure why; the different behaviour in the two modes isn't documented (or I can't find it).

Thanks

Hubert
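The check Marcin suggests, reading the proxy identities out of "show crypto ipsec sa | i caps|ident", is easy to automate. The script below is an added example and is not code from the thread or from Cisco: it parses the two outputs Hubert quoted (embedded here as constructed sample text, with made-up packet counters for the network-extension case), reports whether the tcp/23 restriction from ACL 102 was actually installed in the SA, and tests whether a given flow would be selected by that SA. It assumes both outputs were taken on the same device (so "local" and "remote" mean the same side in both) and treats a 0 in the prot or port field as a wildcard, which is how those identities are displayed.

```python
"""Inspect what an Easy VPN split-tunnel ACL really negotiated, from
'show crypto ipsec sa | i caps|ident' output.  Added example; the sample
outputs below are constructed from the two cases quoted in the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict

# Constructed sample: client mode (identities widened to 0/0, counters from the thread).
CLIENT_MODE_OUTPUT = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
    #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
    #pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46
"""

# Constructed sample: network-extension mode (identities from the thread, counters made up).
NEM_OUTPUT = """\
   local  ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/6/23)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/6/0)
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
"""

IDENT_RE = re.compile(
    r"(?P<side>local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<prot>\d+)/(?P<port>\d+)\)"
)
COUNTER_RE = re.compile(r"#pkts (?P<name>encaps|decaps): (?P<n>\d+)")

TCP, ICMP = 6, 1


@dataclass
class Ident:
    side: str                    # "local" or "remote"
    net: ipaddress.IPv4Network   # addr/mask folded into a network
    prot: int                    # 0 = any protocol
    port: int                    # 0 = any port


def parse_idents(output: str) -> Dict[str, Ident]:
    """Return the local and remote proxy identities keyed by side."""
    idents: Dict[str, Ident] = {}
    for m in IDENT_RE.finditer(output):
        net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
        idents[m["side"]] = Ident(m["side"], net, int(m["prot"]), int(m["port"]))
    if set(idents) != {"local", "remote"}:
        raise ValueError("expected both a local and a remote ident line")
    return idents


def parse_counters(output: str) -> Dict[str, int]:
    """Return the encaps/decaps packet counters (the numbers that grow when ping is tunnelled)."""
    return {m["name"]: int(m["n"]) for m in COUNTER_RE.finditer(output)}


def acl_enforced(idents: Dict[str, Ident], prot: int, port: int) -> bool:
    """True when the negotiated identities carry the split ACL's protocol and
    port, i.e. the restriction was installed rather than widened to 0/0."""
    local, remote = idents["local"], idents["remote"]
    if local.prot != prot or remote.prot != prot:
        return False
    return port in (local.port, remote.port)


def flow_matches(idents: Dict[str, Ident], local_ip: str, local_port: int,
                 remote_ip: str, remote_port: int, prot: int) -> bool:
    """Would this flow (seen from the side the output was taken on) be selected
    by the SA?  Pass port 0 for protocols without ports such as ICMP."""
    local, remote = idents["local"], idents["remote"]

    def side_ok(ident: Ident, ip: str, port: int) -> bool:
        return ipaddress.ip_address(ip) in ident.net and ident.port in (0, port)

    prot_ok = local.prot in (0, prot) and remote.prot in (0, prot)
    return prot_ok and side_ok(local, local_ip, local_port) and side_ok(remote, remote_ip, remote_port)


if __name__ == "__main__":
    for name, out in (("client", CLIENT_MODE_OUTPUT), ("network-extension", NEM_OUTPUT)):
        idents = parse_idents(out)
        print(f"{name}: tcp/23 restriction installed={acl_enforced(idents, TCP, 23)} "
              f"counters={parse_counters(out)}")
```

Run against the client-mode sample, acl_enforced() returns False and an ICMP flow matches the SA, which is exactly the symptom in the first post; against the network-extension sample it returns True, a telnet flow to 20.0.0.x:23 matches, and ICMP does not.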
