04-21-2011 12:49 PM
We are using a CISCO1921-SEC (ISR) with IOS 15.1 and we configured a "crypto isakmp client configuration group". We can connect with the "Cisco Systems VPN Client Version 5.0.07.0410" via IPSec/UDP.
1. Is it possible to push routing information to the system running the VPN Client? At the moment all traffic is routed into the tunnel, but we would like only one route, to the network permitted with "pool ..." in the "crypto isakmp client configuration group NAME" section.
2. We searched for how to change from a UDP connection to a TCP connection via a special port. Is it possible with IOS 15.1 on the CISCO1921-SEC? Is there something possible like "isakmp ipsec-over-tcp port 10000"?
04-21-2011 02:45 PM
1. To push a route to the VPN client, you just need to enable split-tunnel. Here is the example.
Basically, you can define an ACL like the following,
access-list 10 permit 10.1.1.0 0.0.0.255, where 10.1.1.0/24 is the route which you would like to push to the VPN client.
Then in "crypto isakmp client configuration group xxxx", use the "acl" command to refer to the above ACL.
2. To enable IPsec over TCP, you need to configure "crypto ctcp port xxxx" on the router, and on the client side, enable IPsec over TCP for the specific port as well.
04-21-2011 03:53 PM
Thanks.
(1) "access-list 10" will not work, because "acl" needs a number 100-199:
<100-199> access-list number for split-tunneling
and it works fine. I added this
crypto isakmp client configuration group AAA
(...)
acl 120
(...)
access-list 120 remark -----------------------------------------------------------
access-list 120 remark VPN CLIENT - acl
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
and on Win7 we can now find only this one route, to the tunnel IP on the VPN router. Works well!
(2) I tried
crypto ctcp port 10000
but no connection via TCP/10000 was possible; only the old UDP connection still worked. Do I have to restart a service?
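The split-tunnel constraint from the post above (the "acl" command only accepts an extended ACL number 100-199, and the referenced ACL must actually exist) as an added configuration-review check in Python. This is not code from the thread or from Cisco; the config fragment, group names and networks it parses are constructed for the example.

```python
import re

# Constructed config fragment modelled on the thread (names/ACLs/networks are illustrative).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group AAA
 acl 120
crypto isakmp client configuration group BBB
 acl 10
crypto isakmp client configuration group CCC
 acl 150
crypto isakmp client configuration group DDD
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 120 remark VPN CLIENT - acl
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
"""

def parse_groups(config):
    """Map each client configuration group to the ACL number its 'acl' line references (None = full tunnel)."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp client configuration group (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = None
        elif current is not None and line.startswith(" "):
            m = re.match(r"^ acl (\d+)$", line)
            if m:
                groups[current] = int(m.group(1))
        else:
            current = None  # left the group's indented sub-block
    return groups

def permit_entries(config, number):
    """Permit lines of numbered access-list `number`; remarks and denies are ignored."""
    return re.findall(rf"^access-list {number} permit (.+)$", config, re.M)

def check_split_tunnel(config):
    """Classify each group's split-tunnel ACL as the router's 'acl' command would accept or reject it."""
    result = {}
    for group, acl in parse_groups(config).items():
        if acl is None:
            result[group] = "full-tunnel"       # no acl: every client route points into the tunnel
        elif not 100 <= acl <= 199:
            result[group] = "acl-out-of-range"  # 'acl' only accepts extended ACL numbers 100-199
        elif not permit_entries(config, acl):
            result[group] = "acl-undefined"     # referenced ACL has no permit entries to push
        else:
            result[group] = "ok"
    return result
```

Running check_split_tunnel(SAMPLE_CONFIG) flags group BBB (standard ACL 10, the mistake from the thread) and group CCC (ACL 150 never defined), while AAA passes and DDD is reported as full tunnel.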
04-21-2011 11:31 PM
Is there any NAT device between client and VPN headend?
I think NAT-T, IPSec-over-UDP and IPSec-over-TCP only kick in when there is a NAT device between client and VPN server.
04-22-2011 01:50 AM
> Is there any NAT device between client and VPN headend?
Yes, I think so. The VPN Client in this case is connected behind NAT via HSDPA (UMTS); the cell-net provider gives no direct IP to the customer end. But another connection to a Cisco Concentrator (not our network) works well with TCP/10000, and this happens outside our network.
The VPN headend (CISCO1921-SEC) has a DHCP interface with one IP/32 that has "nat outside" configured to mask outgoing traffic from the LAN interface. But with the same NAT configuration the UDP (standard) setup worked well?!
> I think NAT-T, IPSec-over-UDP and IPSec-over-TCP only kicks in when there is a NAT devices between client and vpn server.
The UDP Connection was ok ...
04-22-2011 11:20 AM
"The UDP Connection was ok ..."
Could you check from your vpn client to see if it is using UDP 4500?
By the way, did you configure the vpn client to use the related TCP port?
04-24-2011 05:11 AM
> Could you check from your vpn client to see if it is using UDP 4500?
Yes - it's configured with UDP (port not shown) - it works.
> By the way, did you configure the vpn client to use the related TCP port?
Yes - I changed from UDP to TCP + port 10000, as configured on the 1921.
04-25-2011 02:32 PM
In VPN client -> Statistics, if you don't see "Transparent Tunneling" is active, that means NAT-T or IPSec-over-TCP did not kick in at all.
Does your vpn connection work? I mean you can reach the internal network from client after VPN is up.
You might try this IPSec over TCP feature on the client where NAT-T can kick in.
In general, if there are NAT devices between VPN server and client, NAT-T or IPSec-over-TCP should kick in.
But to my knowledge, some nat device might have VPN-passthrough feature which handles VPN traffic differently and NAT-T won't kick in in this situation.
04-27-2011 05:30 AM
> In VPN client -> Statistics, if you don't see "Transparent Tunneling"
> is active, that means NAT-T or IPSec-over-TCP did not kick in at all.
> Does your vpn connection work? I mean you can reach the internal
> network from client after VPN is up.
I just reinstalled the VPN Client and now it's working. I can access both now: UDP/4500 and TCP/10000. Now clients can try both if outside networks have UDP restrictions or NAT problems!