***Solved*** Split Tunnel networks not showing up on client PC - Router 3825 - DVTI ***Solved***

TJ-20933766

Attempting to create a remote access VPN for teleworker scenario using Cisco VPN Client on a laptop back to a Cisco 3825 router running (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M12a. I've done this many times on ASA platforms but not on a router.

I've added the internal networks the client will access via the tunnel in an ACL which is applied under the "crypto isakmp client configuration group IPSEC". I can see the routes in my Cisco VPN Client if I go to statistics > routes but I don't see them listed if I open up a command prompt and do a "route print". I would normally see these routes if I was connecting to an ASA but not here.

What's odd is that I can ping the PC from a router on the network (10.0.63.2) just fine, but if I initiate a ping to the same router from the PC, it times out. If I do a traceroute to the router, I show traffic not entering the tunnel. A packet capture further verifies this.

If I manually add a route on the PC for 10.0.63.0/30 with the default gateway of 192.168.254.1, then I can ping the router from the PC. What I need is for the routes to automatically update on the PC when connected to the 3825, just like when I connect to an ASA.

Here is a copy of the config on the router:

aaa new-model
aaa authentication login local_list local
aaa authentication network local_list local
!
object-group network LOCAL-LAN
 10.0.61.0 255.255.255.0
 10.0.62.0 255.255.255.0
 10.0.63.0 255.255.255.252
!
class-map type inspect match-any INTERNET-TRAFFIC-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ntp
 match protocol ssh
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect INTERNET-TRAFFIC-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
! client group: pool, split-tunnel list and netmask are pushed to the VPN client
crypto isakmp client configuration group IPSEC
 key ******************************
 pool VPN
 acl SPLIT-TUNNEL-LIST
 save-password
 netmask 255.255.255.240
!
crypto isakmp profile ISAKMP-PROFILE-1
 match identity group IPSEC
 client authentication list local_list
 isakmp authorization list local_list
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC-PROFILE-1
 set transform-set AES-256-SHA
!
interface GigabitEthernet0/0
 ip address 10.0.63.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 zone-member security OUTSIDE
 no cdp enable
!
interface Virtual-Template1
 no ip address
!
! DVTI: a virtual-access interface is cloned from this template per connected client
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/1
 zone-member security INSIDE
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE-1
!
ip local pool VPN 192.168.254.1 192.168.254.14
!
ip nat inside source list LAN-NAT interface GigabitEthernet0/1 overload
!
ip access-list extended LAN-NAT
 permit ip object-group LOCAL-LAN any
! networks the client should reach through the tunnel (referenced by 'acl' in the client group)
ip access-list extended SPLIT-TUNNEL-LIST
 permit ip 10.0.63.0 0.0.0.3 any
 permit ip 10.0.62.0 0.0.0.255 any
 permit ip 10.0.61.0 0.0.0.255 any
<output omitted>
1 Reply

TJ-20933766

For some reason the split tunnel will not work if you use a named access list. I changed to the following, and the routes showed up on the PC.

<output omitted>
crypto isakmp client configuration group IPSEC
 acl 101
<output omitted>
! same three networks as a numbered extended ACL
access-list 101 permit ip 10.0.63.0 0.0.0.3 any
access-list 101 permit ip 10.0.62.0 0.0.0.255 any
access-list 101 permit ip 10.0.61.0 0.0.0.255 any
<output omitted>
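As an added example that is not part of either post in this thread: a small Python checker that pulls the split-tunnel ACL bound to the ISAKMP client group out of an IOS configuration (named or numbered form), converts each wildcard ACE into the prefix the VPN client is expected to install, and flags entries that would never produce a client route (a deny, a swapped source/destination, a non-contiguous wildcard). The two config excerpts inside it are constructed from the original post and the reply above, using the poster's group and ACL names; the function names are this example's own, not an IOS or Cisco API.

```python
"""Derive the routes a Cisco VPN client should install from the split-tunnel
ACL bound to an ISAKMP client group.  Added example, not code from the thread."""
import ipaddress
import re
from typing import List

# Constructed excerpt of the original post: split-tunnel list as a named extended ACL.
CONFIG_NAMED = """\
crypto isakmp client configuration group IPSEC
 pool VPN
 acl SPLIT-TUNNEL-LIST
 netmask 255.255.255.240
!
ip access-list extended SPLIT-TUNNEL-LIST
 permit ip 10.0.63.0 0.0.0.3 any
 permit ip 10.0.62.0 0.0.0.255 any
 permit ip 10.0.61.0 0.0.0.255 any
"""

# Constructed excerpt of the reply: the same networks as numbered ACL 101.
CONFIG_NUMBERED = """\
crypto isakmp client configuration group IPSEC
 pool VPN
 acl 101
!
access-list 101 permit ip 10.0.63.0 0.0.0.3 any
access-list 101 permit ip 10.0.62.0 0.0.0.255 any
access-list 101 permit ip 10.0.61.0 0.0.0.255 any
"""


def split_tunnel_acl_name(config: str, group: str) -> str:
    """Return the ACL name or number given by 'acl' inside the client group block."""
    in_group = False
    for line in config.splitlines():
        if line.startswith(f"crypto isakmp client configuration group {group}"):
            in_group = True
            continue
        if in_group:
            if not line.startswith(" "):  # the indented block has ended
                break
            m = re.match(r"\s+acl\s+(\S+)\s*$", line)
            if m:
                return m.group(1)
    raise ValueError(f"no 'acl' statement under group {group}")


def acl_entries(config: str, name: str) -> List[str]:
    """Collect the ACEs of an extended ACL in either IOS form:
    'ip access-list extended NAME' + indented lines, or 'access-list NUM ...'."""
    entries: List[str] = []
    in_named = False
    for line in config.splitlines():
        m = re.match(rf"access-list {re.escape(name)}\s+(\S.*)$", line)
        if m:  # numbered form, one ACE per line
            entries.append(m.group(1).strip())
            continue
        if line.startswith(f"ip access-list extended {name}"):
            in_named = True  # named form, ACEs follow indented
            continue
        if in_named:
            if not line.startswith(" "):
                in_named = False
                continue
            entries.append(line.strip())
    return entries


def ace_to_network(ace: str) -> ipaddress.IPv4Network:
    """Convert one 'permit ip <src> <wildcard> any' (or 'permit ip host <src> any')
    ACE into the prefix the client routes through the tunnel.  Anything else
    (deny, destination other than 'any', port matches) is rejected, because the
    client only installs routes for source networks matched against 'any'."""
    parts = ace.split()
    if parts[:2] != ["permit", "ip"] or len(parts) != 5 or parts[4] != "any":
        raise ValueError(f"not a valid split-tunnel ACE: {ace!r}")
    if parts[2] == "host":
        return ipaddress.IPv4Network(f"{parts[3]}/32")
    # IOS wildcard -> netmask by inversion; a non-contiguous wildcard makes
    # IPv4Network raise, which is the right outcome for a split-tunnel list.
    wildcard = int(ipaddress.IPv4Address(parts[3]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    # strict=False: IOS zeroes host bits in the ACE itself, so mirror that.
    return ipaddress.IPv4Network(f"{parts[2]}/{netmask}", strict=False)


def client_routes(config: str, group: str = "IPSEC") -> List[str]:
    """Prefixes the client should show under 'route print' once connected."""
    name = split_tunnel_acl_name(config, group)
    return [str(ace_to_network(a)) for a in acl_entries(config, name)]


def acl_problems(entries: List[str]) -> List[str]:
    """One human-readable problem per ACE that would not push a route."""
    problems: List[str] = []
    for ace in entries:
        try:
            ace_to_network(ace)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def routed_via_tunnel(config: str, dst: str, group: str = "IPSEC") -> bool:
    """Would client traffic to dst enter the tunnel under this config?"""
    addr = ipaddress.IPv4Address(dst)
    return any(addr in ipaddress.IPv4Network(r) for r in client_routes(config, group))


if __name__ == "__main__":
    for label, cfg in (("named", CONFIG_NAMED), ("numbered", CONFIG_NUMBERED)):
        print(label, client_routes(cfg), "10.0.63.2 via tunnel:",
              routed_via_tunnel(cfg, "10.0.63.2"))
    # Source and destination swapped: a common mistake that pushes no route at all.
    print(acl_problems(["permit ip any 10.0.61.0 0.0.0.255"]))
```

Feed it the full running-config rather than the excerpts when checking a real router. Both excerpts yield the same three prefixes, which is what the client's statistics > routes view and the Windows routing table should both agree on; a destination such as 10.0.63.2 that does not fall inside the derived list is exactly the situation in which a manual route on the PC was needed, and an ACE with the source and destination reversed is reported instead of silently producing no route.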