Force tunnel usage

Unanswered Question
Mar 7th, 2007


I would like to know if it's possible to force VPN users (Cisco VPN Client) to establish a tunnel with the VPN gateway (Cisco VPN Concentrator 3000 series). We would like to prevent users from sending data directly to networks not belonging to the company network (e.g. direct Internet access).

Thank you.

kaachary Wed, 03/07/2007 - 02:25


If I understood the problem right, you want the VPN clients to send all their traffic (including Internet traffic) to the concentrator through the tunnel, and traffic for the Internet will be routed through the concentrator.

Please correct me if I am wrong.

In this case, first of all you need to disable Split tunneling for the clients.

Then you have to make sure you do not have a TDG (Tunnel Default Gateway) configured.

Then you will create an interface PAT rule on the concentrator for the VPN client pool, so that traffic from the client can go out to the Internet.

You should be good to go then.

*Please rate if helped.


malte.spille Wed, 03/07/2007 - 06:07


At first, "thanks" for the fast response. You are right, we would like to tunnel all traffic through the concentrator, so basically the client shouldn't be able to send traffic to any network/system but the concentrator.

As far as I understand, "split tunneling" seems to offer the functionality we are looking for. It's currently configured with "Tunnel everything", so I don't understand why we should disable this function?

Is there maybe a documentation for this task available?

malte.spille Thu, 03/08/2007 - 00:19

OK, thank you for the input.

As far as I can see from the link you sent me, we can use the split functionality for our needs.

I would define a wildcard network within the "network list" and assign it to the "client config" settings of the VPN group.

The point I don't understand is where the difference is compared to the setting "Tunnel everything" (which we already use), and which is obviously not working as I would expect it to.

kaachary Thu, 03/08/2007 - 01:25

No, using a wildcard subnet such as "" for split tunnel is equivalent to using "Tunnel everything".

With "Tunnel everything", split tunnel is disabled.

With the wildcard in the split tunnel network list, it is enabled but for "any" network, so that's again the same as "Tunnel everything".

If you still have confusion about how split tunnel works, please feel free to ask.

*Please rate if helped.


malte.spille Thu, 03/08/2007 - 02:07

Yes, that's exactly the way I understand "split tunneling".

But "Tunnel everything" is the function I requested in my previous posts. _Everything_ (including Internet traffic) should be passed through the VPN tunnel. The client should _not_ be able to send traffic anywhere but to the concentrator and through the tunnel.

Although we activated "Tunnel everything", the client is still able to send traffic _without_ using the tunnel.

kaachary Thu, 03/08/2007 - 04:47


It should work; I am not sure why it's not working for you. Please make sure:

1: Tunnel Everything is enabled for the correct group.

2: When the client is connected, right-click on the lock icon in the system tray and click on "Statistics". Under Route Details ---> Secured Routes, what network do you see?

If it's , it means split tunnel is disabled.

Then do a traceroute to any public IP on the Internet, to verify where the traffic is routed.

Also, capture "route print" when the client is connected. Please post the output here.
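Added example (not from the thread and not Cisco's tooling): a Python script that applies the checks in the reply above to a captured `route print`, and also encodes the split-tunnel network-list rule from the earlier reply (a 0.0.0.0/0.0.0.0 entry matches every destination, i.e. "Tunnel everything"). The two route tables, the addresses (192.168.1.0/24 as the laptop's LAN, 10.99.0.5 as the VPN virtual adapter, 203.0.113.10 as the concentrator's public address) and the assumption that a correctly applied "Tunnel everything" shows up as a lower-metric default route through the virtual adapter are all constructed for this example.

```python
"""Check, from a Windows 'route print' capture, whether a VPN client is really
tunneling everything, and model the split-tunnel network-list rule."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: client connected with "Tunnel everything" applied.
# Assumption: the VPN adapter (10.99.0.5) owns a metric-1 default route, and the
# concentrator's public address (203.0.113.10) keeps a host route via the LAN NIC.
ROUTE_PRINT_TUNNEL_ALL = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
          0.0.0.0          0.0.0.0        10.99.0.1       10.99.0.5      1
        10.99.0.0    255.255.255.0         On-link        10.99.0.5    257
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.20     26
      192.168.1.0    255.255.255.0         On-link     192.168.1.20    281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
===========================================================================
"""

# Constructed sample: only 10.0.0.0/8 is a secured route, Internet traffic is split.
ROUTE_PRINT_SPLIT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
         10.0.0.0        255.0.0.0        10.99.0.1       10.99.0.5      1
        10.99.0.0    255.255.255.0         On-link        10.99.0.5    257
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.20     26
      192.168.1.0    255.255.255.0         On-link     192.168.1.20    281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
"""

ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # dotted quad or "On-link"
    interface: str    # address of the adapter the route leaves through
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Pull the IPv4 routes out of 'route print' output; header/separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}", strict=False), gw, iface, int(metric)))
    return routes


def best_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Windows picks the longest matching prefix, then the lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def in_split_tunnel_list(network_list: List[str], dst: str) -> bool:
    """Split-tunnel semantics: only destinations inside a listed network are secured.
    A 0.0.0.0/0.0.0.0 entry contains every address, which is why it equals 'Tunnel everything'."""
    addr = ipaddress.IPv4Address(dst)
    return any(addr in ipaddress.IPv4Network(n, strict=False) for n in network_list)


def leaks(routes: List[Route], tunnel_if: str, concentrator_ip: str, destinations: List[str]) -> List[str]:
    """Destinations whose packets would leave via an interface other than the tunnel adapter.
    The concentrator's own public address is excluded: the encrypted tunnel must reach it over the NIC."""
    out = []
    for dst in destinations:
        if dst == concentrator_ip:
            continue
        r = best_route(routes, dst)
        if r is None or r.interface != tunnel_if:
            out.append(dst)
    return out


if __name__ == "__main__":
    probes = ["8.8.8.8", "10.1.2.3", "192.168.1.50", "203.0.113.10"]
    for label, table in (("tunnel everything", ROUTE_PRINT_TUNNEL_ALL), ("split", ROUTE_PRINT_SPLIT)):
        print(label, "-> leaking:", leaks(parse_route_print(table), "10.99.0.5", "203.0.113.10", probes))
```

In the "tunnel everything" table the only destination that bypasses the adapter is a LAN neighbour (192.168.1.50), which the on-link /24 route beats the default route for; a client that still reaches arbitrary Internet hosts directly looks like the second table, where there is simply no default route through the virtual adapter. Running the script against the real `route print` capture requested above gives the same answer as the traceroute, without having to read the table by hand.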


malte.spille Thu, 03/15/2007 - 01:04


At first, thanks for the feedback. I will provide the requested information as soon as possible.

But I have another question concerning the tunnel.

The users are mobile users, working partly from outside the internal network via the VPN tunnel and partly from inside the network. In case 2 there's no tunnel needed, which is why I would like to know if it's possible to tell whether a client is within the local network or not, and depending on this decide whether a tunnel connection is needed or not.

kaachary Thu, 03/15/2007 - 06:30


For internal users you do not need to create a tunnel.

Internal users would not be able to connect to the same concentrator's public IP address anyway.

*Please rate if helped.
