Split tunnel with a difference

simplecisco
Level 1

I need to configure a VPN3020 to tunnel everything from RA clients except a specific internet subnet.

So I need clients to access all networks except the a.b.c.d/24 network, which I need them to access directly from their internet connection.

I have played with the split tunnel options but cannot get this to work.

The only way I can see is to set a tunnel list and list all possible networks except the a.b.c.d/24 network.

There must be an easier way?

10 Replies

andrew.prince
Level 10

Why?

Are you using internal RFC1918 addresses on your inside network? Or internet routable internet addresses on your internal network?

We are now using a cloud based web filtering solution, so clients at home need access to this directly from the laptop and also need VPN access to internal networks. I could tunnel only internal networks, but that means clients could access everything on the internet. I only want to bypass the tunnel for a single internet routable range.

OK - understood. Have you tried:-

1) Create the network list of the network you do not want to tunnel

2) Under the remote VPN profile goto "Client Config"

3) check "Tunnel Everything" and check "Allow networks IN list to BYPASS the tunnel"

??????

I did that, but when I bring up statistics it says secured routes 0.0.0.0 0.0.0.0.

No networks showing in Local Lan?

I am in the right place then.....

You have to configure the "exception". Can you post a screenshot of your concentrator config?

Which bit? The Client config?

Where do I configure the exception?

I have the networks I do not want to tunnel in the Split Tunneling Network List.

Split Tunneling policy is set to Tunnel Everything, and "allow networks in list to bypass tunnel" is ticked.

However, when connecting the secured routes are 0.0.0.0, not local LAN routes?

OK

From the main login screen

Goto Configuration

Goto User Management

Goto Groups

Highlight the RVPN group, then press Modify Group

Goto Client Config

Scroll down to the bottom of the page

You should see something like the attached.

Thanks for the info. I have already tried to configure that, and it achieves the result partly.

I specify the internal networks which get tunneled, and everything else can go direct out the client's broadband. However, I want to limit what goes out direct to only a specific subnet.

For some reason the split tunnel policy is not working.

So the only way I can see of achieving this is to create an Inside network list which consists of every network from 1-197, then every network from 199-255.

Leaving out the required 197.*.*.* network which I want to route directly

Just need to get clever with the wildcard masks!

I have attached the screenshot again.

What you need to try is:-

1) Create a network list with 197.0.0.0 255.0.0.0

2) Configure on the Client Config

Enable - Tunnel Everything

Enable - Allow the networks in the list to bypass the tunnel

Choose your network list in the "Split tunnel network list" for the 197.0.0.0

Then ALL traffic should be encrypted - except the 197.x.x.x.

That is what I originally tried and it didn't work. So I was racking my brains trying something else.

I will revisit it again.

Thanks for all your advice.
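The thread describes two ways to get the same result on the VPN 3000: a bypass list holding only the excepted range under "Tunnel Everything" plus "Allow the networks in list to bypass the tunnel", or an inclusion list under "Only tunnel networks in the list" that names every network except the excepted one, which the original poster expected to hand-build "from 1-197 then 199-255" with wildcard masks. The following Python script is an added example, not code from the thread, from Cisco, or from the concentrator itself. It generates both lists for an excepted prefix, and checks a hand-built inclusion list for gaps and overlaps. It assumes the VPN 3000 network-list entry syntax of network/wildcard (wildcard = inverse netmask, e.g. 10.0.0.0/0.255.255.255) and uses 197.0.0.0/8 from the thread as the sample range; the /24 case in the first post works the same way and yields 24 entries instead of 8.

```python
import ipaddress


def _entry(net: ipaddress.IPv4Network) -> str:
    # VPN 3000 network-list entries are written as network/wildcard, where the
    # wildcard is the inverse of the netmask (e.g. 10.0.0.0/0.255.255.255).
    return f"{net.network_address}/{net.hostmask}"


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    # Reverse of _entry(): a wildcard of n contiguous low-order one bits is a /(32-n).
    # Done by hand rather than via ipaddress' hostmask parsing so that 0.0.0.0 and
    # 255.255.255.255 are never misread as netmasks.
    addr, wildcard = entry.split("/")
    ones = int(ipaddress.IPv4Address(wildcard))
    if ones & (ones + 1):
        raise ValueError(f"non-contiguous wildcard mask in {entry!r}")
    return ipaddress.ip_network(f"{addr}/{32 - ones.bit_length()}", strict=True)


def bypass_list(exception: str) -> list:
    # Policy "Tunnel Everything" + "Allow the networks in list to bypass the tunnel":
    # the list names only the subnet that must go out the client's own connection.
    # strict=True rejects a host address typed where a network was meant.
    return [_entry(ipaddress.ip_network(exception, strict=True))]


def complement_list(exception: str) -> list:
    # Policy "Only tunnel networks in the list": the list must name everything
    # except the exception. address_exclude() gives the minimal CIDR cover, one
    # block per bit of the excluded prefix (8 entries for a /8, 24 for a /24),
    # which is what the "clever wildcard masks" in the thread come down to.
    exc = ipaddress.ip_network(exception, strict=True)
    blocks = sorted(ipaddress.ip_network("0.0.0.0/0").address_exclude(exc))
    return [_entry(b) for b in blocks]


def is_complement(entries: list, exception: str) -> bool:
    # Check a hand-built inclusion list: no entry may overlap the exception (or
    # it would be tunnelled after all), entries must not overlap each other, and
    # together with the exception they must account for all 2**32 addresses
    # (otherwise some internet range would be neither tunnelled nor reachable).
    exc = ipaddress.ip_network(exception, strict=True)
    nets = [parse_entry(e) for e in entries]
    if any(n.overlaps(exc) for n in nets):
        return False
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    return sum(n.num_addresses for n in nets) + exc.num_addresses == 2 ** 32


if __name__ == "__main__":
    sample = "197.0.0.0/8"  # range from the thread, used here as sample input
    print("Bypass list (Tunnel Everything + bypass):")
    for e in bypass_list(sample):
        print("  ", e)
    print("Inclusion list (Only tunnel networks in the list):")
    for e in complement_list(sample):
        print("  ", e)
    print("Hand-built list 1-197 + 199-255 is a valid complement:",
          is_complement(["0.0.0.0/197.255.255.255", "199.0.0.0/56.255.255.255"], sample))
```

The last line in the usage block illustrates why a list written as "1-197" and "199-255" cannot work as typed: 0.0.0.0/197.255.255.255 is not a contiguous wildcard, so parse_entry() raises rather than silently producing an entry the concentrator would not accept, and a correct inclusion list for a /8 needs eight entries, not two.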
