08-13-2009 03:47 AM
I need to configure a VPN3020 to tunnel everything from RA clients except a specific internet subnet.
So I need clients to access all networks except the a.b.c.d/24 network, which I need them to access directly from their internet connection.
I have played with the split tunnel options but cannot get this to work.
The only way I can see is to set a tunnel list and list all possible networks except the a.b.c.d/24 network.
There must be an easier way?
08-13-2009 04:20 AM
Why?
Are you using internal RFC1918 addresses on your inside network? Or internet routable internet addresses on your internal network?
08-13-2009 04:32 AM
We are now using a cloud-based web filtering solution, so clients at home need access to this directly from the laptop and also need VPN access to internal networks. I could tunnel only internal networks, but that means clients could access everything on the internet. I only want to bypass the tunnel for a single internet-routable range.
08-13-2009 04:37 AM
OK - understood. Have you tried:
1) Create the network list of the network you do not want to tunnel
2) Under the remote VPN profile goto "Client Config"
3) check "Tunnel Everything" and check "Allow networks IN list to BYPASS the tunnel"
??????
08-13-2009 04:57 AM
I did that but when I bring up statistics it says secured routes 0.0.0.0 0.0.0.0
No networks showing in Local Lan?
I am in the right place then.....
08-13-2009 05:33 AM
You have to configure the "exception". Can you post a screenshot of your concentrator config?
08-13-2009 05:38 AM
Which bit? The Client config?
Where do I configure the exception?
I have the networks I do not want to tunnel in the Split Tunneling Network List.
Split Tunneling policy set to Tunnel Everything & allow networks in list to bypass tunnel is ticked.
However, when connecting, secured routes are 0.0.0.0, not local LAN routes?
08-13-2009 06:22 AM
08-13-2009 10:07 AM
Thanks for the info, I have already tried to configure that and it achieves the result partly.
I specify the internal networks which get tunneled and everything else can go direct out the client's broadband; however, I want to limit what goes out direct to only a specific subnet.
For some reason the split tunnel policy is not working.
So the only way I can see of achieving this is to create an Inside network list which consists of every network from 1-197, then every network from 199-255,
leaving out the required 197.*.*.* network which I want to route directly.
Just need to get clever with the wildcard masks!
08-14-2009 12:48 AM
I have attached the screenshot again.
What you need to try is:
1) Create a network list with 197.0.0.0 255.0.0.0
2) Configure on the Client Config:
Enable - Tunnel Everything
Enable - Allow the networks in the list to bypass the tunnel
Choose your network list in the "Split tunnel network list" for the 197.0.0.0
Then ALL traffic should be encrypted - except the 197.x.x.x
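Added example (not from the thread and not Cisco's tooling): a small Python helper covering both approaches discussed above. It renders the single bypass-list entry the answer recommends, shows which destinations a client would send locally versus through the tunnel under "Tunnel Everything" plus a bypass list, and, for the fallback the original poster considered (a "tunnel only these" list covering all of IPv4 except the excluded range), computes that covering list as a minimal set of prefixes instead of enumerating /8s by hand. Assumptions: the 197.0.0.0/8 range is the placeholder used in the thread, not a real deployment value; entries are rendered as network/wildcard-mask because the poster mentions wildcard masks, and if your concentrator's network list expects subnet masks, use `net.netmask` instead of `net.hostmask` in `network_list_entry`.

```python
"""Split-tunnel list helper (added example; not code from the thread or from Cisco)."""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network
ALL_IPV4 = IPv4Net("0.0.0.0/0")


def network_list_entry(net: IPv4Net) -> str:
    """Render a prefix as network/wildcard-mask, e.g. 197.0.0.0/0.255.255.255.

    ASSUMPTION: the network list wants wildcard (inverse) masks. If it wants
    subnet masks, return f"{net.network_address}/{net.netmask}" instead.
    """
    return f"{net.network_address}/{net.hostmask}"


def bypass_list(exclude: Iterable[str]) -> List[str]:
    """'Tunnel Everything' + 'allow networks in list to bypass the tunnel':
    the list is simply the excluded prefixes themselves."""
    return [network_list_entry(IPv4Net(cidr)) for cidr in exclude]


def route_decision(dst: str, exclude: Iterable[str]) -> str:
    """What the client should do with a destination under that policy:
    'local' if it falls inside a bypass prefix, otherwise 'tunnel'."""
    ip = ipaddress.IPv4Address(dst)
    return "local" if any(ip in IPv4Net(c) for c in exclude) else "tunnel"


def complement_list(exclude: Iterable[str]) -> List[IPv4Net]:
    """Fallback 'tunnel only these' list: all of IPv4 minus the excluded
    prefixes, as a minimal set of prefixes (carving each hole out of
    0.0.0.0/0 yields one prefix per bit of the hole's prefix length)."""
    remaining = [ALL_IPV4]
    for cidr in exclude:
        hole = IPv4Net(cidr)
        carved: List[IPv4Net] = []
        for net in remaining:
            if net.subnet_of(hole):        # this prefix is entirely excluded
                continue
            if hole.subnet_of(net):        # carve the hole out of this prefix
                carved.extend(net.address_exclude(hole))
            else:                          # disjoint: keep as is
                carved.append(net)
        remaining = carved
    return sorted(remaining)


def covered(nets: Iterable[IPv4Net], dst: str) -> bool:
    """True if dst falls inside any prefix in nets."""
    ip = ipaddress.IPv4Address(dst)
    return any(ip in n for n in nets)


def check_complement(nets: List[IPv4Net], exclude: Iterable[str]) -> bool:
    """Sanity check before typing a long list into the GUI: the computed list
    and the (non-overlapping) excluded prefixes must tile IPv4 exactly once,
    i.e. no overlaps among them and the address counts sum to 2**32."""
    holes = [IPv4Net(c) for c in exclude]
    tiles = nets + holes
    for i, a in enumerate(tiles):
        if any(a.overlaps(b) for b in tiles[i + 1:]):
            return False
    return sum(t.num_addresses for t in tiles) == ALL_IPV4.num_addresses


if __name__ == "__main__":
    excl = ["197.0.0.0/8"]  # constructed placeholder range, as used in the thread
    print("bypass list entry   :", bypass_list(excl))
    print("197.1.2.3 goes      :", route_decision("197.1.2.3", excl))
    print("10.1.2.3 goes       :", route_decision("10.1.2.3", excl))
    fallback = complement_list(excl)
    print(f"fallback list ({len(fallback)} entries, valid={check_complement(fallback, excl)}):")
    for n in fallback:
        print("   ", network_list_entry(n))
```

With a single /8 excluded, the fallback list needs eight entries (0.0.0.0/1, 128.0.0.0/2, ... down to 196.0.0.0/8), which is what the hand-built "1-196 and 198-255" list collapses to once the wildcard masks are chosen well; each further excluded prefix adds roughly one entry per bit of its prefix length, so the one-entry bypass list from the answer above is far easier to maintain.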
08-14-2009 05:51 AM
That is what I originally tried and it didn't work. So I was racking my brains trying something else.
I will revisit it again.
Thanks for all your advice.