VPN Exclude List not working

mhurley131
Level 4

I am configuring an SSL and IPSec VPN where I would like to tunnel all traffic except for traffic going to 10.0.0.0/16.

For the group policy I set the policy to "Exclude Network List Below", and then specified a network list which has a permit 10.0.0.0/16 statement (I have also tried making this deny).

At that point I connect to the VPN and it shows that it is "Mode: All Traffic".   When I go to the route detail tab it shows a 0.0.0.0/0.0.0.0 for Secured Routes, but nothing under the Non-Secured Routes.

I've tried configuring it again from scratch, and making sure the Connection Profiles are using the correct group policy. I verified this by changing it to split tunnel, and at that point when I connect it sets the correct network under "Secured Routes".

Any suggestions?

2 Replies

mulatif
Cisco Employee

Hi,

For the IPSec VPN Client, the below will work:

group-policy X attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Y

For AnyConnect clients, in addition to the above, you will need to enable "Enable Local LAN Access" in the AnyConnect Profile.

You can also make this parameter User-Configurable in the profile, but in any case the XML profile needs to be configured and pushed to the client.

Thanks,

Naman

If you are using the Cisco AnyConnect client rather than the older VPN Client, you must turn on this checkbox before split-tunneling exclusions will work:

1) Open Cisco ASDM

2) Click Remote Access VPN section

3) In left-hand pane choose Network (Client) Access > AnyConnect Client Profile

4) Edit the profile and place a checkmark in the box next to Local LAN Access

5) Click OK and then disconnect/reconnect to VPN and check the AnyConnect details window for 'Route Details'.  You should see your excluded networks in the 'Non-Secured Routes' section of the AnyConnect client.
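The two answers above name three things that must line up for AnyConnect to show excluded networks: the `excludespecified` policy, an attached network list, and Local LAN Access in the client profile. The following check is an added example, not code from the thread or from Cisco; the names `GP_EXAMPLE` and `EXCLUDE_LIST` and both sample inputs are constructed, and it assumes the ASA configuration and the AnyConnect profile XML have been exported as text.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the thread).
ASA_CONFIG = """\
access-list EXCLUDE_LIST standard permit 10.0.0.0 255.255.0.0
group-policy GP_EXAMPLE internal
group-policy GP_EXAMPLE attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value EXCLUDE_LIST
"""

PROFILE_XML = """\
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
  </ClientInitialization>
</AnyConnectProfile>
"""

def local_lan_access(profile_xml):
    """Return True/False for LocalLanAccess, or None if the element is absent."""
    root = ET.fromstring(profile_xml)
    for el in root.iter():
        # Compare on the local name so the profile's XML namespace is ignored.
        if el.tag.rsplit("}", 1)[-1] == "LocalLanAccess":
            return (el.text or "").strip().lower() == "true"
    return None

def check_exclude_tunnel(asa_config, profile_xml, policy):
    """List reasons the exclude list would not show under Non-Secured Routes."""
    problems = []
    # Collect the indented sub-commands under "group-policy <policy> attributes".
    block = re.search(rf"^group-policy {re.escape(policy)} attributes\n((?:^ .*\n?)*)",
                      asa_config, re.M)
    body = block.group(1) if block else ""
    if "split-tunnel-policy excludespecified" not in body:
        problems.append("group policy is not set to excludespecified")
    acl = re.search(r"split-tunnel-network-list value (\S+)", body)
    if not acl:
        problems.append("no split-tunnel-network-list is attached")
    elif not re.search(rf"^access-list {re.escape(acl.group(1))} ", asa_config, re.M):
        problems.append(f"ACL {acl.group(1)} is not defined")
    if local_lan_access(profile_xml) is not True:
        problems.append("AnyConnect profile does not enable LocalLanAccess")
    return problems

if __name__ == "__main__":
    for p in check_exclude_tunnel(ASA_CONFIG, PROFILE_XML, "GP_EXAMPLE"):
        print("FAIL:", p)
```

With the constructed inputs the only finding is the profile setting, which matches the symptom in the question: the ASA side is correct, yet nothing appears under Non-Secured Routes.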
