Force tunnel usage

malte.spille
Level 1

Hello,

I would like to know if it's possible to force VPN users (Cisco VPN client) to establish a tunnel with the VPN gateway (Cisco VPN Concentrator 3000 series). We would like to prevent users from sending data directly to networks not belonging to the company network (e.g. direct Internet access).

Thank you.

9 Replies

kaachary
Cisco Employee

Hi,

If I understood the problem right, you want the VPN clients to send all their traffic (including Internet traffic) to the concentrator through the tunnel, and traffic for the Internet will be routed through the concentrator.

Please correct me if I am wrong.

In this case, first of all you need to disable split tunneling for the clients.

Then you have to make sure you do not have a TDG (Tunnel Default Gateway) configured.

Then, you will create an Interface PAT rule on the concentrator for the VPN client pool, so that traffic from the client can go out to the Internet.

You should be good to go then.

*Please rate if helped.

-Kanishka

Hi,

At first "thanks" for the fast response. You are right, we would like to tunnel all traffic through the concentrator, so basically the client shouldn't be able to send traffic to any network/system but the concentrator.

As far as I understand, "split tunneling" seems to offer the functionality we are looking for. It's currently configured with "Tunnel everything", so I don't understand why to disable this function?

Is there maybe documentation for this task available?

No, enabling split tunneling means only specific traffic would be tunneled, and the Internet traffic would go out unencrypted.

So, you should go for "Tunnel everything" option.

To read more about it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00806f34fa.shtml

*Please rate if helped.

-Kanishka

OK, thank you for the input.

As far as I can see from the link you sent me, we can use the split functionality for our needs.

I would define a wildcard network within the "network list" 0.0.0.0/255.255.255.255 and assign it to the "client config" settings of the VPN group.

The point I don't understand is where the difference is compared to the setting "Tunnel everything" (which we already use), and which is obviously not working as I would expect it to work.

No, using a wildcard subnet such as "0.0.0.0/255.255.255.255" for split tunnel is equivalent to using "Tunnel everything".

With "tunnel everything", split tunnel is disabled.

With the wildcard in the split tunnel network list, it is enabled but for "any" network, so that's again the same as "Tunnel Everything".

If you still have confusion about how split tunnel works, please feel free to ask.

*Please rate if helped.

-Kanishka

Yes, that's exactly the way I understand "split tunneling".

But "tunnel everything" is the function I requested in my previous posts. _Everything_ (including Internet traffic) should be passed through the VPN tunnel. The client should _not_ be able to send traffic anywhere but to the concentrator and through the tunnel.

Although we activated "tunnel everything", the client is still able to send traffic _without_ using a tunnel.

Hi,

It should work; I am not sure why it's not working for you. Please make sure:

1: Tunnel Everything is enabled for the correct group.

2: When the client is connected, right-click on the lock icon in the system tray and click on "Statistics". Under Route Details ----> Secured Routes, what network do you see?

If it's 0.0.0.0, it means split tunnel is disabled.

Then do a traceroute to any public IP on the Internet, to verify where the traffic is routed.

Also, capture "route print" when the client is connected. Please post the output here.

-Kanishka
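The check above (Secured Routes showing 0.0.0.0, then confirming with "route print") can be done mechanically on the client's routing table. The following is an added example, not code from the thread or from Cisco: it parses constructed Windows `route print` excerpts and reports whether the lowest-metric default route leaves through the VPN-assigned adapter address (assumed here to be 10.10.10.5, with 192.168.1.20 as the physical NIC), which is what "tunnel everything" should produce.

```python
import re

# Constructed Windows "route print" excerpts (not from the thread). 10.10.10.5 is the
# address the concentrator assigned to the VPN adapter, 192.168.1.20 the physical NIC.
TUNNEL_EVERYTHING = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
          0.0.0.0          0.0.0.0       10.10.10.1      10.10.10.5      1
    203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.20     25
     192.168.1.0    255.255.255.0          On-link    192.168.1.20    281
"""
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
         10.0.0.0        255.0.0.0       10.10.10.1      10.10.10.5      1
     192.168.1.0    255.255.255.0          On-link    192.168.1.20    281
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROUTE_LINE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+({IPV4}|On-link)\s+({IPV4})\s+(\d+)\s*$")

def parse_routes(route_print_output):
    """Return the IPv4 rows of a `route print` dump as dicts; header/other lines are skipped."""
    routes = []
    for line in route_print_output.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                           "iface": iface, "metric": int(metric)})
    return routes

def default_route_interface(routes):
    """Interface address of the lowest-metric 0.0.0.0/0.0.0.0 route, or None if there is none."""
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    return min(defaults, key=lambda r: r["metric"])["iface"] if defaults else None

def tunnel_everything_effective(route_print_output, vpn_client_ip):
    """True when the client's active default route leaves via the VPN adapter address,
    i.e. Internet-bound traffic will go through the tunnel rather than the local NIC."""
    return default_route_interface(parse_routes(route_print_output)) == vpn_client_ip

if __name__ == "__main__":
    print(tunnel_everything_effective(TUNNEL_EVERYTHING, "10.10.10.5"))  # True
    print(tunnel_everything_effective(SPLIT_TUNNEL, "10.10.10.5"))       # False
```

In the split-tunnel sample only 10.0.0.0/8 is secured and the default route stays on the physical NIC, which is exactly the symptom described in the thread.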

Hi,

At first, thanks for the feedback. I will provide the requested information as soon as possible.

But I have another question concerning the tunnel.

The users are mobile users, working partly from outside the internal network via the VPN tunnel and partly from inside the network. In case 2 there's no tunnel needed, which is why I would like to know if it's possible to differentiate whether a client is within the local network or not, and depending on this decide if a tunnel connection is needed or not.

Hi,

For internal users you do not need to create a tunnel.

Internal users anyhow would not be able to connect to the same concentrator's public IP address.

*Please rate if helped.

-Kanishka
