Additional routes in split tunneling

Hello,

We are using a c1841 with IOS version c1841-advsecurityk9-mz.124-15.T.bin. As remote software we use VPN Client version 5.0.07.0410.

My configuration is:

crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group integra-group
 key purieggs
 dns 192.168.0.100
 wins 192.168.0.100
 domain f-integra.org
 pool integra-pool
 acl integra-acl
ip access-list extended integra-acl
 permit ip 192.168.0.0 0.0.0.255 10.254.254.0 0.0.0.31
!

We want to use split tunneling so that only traffic to 192.168.0.0/24 is encrypted.

The IPsec session is OK, but when you check the routes installed in the remote client OS, besides 192.168.0.0/24 there are also other routes, such as 10.0.0.0/8, that we are not using. Why? We have problems because traffic to network 10.0.0.0/8 must not be encrypted.

The client uses network 192.168.1.0/24 and the IPsec pool is 10.254.254.0/255.255.255.224.

IPv4 Tabla de enrutamiento
===========================================================================
Rutas activas:
Destino de red        Máscara de red   Puerta de enlace   Interfaz  Métrica
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.200     20
         10.0.0.0        255.0.0.0      En vínculo     10.254.254.21    276
    10.254.254.21  255.255.255.255      En vínculo     10.254.254.21    276
   10.255.255.255  255.255.255.255      En vínculo     10.254.254.21    276
     X.X.X.X 255.255.255.255    192.168.1.254    192.168.1.200    100
        127.0.0.0        255.0.0.0      En vínculo         127.0.0.1    306
        127.0.0.1  255.255.255.255      En vínculo         127.0.0.1    306
  127.255.255.255  255.255.255.255      En vínculo         127.0.0.1    306
      192.168.0.0    255.255.255.0         10.0.0.1    10.254.254.21    100
      192.168.1.0    255.255.255.0      En vínculo     192.168.1.200    276
    192.168.1.200  255.255.255.255      En vínculo     192.168.1.200    276
    192.168.1.254  255.255.255.255      En vínculo     192.168.1.200    100
    192.168.1.255  255.255.255.255      En vínculo     192.168.1.200    276
        224.0.0.0        240.0.0.0      En vínculo         127.0.0.1    306
        224.0.0.0        240.0.0.0      En vínculo     192.168.1.200    276
        224.0.0.0        240.0.0.0      En vínculo     10.254.254.21    276
  255.255.255.255  255.255.255.255      En vínculo         127.0.0.1    306
  255.255.255.255  255.255.255.255      En vínculo     192.168.1.200    276
  255.255.255.255  255.255.255.255      En vínculo     10.254.254.21    276
===========================================================================

Thanks in advance.

Regards.
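As an added example for this thread (not code from the original post or from Cisco), the following Python script does the check the poster is doing by eye: it parses a Windows `route print` table as pasted above, derives the protected networks from the split-tunnel ACL on the router, and lists every route bound to the VPN adapter that the ACL does not account for. The pool 10.254.254.0/27, the ACL and the sample rows are taken from the post; the route table is trimmed to the rows that matter, and on-link rows are recognised by the gateway column not parsing as an address, so the check works regardless of the Windows locale.

```python
"""Cross-check a VPN client's route table against the IOS split-tunnel ACL.

Added example for this thread (not code from the original post or from
Cisco). Sample data below is copied from the post and trimmed.
"""
import ipaddress
import re

# Route table rows copied from the post (Spanish Windows: "En vínculo" = on-link).
# Trimmed to the default route, the LAN route and the VPN-adapter rows.
ROUTE_PRINT = """\
Destino de red        Máscara de red   Puerta de enlace   Interfaz  Métrica
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.200     20
         10.0.0.0        255.0.0.0      En vínculo     10.254.254.21    276
    10.254.254.21  255.255.255.255      En vínculo     10.254.254.21    276
   10.255.255.255  255.255.255.255      En vínculo     10.254.254.21    276
     X.X.X.X 255.255.255.255    192.168.1.254    192.168.1.200    100
      192.168.0.0    255.255.255.0         10.0.0.1    10.254.254.21    100
      192.168.1.0    255.255.255.0      En vínculo     192.168.1.200    276
        224.0.0.0        240.0.0.0      En vínculo     10.254.254.21    276
  255.255.255.255  255.255.255.255      En vínculo     10.254.254.21    276
"""

# Split-tunnel ACL exactly as configured on the router in the post.
SPLIT_ACL = """\
ip access-list extended integra-acl
 permit ip 192.168.0.0 0.0.0.255 10.254.254.0 0.0.0.31
"""

# Address pool handed to VPN clients (from the post).
VPN_POOL = ipaddress.ip_network("10.254.254.0/27")


def parse_route_print(text):
    """Parse "route print" rows into dicts; skips headers, separators and
    rows whose addresses were redacted (the X.X.X.X peer route above)."""
    routes = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())  # columns are 2+ spaces apart
        if len(cols) != 5:
            continue
        dest, mask, gw, iface, metric = cols
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            iface_ip = ipaddress.ip_address(iface)
        except ValueError:
            continue
        try:
            gateway = ipaddress.ip_address(gw)
        except ValueError:
            gateway = None  # "En vínculo" / "On-link": locale-independent detection
        routes.append({"network": network, "gateway": gateway,
                       "interface": iface_ip, "metric": int(metric)})
    return routes


def split_tunnel_networks(acl_text):
    """Networks the split-tunnel ACL pushes to the client.

    In an IOS client-configuration group ACL the *source* of each permit is
    the protected network behind the router; the wildcard is inverted into a
    netmask. Only "permit ip A W B W" lines are handled (no host/any forms)."""
    nets = []
    for line in acl_text.splitlines():
        m = re.match(r"\s*permit ip (\S+) (\S+) \S+ \S+", line)
        if not m:
            continue
        src, wildcard = m.groups()
        mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
        nets.append(ipaddress.ip_network(f"{src}/{mask}", strict=False))
    return nets


def unexpected_vpn_routes(routes, tunnel_nets, pool):
    """Routes bound to a VPN-pool interface that the split-tunnel ACL does not
    cover. The adapter's own /32, multicast and the limited broadcast are
    normal adapter bookkeeping and are ignored."""
    vpn_ifaces = {r["interface"] for r in routes if r["interface"] in pool}
    limited_broadcast = ipaddress.ip_network("255.255.255.255/32")
    flagged = []
    for r in routes:
        net = r["network"]
        if r["interface"] not in vpn_ifaces:
            continue
        if net.is_multicast or net == limited_broadcast:
            continue
        if net.prefixlen == 32 and net.network_address == r["interface"]:
            continue
        if any(net.subnet_of(t) for t in tunnel_nets):
            continue
        flagged.append(str(net))
    return flagged


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT)
    tunnel = split_tunnel_networks(SPLIT_ACL)
    print("split-tunnel networks:", [str(n) for n in tunnel])
    for net in unexpected_vpn_routes(routes, tunnel, VPN_POOL):
        print("route via VPN adapter not covered by split tunnel:", net)
```

On the table from the post the script reports 10.0.0.0/8 and its classful broadcast 10.255.255.255/32 as routes on the VPN adapter that the ACL never asked for, while 192.168.0.0/24 via 10.0.0.1 is accepted because it sits inside the permitted network. Running the same script after a configuration change gives a quick, repeatable way to confirm whether the stray route is gone instead of reading the table by hand.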

4 REPLIES
Hall of Fame Super Silver

Additional routes in split tunneling

That's odd. I wouldn't expect that route based on the access-list in configuration you posted.

Does the VPN client show the route is coming from the VPN also? (Statistics, Route Details)

Additional routes in split tunneling

Hello,

The Route Details in the VPN client show only the routes associated with split tunneling (192.168.0.0/24).

I changed the ACL today; before, it included the network 10.0.0.0/8. The issue is that I have disconnected and reconnected the IPsec session to receive the new configuration. In Route Details (VPN client) everything is OK, but the 10.0.0.0/8 route always appears.

Thanks

Hall of Fame Super Silver

Additional routes in split tunneling

You may be seeing something related to this posting, where your local network (10.0.0.0/8) includes the VPN pool for the IPsec client (10.254.254.0/27). On the ASA you can use "excludespecified" in a group, but I don't think you can on an IOS-based VPN.

I wonder what would happen if you added a 2nd line to your acl with an explicit deny to the 10.0.0.0/8 for 192.168.0.0/24.

Are you able to manually delete the route on the client (route DELETE)?

Additional routes in split tunneling

Hello,

I do not agree that the problem is the same as the one commented on in the posting. Anyway, manually deleting the route lets us keep working.

Thank you so much.

Regards
