vpn - Split Tunnel and Cisco AnyConnect

17
2014-04
  • Nathan

    I am using Cisco AnyConnect Secure Mobility Client 3.1.02026 on Windows 7 64-bit. I have heard there is a checkbox which enables split tunneling. However, this checkbox is removed from the GUI, probably due to the administrator's settings. The administrator doesn't want to make any configuration changes. I would like to force split tunneling. How? It's okay if the solution uses a different VPN client. The solution cannot make any changes on the VPN server. I have tried a virtual machine and it works, but I would like a more convenient solution. I have tried messing around with the route table, but I failed, probably due to not knowing how to do it right.

    Here is my route print before connecting to the VPN.

    ===========================================================================
    Interface List
     14...00 1e 4f d7 64 5b ......Intel(R) 82566DM-2 Gigabit Network Connection
      1...........................Software Loopback Interface 1
     25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     27...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          169.254.0.0      255.255.0.0         On-link       192.168.1.3     11
      169.254.255.255  255.255.255.255         On-link       192.168.1.3    266
          192.168.1.0    255.255.255.0         On-link       192.168.1.3    266
          192.168.1.3  255.255.255.255         On-link       192.168.1.3    266
        192.168.1.255  255.255.255.255         On-link       192.168.1.3    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       192.168.1.3    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       192.168.1.3    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
          169.254.0.0      255.255.0.0      192.168.1.3       1
              0.0.0.0          0.0.0.0     10.154.128.1       1
    ===========================================================================
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     27     58 ::/0                     On-link
      1    306 ::1/128                  On-link
     27     58 2001::/32                On-link
     27    306 2001:0:5ef5:79fd:3431:3b25:b736:1859/128
                                        On-link
     14    266 fe80::/64                On-link
     27    306 fe80::/64                On-link
     27    306 fe80::3431:3b25:b736:1859/128
                                        On-link
     14    266 fe80::3933:bb6f:892:d161/128
                                        On-link
      1    306 ff00::/8                 On-link
     27    306 ff00::/8                 On-link
     14    266 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    

    Here is my route print after connecting to the VPN.

    ===========================================================================
    Interface List
     19...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
     14...00 1e 4f d7 64 5b ......Intel(R) 82566DM-2 Gigabit Network Connection
      1...........................Software Loopback Interface 1
     25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     27...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    167...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
              0.0.0.0          0.0.0.0     10.154.128.1     10.154.159.8      2
         10.154.128.0    255.255.224.0         On-link      10.154.159.8    257
         10.154.159.8  255.255.255.255         On-link      10.154.159.8    257
       10.154.159.255  255.255.255.255         On-link      10.154.159.8    257
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
         137.254.4.91  255.255.255.255      192.168.1.1      192.168.1.3     11
          169.254.0.0      255.255.0.0         On-link      10.154.159.8    306
          169.254.0.0      255.255.0.0         On-link       192.168.1.3    306
      169.254.255.255  255.255.255.255         On-link      10.154.159.8    257
      169.254.255.255  255.255.255.255         On-link       192.168.1.3    266
          192.168.1.1  255.255.255.255         On-link       192.168.1.3     11
          192.168.1.3  255.255.255.255         On-link       192.168.1.3    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       192.168.1.3    266
            224.0.0.0        240.0.0.0         On-link      10.154.159.8    257
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       192.168.1.3    266
      255.255.255.255  255.255.255.255         On-link      10.154.159.8    257
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
          169.254.0.0      255.255.0.0      192.168.1.3       1
              0.0.0.0          0.0.0.0     10.154.128.1       1
    ===========================================================================
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     19     11 ::/0                     On-link
      1    306 ::1/128                  On-link
     19    266 fe80::/64                On-link
     19    266 fe80::2a78:5341:7450:2bc1/128
                                        On-link
     14    266 fe80::3933:bb6f:892:d161/128
                                        On-link
     19    266 fe80::c12f:601f:cdf:4304/128
                                        On-link
     19    266 fe80::c5c3:8e03:b9dd:7df5/128
                                        On-link
      1    306 ff00::/8                 On-link
     14    266 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    
  • Answers
  • ubiquibacon

    First understand that the reason your network admins have disallowed split tunneling is because it potentially allows any malicious person/code to circumvent the security measures that have been implemented by accessing the network via your computer. Believe me, I know not having a split tunnel is annoying, but ask yourself: is it worth the risk?

    Now that the warnings are out of the way, I can tell you Cisco AnyConnect prevents a split tunnel by temporarily rewriting the routing table of the host computer. Use route print before you start AnyConnect and use it again after to see the differences. You can write a script to adjust the routing table and run it after you start AnyConnect. An easier solution that probably doesn't violate your network's usage policy is simply using a VM with AnyConnect. Your host's NIC doesn't get locked down and you don't break any rules... best of both worlds.
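    The before/after comparison suggested above can be automated. The script below is an added example, not code from this thread: it parses the IPv4 "Active Routes" block of two `route print` captures and reports which routes the VPN client added or removed and which default route now wins. The sample rows are abridged from the route prints posted in the question; the function names are my own.

```python
# Added example (not from the thread): parse the IPv4 "Active Routes" block of two
# Windows `route print` outputs and report what the VPN client changed.
import re

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$")

def parse_ipv4_routes(text):
    """Return {(destination, netmask, gateway, interface): metric} for IPv4 Active Routes only."""
    routes, active = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("IPv4 Route Table"):
            active = True
        elif s.startswith("Persistent Routes") or s.startswith("IPv6 Route Table"):
            active = False  # those sections use a different column layout
        elif active and (m := ROW.match(line)):
            dst, mask, gw, iface, metric = m.groups()
            routes[(dst, mask, gw, iface)] = int(metric)
    return routes

def diff_routes(before, after):
    """Routes added and removed by the client; a changed metric appears as one of each."""
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    return added, removed

def effective_default(routes):
    """Windows forwards unknown destinations via the 0.0.0.0/0 entry with the lowest metric."""
    candidates = [(m, k[2], k[3]) for k, m in routes.items() if k[0] == k[1] == "0.0.0.0"]
    metric, gw, iface = min(candidates)
    return gw, iface, metric

# Sample input: abridged rows copied from the two route prints posted in the question.
BEFORE = """IPv4 Route Table
Active Routes:
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
      192.168.1.0    255.255.255.0         On-link       192.168.1.3    266
Persistent Routes:
"""
AFTER = """IPv4 Route Table
Active Routes:
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
          0.0.0.0          0.0.0.0     10.154.128.1     10.154.159.8      2
     10.154.128.0    255.255.224.0         On-link      10.154.159.8    257
     137.254.4.91  255.255.255.255      192.168.1.1      192.168.1.3     11
      192.168.1.1  255.255.255.255         On-link       192.168.1.3     11
Persistent Routes:
"""
```

    Running diff_routes on the two samples shows the mechanism: a second default route via the tunnel at metric 2 outranks the LAN default at metric 10, the 192.168.1.0/24 LAN route is removed and only a /32 to the LAN gateway is kept, and the VPN concentrator address 137.254.4.91 is pinned to the physical gateway so the tunnel itself is not routed into the tunnel.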

  • Nathan

    I haven't figured out how to split tunnel with Cisco AnyConnect. Here's my workaround.

    I tried using VPNC Front End, but a generic error message prevented me from fixing the connection settings. I needed to add "Application version Cisco Systems VPN Client 4.8.01 (0640):Linux" into default.conf. Also, once the connection was established, I couldn't access anything in the remote LAN. I needed to create a batch file which added routes for the remote LAN IP addresses (e.g. route add 10.0.0.0 mask 255.0.0.0 10.85.37.1 metric 9 IF 180). The same batch file also had to configure the system to use the remote LAN's DNS servers before my ISP's DNS servers (e.g. netsh interface ipv4 add dns "Local Connection 2" 42.23.24.46 index=1).

    To get a more detailed error message, I followed the instructions on BMC. I had to install additional packages: Net openssl, Devel Libs openssl-devel and Interpreters perl.


  • Related Question

    vpn - Connect through remote computer connection
  • Didac

    First, sorry for my English and my poor knowledge of this subject.

    I have a dedicated server located in Germany (Windows 2008 R2) and I live in Spain. I would like to access the internet from my home computer (Windows 7 Pro x64) through my server in Germany, so I can use a German IP, which I sometimes need.

    I have complete access to both computers, but I just don't know where to start. (My knowledge is limited to software development :/ )

    I'd like to know where to start, whether I need to create a VPN, and so on.

    Thanks in advance!

    Update 1

    I tried a lot of OpenVPN options, but sadly I know nothing about networking, so I have to accept that I do not know what I'm doing :(

    Here are my config files (note most of the options are from the sample config files).

    server.conf

    #server config file start
    
    
    port 1194
    proto udp
    dev tun
    server 10.0.0.0 255.255.255.224   #you may choose any subnet. 10.0.0.x is used for this example.
    
    ca "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\ca.crt" 
    cert "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\server.crt" 
    key "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\server.key" 
    dh "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\dh1024.pem" 
    
    push "redirect-gateway def1"
    
    push "dhcp-option DNS 8.8.8.8"
    
    #the following commands are optional
    keepalive 10 120         
    comp-lzo                   
    persist-key               
    persist-tun               
    verb 5                   
    
    
    #config file ends
    

    client.conf

    #client  config file start
    
    client
    dev tun
    proto udp
    remote 176.9.99.180 1194   
    
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    
    ca "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\ca.crt"
    cert "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\client1.crt"
    key "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\client1.key"
    ns-cert-type server
    
    comp-lzo
    verb 5
    explicit-exit-notify 2
    ping 10
    ping-restart 60
    
    route-method exe
    route-delay 2
    
    # end of client config file
    

    And here's the server's network settings:

    IP address: 176.9.99.180
    Subnet mask: 255.255.255.224
    Default gateway: 176.9.99.161
    Preferred DNS server: 127.0.0.1

    Update 2

    Here's the routing table:

    ===========================================================================
    Interface List
     14...00 ff e4 70 31 16 ......TAP-Win32 Adapter V9
     11...54 04 a6 7e ee ae ......Realtek PCIe GBE Family Controller
      1...........................Software Loopback Interface 1
     10...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
     12...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     176.9.99.161     176.9.99.180     11
             10.0.0.0  255.255.255.224         10.0.0.2         10.0.0.1     30
             10.0.0.0  255.255.255.252         On-link          10.0.0.1    286
             10.0.0.1  255.255.255.255         On-link          10.0.0.1    286
             10.0.0.3  255.255.255.255         On-link          10.0.0.1    286
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
         176.9.99.160  255.255.255.224         On-link      176.9.99.180    266
         176.9.99.180  255.255.255.255         On-link      176.9.99.180    266
         176.9.99.191  255.255.255.255         On-link      176.9.99.180    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link          10.0.0.1    286
            224.0.0.0        240.0.0.0         On-link      176.9.99.180    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link          10.0.0.1    286
      255.255.255.255  255.255.255.255         On-link      176.9.99.180    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0     176.9.99.161       1
    ===========================================================================
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     10     58 ::/0                     On-link
      1    306 ::1/128                  On-link
     10     58 2001::/32                On-link
     10    306 2001:0:5ef5:73b8:ce2:1218:4ff6:9c4b/128
                                        On-link
     14    286 fe80::/64                On-link
     11    266 fe80::/64                On-link
     10    306 fe80::/64                On-link
     10    306 fe80::ce2:1218:4ff6:9c4b/128
                                        On-link
     14    286 fe80::7c23:a:ec4e:2cfc/128
                                        On-link
     11    266 fe80::bd18:6249:9f7d:89a2/128
                                        On-link
      1    306 ff00::/8                 On-link
     10    306 ff00::/8                 On-link
     14    286 ff00::/8                 On-link
     11    266 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    

  • Related Answers
  • laurent

    If you only need to use a German IP, you can install/configure a proxy on the server and access the internet using this proxy on your home computer.

    A VPN would do the job too, but I think it's too much if you only need to access the internet with a German IP.