vpn - Split Tunnel and Cisco AnyConnect

27
2013-10
  • Nathan

    I am using Cisco AnyConnect Secure Mobility Client 3.1.02026 on Windows 7 64-bit. I have heard there is a checkbox which enables split tunneling. However, this checkbox is removed from the GUI, probably due to the administrator's settings. The administrator doesn't want to make any configuration changes. I would like to force split tunneling. How? It's okay if the solution uses a different VPN client. The solution cannot make any changes on the VPN server. I have tried a virtual machine and it works, but I would like a more convenient solution. I have tried messing around with the route table, but I failed, probably due to not knowing how to do it right.

    Here is my route print before connecting to the VPN.

    ===========================================================================
    Interface List
     14...00 1e 4f d7 64 5b ......Intel(R) 82566DM-2 Gigabit Network Connection
      1...........................Software Loopback Interface 1
     25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     27...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          169.254.0.0      255.255.0.0         On-link       192.168.1.3     11
      169.254.255.255  255.255.255.255         On-link       192.168.1.3    266
          192.168.1.0    255.255.255.0         On-link       192.168.1.3    266
          192.168.1.3  255.255.255.255         On-link       192.168.1.3    266
        192.168.1.255  255.255.255.255         On-link       192.168.1.3    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       192.168.1.3    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       192.168.1.3    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
          169.254.0.0      255.255.0.0      192.168.1.3       1
              0.0.0.0          0.0.0.0     10.154.128.1       1
    ===========================================================================
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     27     58 ::/0                     On-link
      1    306 ::1/128                  On-link
     27     58 2001::/32                On-link
     27    306 2001:0:5ef5:79fd:3431:3b25:b736:1859/128
                                        On-link
     14    266 fe80::/64                On-link
     27    306 fe80::/64                On-link
     27    306 fe80::3431:3b25:b736:1859/128
                                        On-link
     14    266 fe80::3933:bb6f:892:d161/128
                                        On-link
      1    306 ff00::/8                 On-link
     27    306 ff00::/8                 On-link
     14    266 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    

    Here is my route print after connecting to the VPN.

    ===========================================================================
    Interface List
     19...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
     14...00 1e 4f d7 64 5b ......Intel(R) 82566DM-2 Gigabit Network Connection
      1...........................Software Loopback Interface 1
     25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     27...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    167...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
              0.0.0.0          0.0.0.0     10.154.128.1     10.154.159.8      2
         10.154.128.0    255.255.224.0         On-link      10.154.159.8    257
         10.154.159.8  255.255.255.255         On-link      10.154.159.8    257
       10.154.159.255  255.255.255.255         On-link      10.154.159.8    257
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
         137.254.4.91  255.255.255.255      192.168.1.1      192.168.1.3     11
          169.254.0.0      255.255.0.0         On-link      10.154.159.8    306
          169.254.0.0      255.255.0.0         On-link       192.168.1.3    306
      169.254.255.255  255.255.255.255         On-link      10.154.159.8    257
      169.254.255.255  255.255.255.255         On-link       192.168.1.3    266
          192.168.1.1  255.255.255.255         On-link       192.168.1.3     11
          192.168.1.3  255.255.255.255         On-link       192.168.1.3    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       192.168.1.3    266
            224.0.0.0        240.0.0.0         On-link      10.154.159.8    257
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       192.168.1.3    266
      255.255.255.255  255.255.255.255         On-link      10.154.159.8    257
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
          169.254.0.0      255.255.0.0      192.168.1.3       1
              0.0.0.0          0.0.0.0     10.154.128.1       1
    ===========================================================================
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     19     11 ::/0                     On-link
      1    306 ::1/128                  On-link
     19    266 fe80::/64                On-link
     19    266 fe80::2a78:5341:7450:2bc1/128
                                        On-link
     14    266 fe80::3933:bb6f:892:d161/128
                                        On-link
     19    266 fe80::c12f:601f:cdf:4304/128
                                        On-link
     19    266 fe80::c5c3:8e03:b9dd:7df5/128
                                        On-link
      1    306 ff00::/8                 On-link
     14    266 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    
  • Answers
  • ubiquibacon

    First understand that the reason your network admins have disallowed split tunneling is because it potentially allows any malicious person/code to circumvent the security measures that have been implemented by accessing the network via your computer. Believe me, I know not having a split tunnel is annoying, but ask yourself: is it worth the risk?

    Now that the warnings are out of the way, I can tell you Cisco AnyConnect prevents a split tunnel by temporarily rewriting the routing table of the host computer. Use route print before you start AnyConnect and use it again after to see the differences. You can write a script to adjust the routing table and run it after you start AnyConnect. An easier solution that probably doesn't violate your network's usage policy is simply using a VM with AnyConnect. Your host's NIC doesn't get locked down and you don't break any rules... best of both worlds.
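    Reading the before/after route tables mechanically, as an added example that is not part of the answer above: a small Python parser for the IPv4 Active Routes section of route print that lists the routes the client installed and classifies whether a full tunnel is in force (the VPN adapter holds the lowest-metric default route, as in the question's second table, where the 10.154.159.8 default at metric 2 beats the LAN default at metric 10) or only a split tunnel. The excerpts are constructed from the question's own output; the adapter address and the full/split rule are assumptions made for this check.

```python
import re
from typing import Dict, Tuple
# Constructed excerpts of the IPv4 "Active Routes" table printed by `route print`;
# the addresses are the ones quoted in the question (header line kept on purpose).
BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
      192.168.1.0    255.255.255.0         On-link       192.168.1.3    266
"""
AFTER = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
          0.0.0.0          0.0.0.0     10.154.128.1     10.154.159.8      2
     10.154.128.0    255.255.224.0         On-link      10.154.159.8    257
     137.254.4.91  255.255.255.255      192.168.1.1      192.168.1.3     11
"""
VPN_IFACE = "10.154.159.8"  # assumed: address of the AnyConnect virtual adapter
# destination, netmask, gateway (or "On-link"), interface address, numeric metric
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
Routes = Dict[Tuple[str, str, str], Tuple[str, int]]

def parse_routes(text: str) -> Routes:
    """Map (destination, netmask, gateway) -> (interface, metric); skips headers/rules."""
    routes: Routes = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes[(dest, mask, gw)] = (iface, int(metric))
    return routes

def added_routes(before: Routes, after: Routes) -> Routes:
    """Routes the VPN client installed: present after connecting, absent before."""
    return {k: v for k, v in after.items() if k not in before}

def tunnel_mode(routes: Routes, vpn_iface: str) -> str:
    """'full' if the lowest-metric default route leaves via the VPN adapter,
    'split' if the adapter only carries specific prefixes, 'none' if it has no routes."""
    if not any(iface == vpn_iface for iface, _ in routes.values()):
        return "none"
    defaults = [(metric, iface) for (dest, mask, _), (iface, metric) in routes.items()
                if dest == mask == "0.0.0.0"]
    return "full" if defaults and min(defaults)[1] == vpn_iface else "split"

if __name__ == "__main__":
    before, after = parse_routes(BEFORE), parse_routes(AFTER)
    for (dest, mask, gw), (iface, metric) in sorted(added_routes(before, after).items()):
        print(f"added  {dest}/{mask} via {gw} on {iface} metric {metric}")
    print("tunnel mode:", tunnel_mode(after, VPN_IFACE))  # full
```

    The host route for 137.254.4.91 via the LAN gateway is the one destination the client deliberately keeps outside the tunnel (the VPN headend itself); anything else showing up via a non-VPN interface while the mode is "full" is what an administrator checking the policy would want to see flagged.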


  • Related Question

    Configuring Windows VPN Connection from Cisco AnyConnect
  • Oliver Hanappi

    I don't know if it is possible, but I would like to configure a Windows 7 VPN connection in a way that I can connect to a network which I normally reach by using the Cisco AnyConnect VPN Client. Does Cisco use a protocol that Windows 7 also understands, and where can I find the configuration details of the VPN connection?

    If you wonder why I'm trying to do this: I need to connect via VPN to several different networks from different companies/organizations/universities and each one uses its own VPN client. I don't want my computer to have 5 VPN clients installed, therefore I'm trying to replace them with simple Windows VPN connections.


  • Related Answers
  • Joey

    That greatly depends on the configuration of the server. Cisco Concentrators can speak PPTP, which works on nearly every version of Windows, but it's costly in terms of performance. The number of possible connections drops to about a tenth for the server, so this is rarely activated.

    Furthermore, there seems to be an option to enable L2TP. The documentation states that, but at least for our university here no one has figured out how to enable it and set it up.

    You would have to ask the person maintaining the server whether one of the above options applies.

    For the "usual" Cisco IPSec over UDP there is no native option in Windows, unfortunately.