[olug] OT: windows 2000, ethernet aliases, webvpn

Shawn Mattingly smattin at mimezine.org
Mon Jul 28 21:37:44 UTC 2008


You just have to set the other 192.* networks up as allowed internal
networks in the WebVPN server (in a PIX/ASA solution this would be done
with an access list and then the access list would be assigned to the
VPN profile) and then they will show up on your list of routes in the
client when you attach.  When you split-tunnel you have to explicitly
identify all traffic that will be going down the tunnel or
it...um...won't.  If you don't split-tunnel, *all* traffic from your
host is sent down the VPN tunnel which means you lose all connectivity
to your local devices when the tunnel is active (this is a bummer when
you connect from a home workstation to your place of employment, it's
not so bad if you have a dedicated work laptop).

Also, if one of these 192.* networks that gets pushed from the WebVPN
server happens to conflict with your home network environment, you will
probably be annoyed that you can't connect to your home servers when
your VPN client is connected.

This should be a simple configuration issue and should not require
cutlery of any sort (unless, perhaps, you have a strained relationship
with your VPN administrator).

Will Langford wrote:
>> Unless the group/profile for the third party vpn connection allows split
>> tunneling, you are SOL. Since it is a Cisco Solution, I can 100%
>> guarantee that it does in fact support split tunnels, however, your
>> group/profile is probably not set up as so. This may be due to either
>> policy or sheer misconfiguration. You can check this real quick by doing
>> a traceroute to a public site, such as google.com - If it in fact goes
>> via the vpn tunnel you know that split tunneling is more than likely
>> enabled :)
>>
> 
>> That is where you need to start, you need to verify split tunneling is
>> enabled. Once that step is complete, you need to ensure overlap on your
>> 192.168's is avoided - using the Cisco client you can also review the
>> routes(SA's) that the concentrator forces you into, it should be a tab
>> called "routes"
>>
> 
> 
> tracert to google doesn't go through the vpn.  routes tab on the
> cisco-vpn-client-program only discusses 10.*.  program does mention that
> 'split tunneling' is enabled though.
> 
> And with the route:
> 
> 192.168.2.0  255.255.255.252      192.168.2.1   192.168.254.1       1
> 
> and no other route relating to it etc ... just... why it doesn't attempt to
> go out the cable... its... just.... gay.
> 
> I'm going to go stab cisco.  Every employee, every piece of hardware.
> Everywhere.  Then I'm going to get a time machine, go back into the past by
> 5 seconds, and stab it again.  Then go back another 5 seconds.... etc etc
> etc.
> 
> i have this stupidly distinct impression i'm going to have to change where the
> webvpn is (ie: another box and not on the server with two nics) and setup
> some routes for it...  or i'm going to have to change how the client
> connects to the server (ie: not on the isolated network).
> 
> cause... this is stupid.
> 
> Looking more, other test things on the isolated network are also hosed.  a
> test client located across the internet via just some port forwarding...
> connects fine.
> 
> must stabby death cisco!
> 
> -Will
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> http://lists.olug.org/mailman/listinfo/olug
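The split-tunnel behaviour Shawn describes above (only destinations inside a pushed network go down the tunnel, everything else stays local, and a pushed network that overlaps your home LAN hides your home hosts), as an added Python model that is not part of the thread; the pushed networks and local subnets are constructed example values.

```python
import ipaddress

# Constructed example values (not from the thread): the networks the WebVPN
# server pushes as "go down the tunnel" routes, and the client's own LAN subnets.
PUSHED_TUNNEL_NETWORKS = ["10.0.0.0/8"]
LOCAL_SUBNETS = ["192.168.2.0/30", "192.168.254.0/24"]


def tunnel_route_for(dest, pushed_networks, split_tunnel=True):
    """Return the pushed route (as a string) that sends dest down the tunnel,
    or None when the packet stays on the local path.

    Split tunnelling: only destinations inside a pushed network use the
    tunnel; everything else is routed normally.  No split tunnelling: the
    client installs a default route, so every destination goes down the tunnel."""
    addr = ipaddress.ip_address(dest)
    if not split_tunnel:
        return "0.0.0.0/0"
    matches = [n for n in map(ipaddress.ip_network, pushed_networks) if addr in n]
    if not matches:
        return None
    # Longest prefix wins, as in a real routing table.
    return str(max(matches, key=lambda n: n.prefixlen))


def overlapping_networks(pushed_networks, local_subnets):
    """Pairs (pushed, local) where a pushed route overlaps a LAN subnet.
    While the tunnel is up, hosts in the overlap are reached via the VPN
    instead of the local wire, which is why home servers "disappear"."""
    pushed = [ipaddress.ip_network(n) for n in pushed_networks]
    local = [ipaddress.ip_network(n) for n in local_subnets]
    return [(str(p), str(l)) for p in pushed for l in local if p.overlaps(l)]


if __name__ == "__main__":
    for dest in ("10.20.30.40", "192.168.2.2", "8.8.8.8"):
        print(dest, "->", tunnel_route_for(dest, PUSHED_TUNNEL_NETWORKS) or "local/default")
    # Adding the remote 192.168.2.0/24 to the pushed list makes it reachable...
    pushed = PUSHED_TUNNEL_NETWORKS + ["192.168.2.0/24"]
    print("192.168.2.2 ->", tunnel_route_for("192.168.2.2", pushed))
    # ...but it now collides with the local 192.168.2.0/30, the overlap Shawn warns about.
    print("overlaps:", overlapping_networks(pushed, LOCAL_SUBNETS))
```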
