Split tunnel and Cisco AnyConnect

Nathan

I am using Cisco AnyConnect Secure Mobility Client 3.1.02026 on 64-bit Windows 7. I have heard there is a checkbox that allows split tunneling. However, that checkbox has been removed from the GUI, probably by the administrator's settings. The administrator does not want to make any configuration changes. I would like to force split tunneling. How? It is fine if the solution uses a different VPN client. The solution cannot make any changes on the VPN server. I tried a virtual machine, and it works, but I would like a more convenient solution. I tried fiddling with the routing table, but I failed, probably for lack of knowledge of how to do it properly.

Here is my route print before connecting to the VPN.

===========================================================================
Interface List
 14...00 1e 4f d7 64 5b ......Intel(R) 82566DM-2 Gigabit Network Connection
  1...........................Software Loopback Interface 1
 25...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter
 27...00 00 00 00 00 00 00 e0  Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link       192.168.1.3     11
  169.254.255.255  255.255.255.255         On-link       192.168.1.3    266
      192.168.1.0    255.255.255.0         On-link       192.168.1.3    266
      192.168.1.3  255.255.255.255         On-link       192.168.1.3    266
    192.168.1.255  255.255.255.255         On-link       192.168.1.3    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.3    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.3    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      169.254.0.0      255.255.0.0      192.168.1.3       1
          0.0.0.0          0.0.0.0     10.154.128.1       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 27     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 27     58 2001::/32                On-link
 27    306 2001:0:5ef5:79fd:3431:3b25:b736:1859/128
                                    On-link
 14    266 fe80::/64                On-link
 27    306 fe80::/64                On-link
 27    306 fe80::3431:3b25:b736:1859/128
                                    On-link
 14    266 fe80::3933:bb6f:892:d161/128
                                    On-link
  1    306 ff00::/8                 On-link
 27    306 ff00::/8                 On-link
 14    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Here is my route print after connecting to the VPN.

===========================================================================
Interface List
 19...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
 14...00 1e 4f d7 64 5b ......Intel(R) 82566DM-2 Gigabit Network Connection
  1...........................Software Loopback Interface 1
 25...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter
 27...00 00 00 00 00 00 00 e0  Teredo Tunneling Pseudo-Interface
167...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
          0.0.0.0          0.0.0.0     10.154.128.1     10.154.159.8      2
     10.154.128.0    255.255.224.0         On-link      10.154.159.8    257
     10.154.159.8  255.255.255.255         On-link      10.154.159.8    257
   10.154.159.255  255.255.255.255         On-link      10.154.159.8    257
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     137.254.4.91  255.255.255.255      192.168.1.1      192.168.1.3     11
      169.254.0.0      255.255.0.0         On-link      10.154.159.8    306
      169.254.0.0      255.255.0.0         On-link       192.168.1.3    306
  169.254.255.255  255.255.255.255         On-link      10.154.159.8    257
  169.254.255.255  255.255.255.255         On-link       192.168.1.3    266
      192.168.1.1  255.255.255.255         On-link       192.168.1.3     11
      192.168.1.3  255.255.255.255         On-link       192.168.1.3    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.3    266
        224.0.0.0        240.0.0.0         On-link      10.154.159.8    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.3    266
  255.255.255.255  255.255.255.255         On-link      10.154.159.8    257
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      169.254.0.0      255.255.0.0      192.168.1.3       1
          0.0.0.0          0.0.0.0     10.154.128.1       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 19     11 ::/0                     On-link
  1    306 ::1/128                  On-link
 19    266 fe80::/64                On-link
 19    266 fe80::2a78:5341:7450:2bc1/128
                                    On-link
 14    266 fe80::3933:bb6f:892:d161/128
                                    On-link
 19    266 fe80::c12f:601f:cdf:4304/128
                                    On-link
 19    266 fe80::c5c3:8e03:b9dd:7df5/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
12
Related: http://superuser.com/questions/284709/how-to-allow-local-lan-access-while-connected-to-cisco-vpn Vadzim 8 years ago 0

3 answers to the question

4
ubiquibacon

First understand that the reason your network admins have disallowed split tunneling is because it potentially allows any malicious person/code to circumvent the security measures that have been implemented by accessing the network via your computer. Believe me, I know not having a split tunnel is annoying, but ask yourself: is it worth the risk?

Now that the warnings are out of the way, I can tell you Cisco AnyConnect prevents a split tunnel by temporarily re-writing the routing table of the host computer. Use route print before you start AnyConnect and use it again after to see the differences. You can write a script to adjust the routing table and run it after you start AnyConnect. An easier solution that probably doesn't violate your network's usage policy is simply using a VM with AnyConnect. Your host's NIC doesn't get locked down and you don't break any rules... best of both worlds.

Cisco AnyConnect prevents adjusting routes on Windows. Nathan 11 years ago 4
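The before/after comparison ubiquibacon suggests, as an added example that is not part of this thread and not Cisco's code: a Python script that parses the IPv4 "Active Routes" section of two route print captures, lists which routes the VPN client added and removed, and reports whether the client has taken over the default route and dropped the local subnet route. The two embedded captures are constructed from the rows shown in the question (trimmed to the rows that matter); the function names and verdict strings are the example's own. An administrator can run the same comparison on a managed client to confirm that the tunnel-all policy is actually being enforced.

```python
"""Compare two Windows `route print` captures (before and after a VPN client
connects) and report how the client rewrote the IPv4 routing table.

Added example, not code from the original thread. BEFORE and AFTER are
constructed from the IPv4 "Active Routes" rows shown in the question,
trimmed to the rows that matter; real `route print` output parses the same
way because only the five-column route lines are read."""
import re

BEFORE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.3    266
      192.168.1.3  255.255.255.255         On-link       192.168.1.3    266
    192.168.1.255  255.255.255.255         On-link       192.168.1.3    266
===========================================================================
Persistent Routes:
"""

AFTER = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
          0.0.0.0          0.0.0.0     10.154.128.1     10.154.159.8      2
     10.154.128.0    255.255.224.0         On-link      10.154.159.8    257
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
     137.254.4.91  255.255.255.255      192.168.1.1      192.168.1.3     11
      192.168.1.1  255.255.255.255         On-link       192.168.1.3     11
      192.168.1.3  255.255.255.255         On-link       192.168.1.3    266
===========================================================================
Persistent Routes:
"""

# One IPv4 active-route row: destination, netmask, gateway, interface, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(On-link|\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Verdict strings (this example's own naming)
SPLIT = "split"
FULL_LAN_OPEN = "full-tunnel, local LAN reachable"
FULL_LAN_BLOCKED = "full-tunnel, local LAN blocked"
UNKNOWN = "unknown"


def parse_routes(text):
    """Map (destination, netmask, gateway, interface) -> metric for the IPv4
    Active Routes section; persistent routes and the IPv6 table are skipped."""
    routes, in_active = {}, False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_active = True
            continue
        if line.startswith(("Persistent Routes:", "IPv6 Route Table")):
            in_active = False
            continue
        m = ROUTE_RE.match(line)
        if in_active and m:
            dst, mask, gw, iface, metric = m.groups()
            routes[(dst, mask, gw, iface)] = int(metric)
    return routes


def diff_routes(before, after):
    """Routes the VPN client added and removed, as two sorted lists of keys."""
    b, a = parse_routes(before), parse_routes(after)
    return sorted(k for k in a if k not in b), sorted(k for k in b if k not in a)


def best_default(routes):
    """The 0.0.0.0/0 route Windows will actually use (lowest metric wins),
    as (gateway, interface, metric), or None if there is no default route."""
    defaults = [(m, k[2], k[3]) for k, m in routes.items()
                if k[0] == "0.0.0.0" and k[1] == "0.0.0.0"]
    if not defaults:
        return None
    metric, gw, iface = min(defaults)
    return gw, iface, metric


def lan_subnets(routes, iface):
    """On-link network routes for iface, ignoring /32 host routes and the
    loopback, link-local, multicast and broadcast specials."""
    return {k for k in routes
            if k[2] == "On-link" and k[3] == iface
            and k[1] != "255.255.255.255"
            and not k[0].startswith(("127.", "169.254.", "224.", "255."))}


def classify(before, after):
    """Split tunnel if the LAN default route still wins; otherwise a full
    tunnel, with or without the local subnet route surviving."""
    b, a = parse_routes(before), parse_routes(after)
    db, da = best_default(b), best_default(a)
    if db is None or da is None:
        return UNKNOWN
    if da[1] == db[1]:
        return SPLIT
    lan_iface = db[1]
    if lan_subnets(b, lan_iface) & lan_subnets(a, lan_iface):
        return FULL_LAN_OPEN
    return FULL_LAN_BLOCKED


if __name__ == "__main__":
    added, removed = diff_routes(BEFORE, AFTER)
    print("added by VPN client:")
    for k in added:
        print("  ", *k)
    print("removed by VPN client:")
    for k in removed:
        print("  ", *k)
    print("default route now:", best_default(parse_routes(AFTER)))
    print("verdict:", classify(BEFORE, AFTER))
```

On the question's captures the script reports three things: a second default route via 10.154.128.1 on the AnyConnect adapter with metric 2, which beats the LAN default at metric 10; a /32 route to 137.254.4.91 via the LAN gateway, so the VPN headend itself stays reachable outside the tunnel; and the removal of the 192.168.1.0/24 on-link route, which is why the local LAN becomes unreachable. The verdict is therefore "full-tunnel, local LAN blocked", the enforced state the administrator intends.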
0
Nathan

I haven't figured out how to split tunnel with Cisco AnyConnect. Here's my work around.

I tried using VPNC Front End, but a generic error message prevented me from fixing the connection settings. I needed to add "Application version Cisco Systems VPN Client 4.8.01 (0640):Linux" into default.conf. Also, once the connection was established, I couldn't access anything in the remote LAN. I needed to create a batch file which added routes for the remote LAN IP addresses (e.g. route add 10.0.0.0 mask 255.0.0.0 10.85.37.1 metric 9 IF 180). The same batch file also had to be configured to use the remote LAN's DNS servers before my ISP's DNS servers (e.g. netsh interface ipv4 add dns "Local Connection 2" 42.23.24.46 index=1).

To get a more detailed error message, I followed the instructions on BMC. I had to install additional packages: Net openssl, Devel Libs openssl-devel and Interpreters perl.

0
MarkL

Although this won't help someone who's trying to get around the security placed on the ASA by an administrator, for someone who IS an ASA administrator, Cisco has this article, on setting up the ASA and Anyconnect with split tunnel access:

Configure AnyConnect Secure Mobility Client with Split Tunneling on an ASA
