trissa
New Contributor

No split tunnel for mobile vpn HELP

Need some help with forcing internet traffic through the VPN tunnel for a remote client. I am using Shrew as the remote client. The tunnel connects and passes traffic between the private networks. Tracert shows public traffic going through the tunnel but not leaving the remote gateway.

Hoping someone can look at config and tell me what I am missing.

Many Thanks.

Accepted Solutions
Anonymous
Not applicable

Re: No split tunnel for mobile vpn HELP

Troy,

Thanks for posting your question on the forum!

You will need to modify your VPN selectors for the mobile VPN policy to reflect that internet traffic destined for the mobile VPN clients will be going over the VPN tunnel. Currently your VPN selectors look like this:

! Current selectors (split tunnel): LAN 192.168.100.0/24 to the client pool 192.168.203.0/24 only
ip access-list extended VPN-20-vpn-selectors3
  permit ip 192.168.100.0 0.0.0.255 192.168.203.0 0.0.0.255 log

It should look like this:

! Full-tunnel selectors: any source to the client pool 192.168.203.0/24
ip access-list extended VPN-20-vpn-selectors3
  permit ip any 192.168.203.0 0.0.0.255 log

You will also need to create an ACL for outbound internet traffic from the mobile client:

! Internet-bound traffic sourced from the mobile client pool; used below as the NAT match list
ip access-list extended VPN-REMOTE-INTERNET
  permit ip 192.168.203.0 0.0.0.255 any

The VPN client should also have 0.0.0.0 as its destination network so that all traffic goes over the VPN tunnel.

You will also need to modify the Public security zone to NAT the traffic coming over the VPN tunnel and going out to the internet.

no ip policy-class PUBLIC rpf-check
ip policy-class PUBLIC
  allow list VPN-20-vpn-selectors3
  nat source list VPN-REMOTE-INTERNET address <WAN IP address>

Please do not hesitate to let us know if you have any questions.

Thanks,

Noor

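The difference between the split-tunnel and full-tunnel selectors above comes down to which source/destination pairs the wildcard-mask ACL entries match. The following is an added example, written for this page and not ADTRAN AOS code or anything posted in the thread: a small Python model of Cisco/ADTRAN-style extended ACL matching ("permit ip <src> <wildcard> <dst> <wildcard>", first match wins, implicit deny) that lets you check offline whether a given internet host falls inside the tunnel selector and whether the client's traffic is caught by the NAT list. The client pool 192.168.203.0/24 and the LAN 192.168.100.0/24 are taken from the thread; the probe addresses (8.8.8.8, 192.168.100.5, 192.168.203.10) are constructed. Policy-class behaviour (ingress direction, `reverse`, `stateless`, `rpf-check`) is deliberately not modeled. One caveat a reviewer would raise on the accepted configuration: `no ip policy-class PUBLIC rpf-check` switches off the reverse-path (anti-spoofing) check on the public zone so that decrypted client traffic with a private source can enter there, so the NAT list should stay scoped to the client pool exactly as shown rather than being widened to `any`.

```python
"""Offline check of wildcard-mask ACL selectors for a full-tunnel mobile VPN.

Added example, not ADTRAN AOS code. It reproduces only how an extended ACL
entry matches a (source, destination) pair; it does not model policy-class
direction, 'reverse', 'stateless' or rpf-check.
"""
import ipaddress
from dataclasses import dataclass

# From the thread: LAN behind the gateway and the mobile client pool.
LAN_NET = ipaddress.ip_network("192.168.100.0/24")
CLIENT_POOL = ipaddress.ip_network("192.168.203.0/24")


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    src: str         # dotted base address, or "any"
    src_wild: str    # wildcard (inverse) mask; unused when src is "any"
    dst: str
    dst_wild: str


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: bits set in the wildcard are 'don't care' bits."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def parse_acl(text: str) -> list[Entry]:
    """Parse 'permit|deny ip <src> [<wild>] <dst> [<wild>] [log]' lines.

    Header lines ('ip access-list extended ...') and blanks are skipped.
    Only the 'ip' protocol form used in the thread is handled.
    """
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue
        i = 2
        src, src_wild = tok[i], "0.0.0.0"
        i += 1
        if src != "any":
            src_wild = tok[i]
            i += 1
        dst, dst_wild = tok[i], "0.0.0.0"
        i += 1
        if dst != "any":
            dst_wild = tok[i]
        entries.append(Entry(tok[0], src, src_wild, dst, dst_wild))
    return entries


def permits(acl: list[Entry], src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny at the end of the list."""
    for e in acl:
        if _matches(src, e.src, e.src_wild) and _matches(dst, e.dst, e.dst_wild):
            return e.action == "permit"
    return False


# The two selector ACLs from the accepted answer (before and after), plus the NAT list.
SPLIT_SELECTORS = parse_acl("""
ip access-list extended VPN-20-vpn-selectors3
  permit ip 192.168.100.0 0.0.0.255 192.168.203.0 0.0.0.255 log
""")
FULL_SELECTORS = parse_acl("""
ip access-list extended VPN-20-vpn-selectors3
  permit ip any 192.168.203.0 0.0.0.255 log
""")
REMOTE_INTERNET = parse_acl("""
ip access-list extended VPN-REMOTE-INTERNET
  permit ip 192.168.203.0 0.0.0.255 any
""")


def tunnel_covers(selectors: list[Entry], remote_host: str, client: str = "192.168.203.10") -> bool:
    """Does the selector (written local -> client) include traffic between remote_host and the client?"""
    return permits(selectors, remote_host, client)


def natted_to_internet(nat_list: list[Entry], src: str, dst: str) -> bool:
    """Would 'nat source list <nat_list>' pick up a packet src -> dst leaving to the internet?"""
    return permits(nat_list, src, dst)


def audit(selectors: list[Entry], nat_list: list[Entry], client: str, probes: list[str]) -> dict:
    """For each probe host: (inside tunnel selector?, NATed on the way out?)."""
    return {p: (tunnel_covers(selectors, p, client), natted_to_internet(nat_list, client, p)) for p in probes}


if __name__ == "__main__":
    probes = ["192.168.100.5", "8.8.8.8"]   # constructed: a LAN host and an internet host
    for name, sel in (("split", SPLIT_SELECTORS), ("full", FULL_SELECTORS)):
        print(name, audit(sel, REMOTE_INTERNET, "192.168.203.10", probes))
```

With the split selectors, 8.8.8.8 is not inside the tunnel definition even though the NAT list would match it, which is the symptom in the original post; with the `any` selector both checks pass for the client.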
trissa
New Contributor

Re: No split tunnel for mobile vpn HELP

Thanks so much! I had all of your corrections already implemented except for "allow list VPN-20-vpn-selectors3".

I had "allow list reverse VPN-20-vpn-selectors3 stateless" instead. Switched to your correction and everything is working great.

Again Thanks, Troy