[vpn] Local LAN access with Cisco VPN-Client for Linux

Dave_Rypma at manulife.com Dave_Rypma at manulife.com
Thu Apr 25 09:02:28 EDT 2002


Many implementations of Cisco VPN's (and any others for that matter) are
set up to deny split tunnelling (being able to access both the local
network and the remote VPN-connected network at the same time). The control
is at the Cisco 3000 Concentrator end and cannot normally be changed by the
client. The reason for this restriction is to prevent your local network
from being a path into the remote network. Most network administrators would
like to control connections to their network and if you were to turn on IP
forwarding on your Linux box, there would be an uncontrolled "back door"
into the remote network. I know it's a pain when you have printer and other
resources on your local network, but this restriction is a necessity for
security.

---------------------------------------+------------------------------
Dave Rypma, CISSP/SSCP Sr Tech Advisor |  "Quis custodiet ipsos
Manulife Information Security Office   |   custodies?" (Who will
Del'y Stn KC-10, PO Box 800 Stn C      |   guard the guards?)
Kitchener, ON,  N2G 4Y5                |  -- Juvenal, Roman satirist
(519) 747-7000 x38610, Fax: 747-6974   |     c.65 - c.127 A.D.
Dave_Rypma at manulife.com


From: Dirk Wagner <Wagner.Dirk-Michael at web.de>
Sent by: Wagner.Dirk-Michael at web.de
To: vpn at securityfocus.com
Subject: [vpn] Local LAN access with Cisco VPN-Client for Linux
Date: 2002-04-24 10:52



Hi,

I have some trouble accessing my local network when a connection to
a Cisco VPN Concentrator is established.

Involved machines:

1) Linux box as local network server (SuSE 7.0, Kernel 2.2.16)
    with running Cisco VPN Client 3.5.1 for Linux
    first ethernet card (eth0) with IP 10.73.200.10
    second card (eth1) with IP 192.168.1.1

2) Cisco VPN 3000 Concentrator, IP 10.73.10.100,
    local LAN access enabled, network 'locallan'
    defined: 192.168.1.0/0.0.0.255

There is no problem pinging a box in the 10.x.x.x or in the 192.168.1.0
net if there is no connection to the VPN server.
But as soon as the connection to the VPN server is established, no
access to the workstations in the 192.168.1.0 net is possible (e.g.
ping). The only thing possible is to ping the same machine on 192.168.1.1.

Split tunnel mode is enabled by the client:
EnableLocalLAN=1
EnableNAT=0
(not needed?)

The command 'vpnclient stat' reports that there is a local network
under 'configured routes' which is not secured. That's OK.
But what's wrong? Is it a configuration issue in the pcf file?

[main]
Description=VPN Test
Host=10.73.10.100
AuthType=1
GroupName=locallan
GroupPwd=local
enc_GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=
SaveUserPassword=1
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=0
MSLogonType=1
EnableNat=0
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0
PeerTimeout=0
EnableLocalLAN=1

Any hints? It's very important to access the local network while a VPN
connection is established.

thx
Dirk
--
Dirk-Michael Wagner *** Wagner.Dirk-Michael at web.de
Open Minds. Open Sources. Open Future. - Linux!
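The two things this thread turns on are the concentrator's wildcard-masked network list entry (192.168.1.0/0.0.0.255, where the zero bits mark the network part) and Dave's point that split tunnelling plus IP forwarding on the Linux box makes that box a transit path into the remote network. The following is an added example written for this page, not code from Cisco or from either poster: it parses a .pcf profile built from the keys Dirk posted (a constructed sample, with his placeholder passwords), decodes the wildcard mask into a normal prefix, flags the profile settings a reviewer would raise (cleartext group password, saved user password, local LAN requested), and evaluates the back-door condition for a given ip_forward value. The ip_forward value is passed in rather than read from /proc so the example runs anywhere.

```python
"""Audit helper for a Cisco VPN Client .pcf profile and a concentrator
'locallan' network list entry. Example code added for this page."""
import configparser
import ipaddress

# Constructed sample profile: the keys are those posted in the thread, the
# values are the poster's (passwords are the literal placeholders he posted).
SAMPLE_PCF = """\
[main]
Description=VPN Test
Host=10.73.10.100
AuthType=1
GroupName=locallan
GroupPwd=local
enc_GroupPwd=
SaveUserPassword=1
UserPassword=
enc_UserPassword=
EnableNat=0
EnableLocalLAN=1
"""


def parse_pcf(text):
    """Return the [main] section of a .pcf profile as a dict, key case preserved."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep 'EnableLocalLAN' exactly as written
    parser.read_string(text)
    return dict(parser["main"])


def wildcard_to_network(address, wildcard):
    """Convert a Cisco 'network/wildcard' pair to an IPv4Network.

    Wildcard bits are the inverse of a subnet mask: 0 = network, 1 = host,
    so 192.168.1.0 / 0.0.0.255 is 192.168.1.0/24.
    """
    netmask = ipaddress.IPv4Address(
        0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    # strict=True rejects an entry whose address has host bits set, and a
    # non-contiguous wildcard raises NetmaskValueError.
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=True)


def audit_profile(profile):
    """Profile settings a reviewer would flag, as short finding tags."""
    findings = []
    if profile.get("EnableLocalLAN") == "1":
        # Requested by the client; honoured only if the concentrator's group permits it.
        findings.append("local-lan-requested")
    if profile.get("GroupPwd") and not profile.get("enc_GroupPwd"):
        findings.append("cleartext-group-password")
    if profile.get("SaveUserPassword") == "1":
        findings.append("saved-user-password")
    return findings


def forwards_between_lan_and_tunnel(ip_forward, profile, lan_network, host_lan_address):
    """The back-door condition from the reply: split tunnelling is active, the
    host has an address on the permitted local LAN, and the kernel forwards
    packets between interfaces (net.ipv4.ip_forward = 1)."""
    on_lan = ipaddress.IPv4Address(host_lan_address) in lan_network
    return bool(ip_forward) and profile.get("EnableLocalLAN") == "1" and on_lan


if __name__ == "__main__":
    prof = parse_pcf(SAMPLE_PCF)
    net = wildcard_to_network("192.168.1.0", "0.0.0.255")
    print("locallan list entry covers", net)
    print("profile findings:", audit_profile(prof))
    # On a real host the flag comes from: cat /proc/sys/net/ipv4/ip_forward
    for flag in (0, 1):
        transit = forwards_between_lan_and_tunnel(flag, prof, net, "192.168.1.1")
        print(f"ip_forward={flag} -> host is a LAN-to-tunnel transit path: {transit}")
```

Running it shows the list entry as 192.168.1.0/24, the three findings for the posted profile, and that the transit condition flips on ip_forward alone once local LAN access is in effect, which is exactly why the concentrator side, not the client, is where the split-tunnel decision is enforced.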


VPN is sponsored by SecurityFocus.com