2 Replies Latest reply on Apr 7, 2015 7:43 AM by trissa

    No split tunnel for mobile vpn HELP

    trissa New Member

      Need some help with forcing internet traffic through the VPN tunnel for a remote client. I am using Shrew as the remote client. The tunnel connects and passes traffic between the private networks. Tracert shows public traffic going through the tunnel but not leaving the remote gateway.

      Hoping someone can look at the config and tell me what I am missing.

      Many Thanks.

        • Re: No split tunnel for mobile vpn HELP
          Employee

          Troy,

          Thanks for posting your question on the forum!

          You will need to modify your VPN selectors for the mobile VPN policy to reflect that internet traffic destined for the mobile VPN clients will be going over the VPN tunnel. Currently your VPN selectors look like this:

          ip access-list extended VPN-20-vpn-selectors3
            permit ip 192.168.100.0 0.0.0.255  192.168.203.0 0.0.0.255    log

          It should look like this:

          ip access-list extended VPN-20-vpn-selectors3
            permit ip any  192.168.203.0 0.0.0.255    log

          You will also need to create an ACL for outbound internet traffic from the mobile client:

          ip access-list extended VPN-REMOTE-INTERNET
            permit ip 192.168.203.0 0.0.0.255 any

          The VPN client should also have 0.0.0.0 as its destination network so that all traffic goes over the VPN tunnel.

          You will also need to modify the Public security zone to NAT the traffic coming over the VPN tunnel and going out to the internet.

          no ip policy-class PUBLIC rpf-check
          ip policy-class PUBLIC
            allow list VPN-20-vpn-selectors3
            nat source list VPN-REMOTE-INTERNET address <WAN IP address>

          Please do not hesitate to let us know if you have any questions.

          Thanks,

          Noor
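          The reason the selector change matters can be checked offline with a small ACL matcher. The following Python is an added example, not code from this thread or from the gateway vendor: it parses the three extended ACLs quoted in the answer above (Cisco/AOS-style wildcard masks, first-match evaluation with an implicit deny at the end), then tests constructed flows against them. It assumes the usual selector convention that the source term is the gateway's side and the destination term is the remote client's side, and it uses 203.0.113.10 (documentation range) as a stand-in for any internet host. Non-contiguous wildcard masks are not handled.

```python
import ipaddress

# ACL text quoted from the answer: the "before" selectors, the corrected
# selectors, and the list used to NAT client traffic bound for the internet.
ORIGINAL_SELECTORS = """
ip access-list extended VPN-20-vpn-selectors3
  permit ip 192.168.100.0 0.0.0.255  192.168.203.0 0.0.0.255    log
"""

FIXED_SELECTORS = """
ip access-list extended VPN-20-vpn-selectors3
  permit ip any  192.168.203.0 0.0.0.255    log
"""

REMOTE_INTERNET = """
ip access-list extended VPN-REMOTE-INTERNET
  permit ip 192.168.203.0 0.0.0.255 any
"""


def _parse_target(tokens, i):
    """Parse one address term starting at tokens[i]:
    'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (wildcard = inverted netmask).
    Returns (network, index_of_next_token). Assumes a contiguous wildcard."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Turn an 'ip access-list extended NAME' block into an ordered list of
    (action, protocol, source_net, dest_net) entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":      # blank line or the header line
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_target(tokens, 2)
        dst, _ = _parse_target(tokens, i)         # trailing keywords such as 'log' are ignored
        entries.append((action, proto, src, dst))
    return entries


def acl_permits(acl_text, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst in parse_acl(acl_text):
        if s in src and d in dst:
            return action == "permit"
    return False


def selector_report(selector_text):
    """For a selector ACL, report whether each constructed flow (as seen by the
    gateway, heading toward the remote client) would be steered into the tunnel."""
    flows = {
        "LAN host -> client": ("192.168.100.10", "192.168.203.5"),
        "internet -> client": ("203.0.113.10", "192.168.203.5"),  # constructed public host
    }
    return {name: acl_permits(selector_text, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    print("original selectors:", selector_report(ORIGINAL_SELECTORS))
    print("fixed selectors:   ", selector_report(FIXED_SELECTORS))
    print("NAT list, client -> internet:",
          acl_permits(REMOTE_INTERNET, "192.168.203.5", "203.0.113.10"))
```

          With the original selectors only the LAN-to-client flow matches, so return traffic from the internet is never placed in the tunnel; with the `any` source it is. The NAT list matches only client-sourced traffic, which is what keeps the LAN subnet out of the translation.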

          • Re: No split tunnel for mobile vpn HELP
            trissa New Member

            Thanks so much!!!!!!!!! I had all of your corrections already implemented except for "allow list VPN-20-vpn-selectors3".

            I had "allow list reverse VPN-20-vpn-selectors3 stateless" instead. Switched to your correction and everything is working great.

            Again, thanks, Troy