For a few days I have been trying to set up split tunneling on an 1841. Unfortunately, once the connection is established I lose access to the Internet and to the local network. If I understood the documentation correctly, split tunneling and include-local-lan are mutually exclusive. With the latter option, everything that goes outside my local network will go through the tunnel. What I want to achieve is this:
- access to the remote site over the VPN
- access to the Internet through the local gateway
- access to devices and resources on the local network
Below is the configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1_XXX
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network Biuro_RVPN local
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool 192.168.1.0/24
network 192.168.1.0 255.255.255.0
dns-server 194.204.159.1 194.204.152.34
default-router 192.168.1.1
!
!
ip cef
no ip domain lookup
ip domain name xxxx.pl
ntp server 212.244.36.227
ntp server 212.244.36.228
ntp server 131.107.13.100
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3511780168
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3511780168
revocation-check none
rsakeypair TP-self-signed-3511780168
!
!
crypto pki certificate chain TP-self-signed-3511780168
certificate self-signed 01
xxxxx
quit
!
!
username Serwis password 7 xxxx
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group RVPN_GROUP
key xxxx
pool RVPN_POOL
acl RVPN_ACL
max-users 30
max-logins 1
netmask 255.255.255.0
crypto isakmp profile RVPN_IKE_Profile
match identity group RVPN_GROUP
client authentication list default
isakmp authorization list Biuro_RVPN
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile RVPN_Profile
set transform-set ESP-3DES-SHA
set reverse-route tag 1
set isakmp-profile RVPN_IKE_Profile
!
!
crypto ctcp port 10000
!
!
ip ssh logging events
!
!
!
interface Loopback0
ip address 192.168.11.1 255.255.255.224
!
interface FastEthernet0/0
description WAN
ip address 83.12.xx.xx 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile RVPN_Profile
!
ip local pool RVPN_POOL 192.168.11.2 192.168.11.30
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 83.12.167.49
no ip http server
ip http secure-server
!
!
ip nat inside source list NAT_ACL interface FastEthernet0/0 overload
!
ip access-list extended NAT_ACL
deny ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended RVPN_ACL
remark ACL for the Remote VPN
permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 5 0
password 7 xxxx
line aux 0
exec-timeout 0 1
no exec
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
end
#sh crypto session det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Virtual-Access2
Username: serwis
Profile: RVPN_IKE_Profile
Group: RVPN_GROUP
Assigned address: 192.168.11.26
Uptime: 00:00:14
Session status: UP-ACTIVE
Peer: 83.9.169.11 port 19699 fvrf: (none) ivrf: (none)
Phase1_id: RVPN_GROUP
Desc: (none)
IKE SA: local 83.12.xx.xx/4500 remote 83.9.xx.xx/19699 Active
Capabilities:CXN connid:1026 lifetime:23:59:39
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.11.26
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4572157/3585
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4572157/3585
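The two alternatives the post contrasts (a split-tunnel ACL versus a full tunnel with include-local-lan), written out side by side as an added example. This is not the poster's running config and not an IOS reference sample; the group, pool and ACL names and the 192.168.1.0/24 and 192.168.11.0/27 prefixes are taken from the post, while RVPN_GROUP_FULL is an assumed name for the second variant. The two variants are mutually exclusive within one group: the head end pushes either the ACL or the local-LAN flag, never both.

```cisco
! Added example (not the poster's configuration). Variant A: split tunneling.
! The ACL enumerates ONLY the destinations the client must encrypt; the client
! keeps its own default route, so Internet and local-LAN traffic never enter
! the tunnel. The source side of the ACL is the network behind the hub.
ip access-list extended RVPN_ACL
 remark networks behind the hub that the client reaches through the tunnel
 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
!
crypto isakmp client configuration group RVPN_GROUP
 key xxxx
 pool RVPN_POOL
 acl RVPN_ACL
 netmask 255.255.255.0
!
! Variant B (assumed group name): full tunnel plus local-LAN exemption.
! There is no "acl" line. Everything except the client's directly attached
! subnet is sent through the tunnel, so the client's Internet traffic arrives
! at the hub and has to be NATed back out of FastEthernet0/0 there.
crypto isakmp client configuration group RVPN_GROUP_FULL
 key xxxx
 pool RVPN_POOL
 include-local-lan
 netmask 255.255.255.0
!
! Variant B only: NAT the client pool out of the WAN interface. The
! Virtual-Template (and therefore every Virtual-Access clone) must be an
! "ip nat inside" interface for the hairpinned traffic to be translated.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RVPN_Profile
!
ip access-list extended NAT_ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
!
! Verification. With a Virtual-Template (DVTI) head end the IPsec proxy
! identity is negotiated as 0.0.0.0/0 -> host <assigned address> in BOTH
! variants, which is exactly the "IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host
! ..." line in "show crypto session detail"; that line therefore does not
! tell you whether the split-tunnel ACL was pushed. Check the mode-config
! result on the hub and the routing table on the client instead:
!   show crypto isakmp sa detail        (hub: the client's IKE SA and config mode)
!   show ip route 192.168.11.26         (hub: RRI host route for the client)
!   route print                         (Windows client: in variant A only
!                                        192.168.1.0/24 should point at the
!                                        VPN adapter, the default route stays
!                                        on the physical NIC)
```

In both variants the Cisco VPN Client also has its own per-profile "Allow Local LAN Access" setting; include-local-lan pushed from the hub only takes effect when that box is ticked on the client, so a client that still loses its LAN under variant B should be checked there first.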