This document provides step-by-step instructions on how to allow VPN
Clients access to the Internet while they are tunneled into a VPN 3000 Series
Concentrator. This configuration allows VPN Clients secure access to corporate
resources via IPsec while giving unsecured access to the Internet.
Note: Split tunneling can potentially pose a security risk when configured.
Because VPN Clients have unsecured access to the Internet, they can be
compromised by an attacker. That attacker might then be able to access the
corporate LAN via the IPsec tunnel. A compromise between full tunneling and
split tunneling can be to allow VPN Clients local LAN access only. Refer to
Allow Local LAN Access for VPN
Clients on the VPN 3000 Concentrator Configuration Example for more
This document assumes that a working remote access VPN configuration
already exists on the VPN Concentrator. Refer to
with VPN Client to VPN 3000 Concentrator Configuration Example if one is
not already configured.
The information in this document is based on these software and
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
The VPN Client is located on a typical SOHO network and connects across
the Internet to the main office.
Refer to the
Technical Tips Conventions for more information on document
In a basic VPN Client to VPN Concentrator scenario, all traffic from
the VPN Client is encrypted and sent to the VPN Concentrator no matter what the
destination. Based on your configuration and the number of users supported,
such a setup can become bandwidth intensive. Split tunneling can work to
alleviate this problem by allowing users to send only that traffic which is
destined for the corporate network across the tunnel. All other traffic such as
IM, email, or casual browsing is sent out to the Internet via the local LAN of
the VPN Client.
Complete these steps in order to configure your tunnel group to allow
split tunneling for users in the group. First create a Network List. This list
defines the destination networks to which the VPN Client sends encrypted
traffic. Once the list is created, add the list to the split tunneling policy
of the client tunnel group.
Choose Configuration > Policy Management > Traffic
Management > Network Lists and click Add.
This list defines the destination networks to which the VPN Client
sends encrypted traffic. Either enter these networks manually, or click
Generate Local List in order to create a list based on routing
entries on the private interface of the VPN Concentrator.
In this example, the list was created
Once it is created or populated, provide a name for the list and
Once you create the network list, assign it to a tunnel group.
Choose Configuration > User Management > Groups, select
the group you wish to change, and click Modify
Go to the Client Config tab of the group that you have chosen to
Scroll down to the Split Tunneling Policy and Split Tunneling
Network List sections and click Only tunnel networks in the
Choose the list created earlier from the drop-down. In this case it
is Main Office. The Inherit? checkboxes are automatically
emptied in both cases.
Click Apply when you are
Connect your VPN Client to the VPN Concentrator in order to verify your
Choose your connection entry from the list and click
Enter your credentials.
Choose Status > Statistics... in order to
display the Tunnel Details window where you can inspect the particulars of the
tunnel and see traffic flowing.
Go to the Route Details tab in order to see which networks the VPN
Client sends encrypted traffic to. In this example, the VPN Client communicates
securely with 10.0.1.0/24 while all other traffic is sent unencrypted to the
When you examine the VPN Client log, you can determine whether or not
the parameter that allows split tunneling is set. Go to the Log tab in the VPN
Client in order to view the log. Click Log Settings in order
to adjust what is logged. In this example, IKE and IPsec are set to 3-
High while all other log elements are set to 1 -
Cisco Systems VPN Client Version 4.0.5 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
1 14:21:43.106 07/21/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 172.22.1.106.
!--- Output is supressed.
28 14:21:55.151 07/21/06 Sev=Info/5 IKE/0x6300005D
Client sending a firewall request to concentrator
29 14:21:55.151 07/21/06 Sev=Info/5 IKE/0x6300005C
Firewall Policy: Product=Cisco Systems Integrated Client,
Capability= (Centralized Protection Policy).
30 14:21:55.151 07/21/06 Sev=Info/5 IKE/0x6300005C
Firewall Policy: Product=Cisco Intrusion Prevention Security Agent,
Capability= (Are you There?).
31 14:21:55.171 07/21/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 172.22.1.106
32 14:21:56.114 07/21/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 172.22.1.106
33 14:21:56.114 07/21/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 172.22.1.106
34 14:21:56.114 07/21/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.0.1.50
35 14:21:56.114 07/21/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
36 14:21:56.114 07/21/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
!--- Split tunneling is configured.
37 14:21:56.114 07/21/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets),
value = 0x00000001
38 14:21:56.114 07/21/06 Sev=Info/5 IKE/0x6300000F
subnet = 10.0.1.0
mask = 255.255.255.0
protocol = 0
src port = 0
39 14:21:56.124 07/21/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
40 14:21:56.124 07/21/06 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems,
Inc./VPN 3000 Concentrator Version 4.7.2.H built by vmurphy on Jun 29 2006 20:21:56
41 14:21:56.124 07/21/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
!--- Output is supressed.
with VPN Client to VPN 3000 Concentrator Configuration Example -
Troubleshooting for general information on troubleshooting this