
Split Tunneling Question

Hello AUBB

I'm running an ASG220 V8.102 and would like to make sure that my VPN connections are secure.

I have a PPTP and an L2TP/IPSec connection that were both created before I came on board.  I have recently read about MSCHAPv2 being considered to be cracked and plan to retire that connection asap.

I received a well intended suggestion about using "split tunneling" to allow remote access users to browse the web while connected to the VPN.

From what I've seen so far, "split tunneling" is a concept of SSL VPNs.

Can anyone confirm this or point me to a good, authoritative explanation of "split tunneling"?

Thank you very much.


  • In L2TP/IPsec and PPTP using the Microsoft client, the user selects a split tunnel by removing the check mark from 'Use default gateway on remote network' in 'Advanced TCP/IP Settings' in the VPN Connection Properties.

    If it hasn't already been discussed, your company should consider a "Refresh" now to replace your old 220 with a new UTM 220.  There's a nice discount if it's purchased before 3/28/2013.

    Cheers - Bob
    PS: If you have an Active Directory, the SSL VPN offers some benefits over L2TP/IPsec.  If you want to evaluate it, be sure to change the protocol from TCP to UDP on the 'Settings' tab before you start distributing the clients.  Also, pay attention to Barry's warning about too many users for your 220.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, I have the same question regarding split tunneling on L2TP VPN using the Microsoft VPN client.

    If I uncheck 'Use default gateway on remote network' in 'Advanced TCP/IP Settings' in the VPN Connection Properties, then I have in my local routing table a default route using the local LAN interface of my home router, and thus I cannot reach the remote encryption domain of the VPN.

    If I leave 'Use default gateway on remote network' in 'Advanced TCP/IP Settings' in the VPN Connection Properties checked, then I can see in the routing table of my PC two default routes: one using the L2TP local interface and one using the LAN interface of my router; the difference is that the one using the L2TP interface has a lower metric, thus it is preferred and all the traffic is routed through it.

    So as far as I can see, either I have a full VPN tunnel or I don't have a tunnel at all. Is there any chance to configure a split tunnel on the L2TP VPN setup?


    Thanks

  • Perhaps you could copy and paste the lines you see that you are talking about.

    Cheers - Bob
  • Default setting:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.102    4260
              0.0.0.0          0.0.0.0          On-link        3.3.3.2      36
              3.3.3.2  255.255.255.255          On-link        3.3.3.2     291


    The option "use default gateway..." unchecked:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.102      35
              3.0.0.0        255.0.0.0          3.3.3.1        3.3.3.2      36
              3.3.3.2  255.255.255.255          On-link        3.3.3.2     291


    192.168.0.1 - local router lan gateway

    3.3.3.2 - local L2TP vpn interface

  • 3.0.0.0 255.0.0.0 3.3.3.1 3.3.3.2 36

    That's weird - what's going on inside your PC?

    Cheers - Bob
  • That's what I am trying to understand here too, and this is not a PC issue. That route is pushed by the Sophos. The L2TP pool defined on the Sophos is 3.3.3.0/24 and somehow it changes the mask. Nevertheless, with or without the correct mask, that route is still strange. What would have been the normal outcome of unchecking "use default gateway..."? What route should I have seen there, because I see that all L2TP does is inject a default route with a better metric.

  • Not sure why you wouldn't just use the default subnets that the UTM has pre-configured.  In any case, you haven't configured 3.3.3.0/24, you've configured 3.0.0.0/8.

    Cheers - Bob
  • Bob, that is not right. I am using 3.3.3.0/24. Please check the file 3.3.3.0.jpg below.


    Nevertheless, I followed your advice in using the default L2TP pool:


    The result is exactly the same. Please check below the routing table on the client PC:


    Default setting "use default gateway on remote network" checked:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.102    4260
              0.0.0.0          0.0.0.0          On-link     10.242.3.2      36


    Default setting "use default gateway on remote network" unchecked:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.102      35
             10.0.0.0        255.0.0.0       10.242.3.1     10.242.3.2      36


    Still summarizes to /8, and my subnets behind the firewall are nonexistent here.

    Do you see what I mean?
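    The two tables above can be checked mechanically; what follows is an added example, not code from this thread or from Sophos. It parses the pasted 'route print' rows, resolves which interface Windows would use for a destination (longest prefix, then lowest metric) and flags a VPN route wider than the address pool; the pool 10.242.3.0/24 is inferred from the client address and is an assumption.

```python
import ipaddress
import re

# Constructed sample input: the two "route print" excerpts pasted in this thread
# (default L2TP pool on the UTM; the client was assigned 10.242.3.2).
ROUTES_FULL_TUNNEL = """
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.102 4260
0.0.0.0 0.0.0.0 On-link 10.242.3.2 36
"""
ROUTES_SPLIT_TUNNEL = """
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.102 35
10.0.0.0 255.0.0.0 10.242.3.1 10.242.3.2 36
"""

# One route row: destination, netmask, gateway (or "On-link"), interface, metric.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_routes(text):
    """Turn route-print rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # header, separator and blank lines do not have the row shape
            continue
        dest, mask, gateway, iface, metric = m.groups()
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((network, gateway, iface, int(metric)))
    return routes


def egress_interface(routes, destination):
    """Interface Windows would pick: longest prefix wins, ties go to the lowest metric."""
    ip = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if ip in r[0]]
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))[2]


def audit(text, vpn_iface, pool):
    """Report full/split tunnel mode and any VPN route wider than the address pool."""
    routes = parse_routes(text)
    pool = ipaddress.IPv4Network(pool)  # assumed /24 the UTM assigns client addresses from
    # Any public address stands in for "the Internet" when deciding the tunnel mode.
    mode = "full" if egress_interface(routes, "8.8.8.8") == vpn_iface else "split"
    # A VPN route that is a strict supernet of the pool drags unrelated address space
    # (here all of 10/8) into the tunnel; the default route is skipped (prefixlen 0).
    wider = [str(r[0]) for r in routes
             if r[2] == vpn_iface and r[0].prefixlen and r[0].supernet_of(pool) and r[0] != pool]
    return {"mode": mode, "wider_than_pool": wider}
```

    The /8 is the class-based route the Windows RAS client itself adds for its assigned address once 'Use default gateway on remote network' is unchecked, so it reflects client behaviour rather than the pool the UTM configured.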

  • I don't have a way to reproduce this until next week, but I never use L2TP for any of my clients since the SSL VPN is so flexible.  Maybe someone else has some input on this issue.

    FWIW, 3.0.0.0/9 and 3.128.0.0/10 are Amazon IPs.  3.192.0.0/10 belongs to General Electric.  Just curious, what benefit do you expect from using the 3. subnet for L2TP?

    Cheers - Bob
  • I expect the benefit to work as it should. And as I said, it is 3.3.3.0/24, not 3.  Sophos makes it 3. instead of how it defined it, exactly as it does with the default L2TP 10.254.3.0/24.

    The 3.3.3.0/24 subnet is not mandatory for me; I can change it to whatever subnet, but the point is different.

    To avoid confusion we can stick to the default pool 10.254.3.0/24.

  • I just confirmed that I also get 10.0.0.0/8 and that that causes me no problems.  Fortunately, that entire subnet is reserved for private use.  I'm not sure why that's done.  The SSL VPN remote access connection is only a /24.  Anyway, another good reason to not change the default VPN pools.

    Cheers - Bob