
Cisco VPN acting weeeeeeeeeeird




n8236
Apr 24, 2008, 02:53 AM
So I started using the Cisco VPN Client (version 4.9.01 (100)) and there is ONE client that when I'm connected to them, I lose web surfing and ping capability in Terminal. I won't be able to ping anything, no gateway, no nothing. When I connect to other clients on my list, it works fine.

So I tried this in Windows and voila, that ONE client works! But that's beside the point.

Does anyone have any clues?!



operator207
Apr 24, 2008, 09:13 AM
So I started using the Cisco VPN Client (version 4.9.01 (100)) and there is ONE client that when I'm connected to them, I lose web surfing and ping capability in Terminal. I won't be able to ping anything, no gateway, no nothing. When I connect to other clients on my list, it works fine.

So I tried this in Windows and voila, that ONE client works! But that's beside the point.

Does anyone have any clues?!

Actually it's not beside the point, it's a really good clue. Check the settings on both OSes. Compare the two. Maybe there is a difference. Do you run anything that could manually edit the firewall? Maybe you did something that breaks it at the firewall.

Maybe that site hates your MAC address.

I am just guessing, as I do not have much information to go on.

Did you play with/add files in /etc/ppp ?

What does the console say when you attempt to connect?

n8236
Apr 24, 2008, 04:10 PM
Actually it's not beside the point, it's a really good clue. Check the settings on both OSes. Compare the two. Maybe there is a difference. Do you run anything that could manually edit the firewall? Maybe you did something that breaks it at the firewall.

Maybe that site hates your MAC address.

I am just guessing, as I do not have much information to go on.

Did you play with/add files in /etc/ppp ?

What does the console say when you attempt to connect?

I checked both OSes and I don't see any differences. I had the OS X one working before; it just decided to stop working one day. I also tried re-installing the OS X client.

Firewall for OS X and XP is off.

n8236
Apr 25, 2008, 12:50 AM
Here is the code when connected to that funky vpn connection which doesn't allow web surfing:



lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128

gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

stf0: flags=0<> mtu 1280

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:16:cb:9b:37:b8
media: autoselect status: inactive
supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none

fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 2030
lladdr 00:17:f2:ff:fe:77:5a:d6
media: autoselect <full-duplex> status: inactive
supported media: autoselect <full-duplex>

en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1356
inet 192.168.1.47 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::216:cbff:fe07:a8c1%en1 prefixlen 64 scopeid 0x6
ether 00:16:cb:07:a8:c1
media: autoselect status: active
supported media: autoselect

vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.135.1 netmask 0xffffff00 broadcast 172.16.135.255
ether 00:50:56:c0:00:08

vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.208.1 netmask 0xffffff00 broadcast 172.16.208.255
ether 00:50:56:c0:00:01

tun0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
closed

tap0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 74:61:70:00:00:00
closed

en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::21c:42ff:fe00:0%en2 prefixlen 64 scopeid 0xb
ether 00:1c:42:00:00:00
media: autoselect status: active
supported media: autoselect

en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::21c:42ff:fe00:1%en3 prefixlen 64 scopeid 0xc
ether 00:1c:42:00:00:01
media: autoselect status: active
supported media: autoselect


Can anyone decode what this means?

operator207
Apr 25, 2008, 10:57 AM
Here is the code when connected to that funky vpn connection which doesn't allow web surfing:


Can anyone decode what this means?

That's not code, that's the output of ifconfig -a.

Open your console (/applications/utilities/console.app).
There should be an entry for ppp somewhere.

See what the last entry is, try to connect to your VPN, and see if it adds logs there. If so, copy and paste them here. Maybe it's erring out and will report it there. I have never used the Cisco VPN client, so it may not use ppp.log for its logging. If it does not, you're gonna need to find out where it logs things, and post that here instead.

I found this: http://www.kombitz.com/2007/08/21/cisco-vpn-client-problem-on-mac-os-x/

Maybe that's your problem there.

Also you posted:

tun0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
closed

tap0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 74:61:70:00:00:00
closed


Those should be the vpn tunnel. They are closed.

We need the logs from the console.

n8236
Apr 25, 2008, 02:00 PM
Here's what the Cisco log says.

Cisco Systems VPN Client Version 4.9.01 (0100)
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 9.2.2 Darwin Kernel Version 9.2.2: Tue Mar 4 21:17:34 PST 2008; root:xnu-1228.4.31~1/RELEASE_I386 i386

195 16:52:01.725 04/25/2008 Sev=Info/4 CM/0x43100002
Begin connection process

196 16:52:01.725 04/25/2008 Sev=Warning/2 CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0xAC1087FF, Src Addr: 0xAC108701 (DRVIFACE:1158).

197 16:52:01.726 04/25/2008 Sev=Warning/2 CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0xAC10D0FF, Src Addr: 0xAC10D001 (DRVIFACE:1158).

198 16:52:01.726 04/25/2008 Sev=Info/4 CM/0x43100004
Establish secure connection using Ethernet

199 16:52:01.727 04/25/2008 Sev=Info/4 CM/0x43100024
Attempt connection with server "vpn.spgsolar.com"

200 16:52:01.732 04/25/2008 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).

201 16:52:01.735 04/25/2008 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (4500).

202 16:52:01.735 04/25/2008 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with 12.26.39.2.

203 16:52:01.837 04/25/2008 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 12.26.39.2

204 16:52:01.973 04/25/2008 Sev=Info/4 IPSEC/0x43700008
IPSec driver successfully started

205 16:52:01.973 04/25/2008 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

206 16:52:01.973 04/25/2008 Sev=Info/4 IPSEC/0x4370000D
Key(s) deleted by Interface (192.168.0.135)

207 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 12.26.39.2

208 16:52:01.979 04/25/2008 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from 12.26.39.2

209 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x43000001
Peer supports XAUTH

210 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x43000001
Peer supports DPD

211 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x43000001
Peer is a Cisco-Unity compliant peer

212 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x43000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5

213 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x43000001
Peer supports NAT-T

214 16:52:02.101 04/25/2008 Sev=Info/6 IKE/0x43000001
IOS Vendor ID Contruction successful

215 16:52:02.101 04/25/2008 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 12.26.39.2

216 16:52:02.102 04/25/2008 Sev=Info/6 IKE/0x43000055
Sent a keepalive on the IPSec SA

217 16:52:02.102 04/25/2008 Sev=Info/4 IKE/0x43000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194

218 16:52:02.102 04/25/2008 Sev=Info/5 IKE/0x43000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

219 16:52:02.102 04/25/2008 Sev=Info/4 CM/0x4310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

220 16:52:02.102 04/25/2008 Sev=Info/4 CM/0x4310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

221 16:52:02.103 04/25/2008 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 12.26.39.2

222 16:52:02.124 04/25/2008 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 12.26.39.2

223 16:52:02.124 04/25/2008 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 12.26.39.2

224 16:52:02.125 04/25/2008 Sev=Info/5 IKE/0x43000045
RESPONDER-LIFETIME notify has value of 86400 seconds

225 16:52:02.125 04/25/2008 Sev=Info/5 IKE/0x43000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

226 16:52:02.134 04/25/2008 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 12.26.39.2

227 16:52:02.134 04/25/2008 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 12.26.39.2

228 16:52:02.134 04/25/2008 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.10.209

229 16:52:02.134 04/25/2008 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.1.11

230 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 192.168.1.12

231 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 192.168.1.11

232 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(2) (a.k.a. WINS) : , value = 192.168.1.12

233 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = sp

234 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

235 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000F
SPLIT_NET #1
subnet = 192.168.1.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0

236 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

237 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

238 16:52:02.135 04/25/2008 Sev=Info/4 CM/0x43100019
Mode Config data received

239 16:52:02.139 04/25/2008 Sev=Info/4 IKE/0x43000056
Received a key request from Driver: Local IP = 192.168.1.47, GW IP = 12.26.39.2, Remote IP = 0.0.0.0

240 16:52:02.139 04/25/2008 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 12.26.39.2

241 16:52:02.167 04/25/2008 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 12.26.39.2

242 16:52:02.167 04/25/2008 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 12.26.39.2

243 16:52:02.167 04/25/2008 Sev=Info/5 IKE/0x43000045
RESPONDER-LIFETIME notify has value of 28800 seconds

244 16:52:02.167 04/25/2008 Sev=Info/5 IKE/0x43000046
RESPONDER-LIFETIME notify has value of 4608000 kb

245 16:52:02.167 04/25/2008 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK QM *(HASH) to 12.26.39.2

246 16:52:02.168 04/25/2008 Sev=Info/5 IKE/0x43000059
Loading IPsec SA (MsgID=CFD4212C OUTBOUND SPI = 0x6526F06B INBOUND SPI = 0x12BDD98F)

247 16:52:02.168 04/25/2008 Sev=Info/5 IKE/0x43000025
Loaded OUTBOUND ESP SPI: 0x6526F06B

248 16:52:02.168 04/25/2008 Sev=Info/5 IKE/0x43000026
Loaded INBOUND ESP SPI: 0x12BDD98F

249 16:52:02.168 04/25/2008 Sev=Info/4 CM/0x4310001A
One secure connection established

250 16:52:02.168 04/25/2008 Sev=Info/4 CVPND/0x4340001E
Privilege Separation: reducing MTU on primary interface.

251 16:52:02.174 04/25/2008 Sev=Info/4 CVPND/0x4340001B
Privilege Separation: backing up resolv.conf file.

252 16:52:02.175 04/25/2008 Sev=Info/4 CVPND/0x4340001D
Privilege Separation: chown( /var/run/resolv.conf.vpnbackup, uid=0, gid=1 ).

253 16:52:02.176 04/25/2008 Sev=Info/4 CVPND/0x43400018
Privilege Separation: opening file: (/var/run/resolv.conf).

254 16:52:02.192 04/25/2008 Sev=Info/4 CM/0x4310003B
Address watch added for 192.168.1.47. Current hostname: eddie-liangs-macbook-pro-15.local, Current address(es): 192.168.1.47, 172.16.135.1, 172.16.208.1.

255 16:52:02.760 04/25/2008 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

256 16:52:02.760 04/25/2008 Sev=Info/4 IPSEC/0x43700010
Created a new key structure

257 16:52:02.760 04/25/2008 Sev=Info/4 IPSEC/0x4370000F
Added key with SPI=0x6bf02665 into key list

258 16:52:02.760 04/25/2008 Sev=Info/4 IPSEC/0x43700010
Created a new key structure

259 16:52:02.761 04/25/2008 Sev=Info/4 IPSEC/0x4370000F
Added key with SPI=0x8fd9bd12 into key list

260 16:52:12.474 04/25/2008 Sev=Info/6 IKE/0x43000055
Sent a keepalive on the IPSec SA

261 16:52:22.474 04/25/2008 Sev=Info/6 IKE/0x43000055
Sent a keepalive on the IPSec SA

262 16:52:32.474 04/25/2008 Sev=Info/6 IKE/0x43000055
Sent a keepalive on the IPSec SA

263 16:52:42.474 04/25/2008 Sev=Info/6 IKE/0x43000055
Sent a keepalive on the IPSec SA

264 16:52:48.533 04/25/2008 Sev=Info/4 CM/0x4310000A
Secure connections terminated

265 16:52:48.533 04/25/2008 Sev=Info/4 IKE/0x43000001
IKE received signal to terminate VPN connection

266 16:52:48.533 04/25/2008 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 12.26.39.2

267 16:52:48.534 04/25/2008 Sev=Info/5 IKE/0x43000018
Deleting IPsec SA: (OUTBOUND SPI = 6526F06B INBOUND SPI = 12BDD98F)

268 16:52:48.534 04/25/2008 Sev=Info/4 IKE/0x43000049
Discarding IPsec SA negotiation, MsgID=CFD4212C

269 16:52:48.534 04/25/2008 Sev=Info/4 IKE/0x43000017
Marking IKE SA for deletion (I_Cookie=866216F65FF0571E R_Cookie=98FE3D252BB92390) reason = DEL_REASON_RESET_SADB

270 16:52:48.534 04/25/2008 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 12.26.39.2

271 16:52:48.534 04/25/2008 Sev=Info/4 IKE/0x4300004B
Discarding IKE SA negotiation (I_Cookie=866216F65FF0571E R_Cookie=98FE3D252BB92390) reason = DEL_REASON_RESET_SADB

272 16:52:48.535 04/25/2008 Sev=Info/4 CM/0x43100013
Phase 1 SA deleted cause by DEL_REASON_RESET_SADB. 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

273 16:52:48.535 04/25/2008 Sev=Info/4 CVPND/0x4340001C
Privilege Separation: restoring resolv.conf file.

274 16:52:48.535 04/25/2008 Sev=Info/4 CVPND/0x4340001D
Privilege Separation: chown( /var/run/resolv.conf, uid=0, gid=1 ).

275 16:52:48.537 04/25/2008 Sev=Info/5 CM/0x43100025
Initializing CVPNDrv

276 16:52:48.539 04/25/2008 Sev=Info/6 CM/0x43100031
Tunnel to headend device vpn.spgsolar.com disconnected: duration: 0 days 0:0:46

277 16:52:48.539 04/25/2008 Sev=Info/4 CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.

278 16:52:53.540 04/25/2008 Sev=Warning/2 CVPND/0xC3400018
Privilege Separation: root operation failed.

279 16:52:53.541 04/25/2008 Sev=Info/5 CM/0x43100025
Initializing CVPNDrv

280 16:52:53.541 04/25/2008 Sev=Info/4 CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.

281 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x43700013
Delete internal key with SPI=0x8fd9bd12

282 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x4370000C
Key deleted by SPI 0x8fd9bd12

283 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x43700013
Delete internal key with SPI=0x6bf02665

284 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x4370000C
Key deleted by SPI 0x6bf02665

285 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x43700010
Created a new key structure

286 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x4370000B
Key requested

287 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x43700013
Delete internal key with SPI=0x00000000

288 16:52:53.543 04/25/2008 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

289 16:52:53.543 04/25/2008 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

290 16:52:53.543 04/25/2008 Sev=Info/4 IPSEC/0x4370000A
IPSec driver successfully stopped

291 16:52:53.543 04/25/2008 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

292 16:52:53.543 04/25/2008 Sev=Warning/2 IKE/0x83000067
Received an IPC message during invalid state (IKE_MAIN:507)

n8236
Apr 25, 2008, 07:10 PM
Nothing shows up in the PPP log.

operator207
Apr 27, 2008, 06:28 PM
What is the IP range of the local network, and the IP range of the remote VPNed network?

It looks like they are both using the same subnet, which would not work unless your default route would be out the VPN, but then the internal network would not work.

Remember a VPN connection is much like a virtual network interface to a remote location (there is more to it though, such as encryption). It gives you access to the remote location's IP range/internal network. If your IP range and the IP range of the remote network are the same, and the internal network has precedence, you will never see the VPNed network.

I guess what I am saying is, you're getting connected fine, but since you're on the same subnet as the remote location, you will never see anything.

n8236
Apr 28, 2008, 05:46 PM
What is the IP range of the local network, and the IP range of the remote VPNed network?

It looks like they are both using the same subnet, which would not work unless your default route would be out the VPN, but then the internal network would not work.

Remember a VPN connection is much like a virtual network interface to a remote location (there is more to it though, such as encryption). It gives you access to the remote location's IP range/internal network. If your IP range and the IP range of the remote network are the same, and the internal network has precedence, you will never see the VPNed network.

I guess what I am saying is, you're getting connected fine, but since you're on the same subnet as the remote location, you will never see anything.

I think I may understand where you are coming from. You're suggesting that my IP range shouldn't be the same as that of the VPN? (like the example below?)

My home gateway being 192.168.1.1 while my IP is 192.168.1.2
My VPN's gateway being 192.168.1.1 while my IP on the vpn is 192.168.1.x

You are correct, the IP range of the VPN network and my home one are one and the same.

Is this what's causing my problem? And that I should change my home gateway to something other than that of the vpn network? I'm going to test that.

operator207
Apr 28, 2008, 07:07 PM
I think I may understand where you are coming from. You're suggesting that my IP range shouldn't be the same as that of the VPN? (like the example below?)

My home gateway being 192.168.1.1 while my IP is 192.168.1.2
My VPN's gateway being 192.168.1.1 while my IP on the vpn is 192.168.1.x

You are correct, the IP range of the VPN network and my home one are one and the same.

Is this what's causing my problem? And that I should change my home gateway to something other than that of the vpn network? I'm going to test that.

Yes. In your current setup, your machine has 2 interfaces on the same IP range. It does not know to send the VPN packets over the VPN interface.
Change your IP range on your local network to another range (192.168.55.x) or something like that.

n8236
Apr 28, 2008, 08:41 PM
Yes. In your current setup, your machine has 2 interfaces on the same IP range. It does not know to send the VPN packets over the VPN interface.
Change your IP range on your local network to another range (192.168.55.x) or something like that.

Brilliant, it worked! God, and I work in IT too! :D lol

I wonder why it worked before and then suddenly stopped working, how strange.

Here's a question. I see this as a temporary fix because, technically speaking, my machine is able to distinguish which interface is which and use my gateway to access the internet when connected via vpn.

Say (in an extreme case) I have 255 vpn connections using up the whole range of IPs (192.168.1.x to 192.168.255.x), how will I then remedy this? Change my subnet and use a different range of IPs?

God.......I can't believe I didn't think of this solution! I even posted on Experts-Exchange w/ 500 points and no one answered hehehe.

operator207
Apr 28, 2008, 10:31 PM
It possibly worked before because the OS was putting the VPN before the other interface. I deal with a lot of VPN connections, in this job and my last. I am not surprised about the "experts-exchange" site. There is a ton of good info put up there before it went completely pay, or whatever it is now. But now that it's restricted from anonymous use, it seems to have gone downhill in decent responses.

Just be glad you don't have to support Vista in a medical corp environment. Ya sure the pay is great, but the clients act like they are 10 years old. Seriously, you get an MD, and you become 10.

Back on topic, good to hear it works now.

Supp0rtLinux
Aug 9, 2008, 11:43 AM
I have the same problem described in this thread, but the solution didn't work. In my case, I have an MBP (10.5.4) with the latest Cisco VPN client installed. I have two connections... one to our Florida office, one to our California office. If I connect to the CA connection, all works fine... I can hit servers on the remote network, yet still browse my local LAN and resources without issue. But when I hit the FL VPN, I can only reach remote hosts and I suddenly become unable to browse local shares and my internet access gets bogged down as it routes through the VPN conn for everything.

At home, I'm using an AE in the 10.0.0.0 range. I know the FL conn is running in 10.1.1.0 (and FWIW, I know the CA conn uses 192.168), but since the netmasks are the same for my home 10.1.1.0 range and the FL 10.0.0.0 range, for the sake of it I re-IP'd my home LAN over to 172.16 (most home routers default to NAT and either 192.168 or 10.0.0.0, so I figured 172.16 was safe).

But moving to 172.16 didn't fix it for me. I even tried with it set to 172.16.254.0. I've compared both client configs and with the exception of the remote host they authenticate to, they are identical. In the Windows world with an MS VPN server, I know how to resolve this (there's an Advanced option under TCP/IP that says "use default gateway on remote network" that needs to be unchecked). I'm lost as to how to implement something similar in OS X... at least with the Cisco client.

Any thoughts would be much appreciated...

Queso
Aug 9, 2008, 11:55 AM
Sounds to me that the VPN Concentrator/ASA device in your FL office doesn't have split-tunnelling enabled in the policy delivered to clients in the VPN set up, but the one in CA does. Contact the sysadmin.

Supp0rtLinux
Aug 12, 2008, 08:37 AM
Thanks... I escalated to our network admin and he fixed it, and here's what he had to say:

I applied the correct access list to the split tunneling command. Basically told the VPN to route 10.1.1.0/16 to 10.1.16.0/23 to the tunnel and the rest goes out to the internet.
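The thread ends up describing two different routing failures with the same symptom (no internet, no LAN once the tunnel is up): in n8236's case the SPLIT_NET the headend pushes (192.168.1.0/24 in the log above) is the same subnet the MacBook's en1 already sits on, so the host cannot tell LAN traffic from tunnel traffic; in Supp0rtLinux's FL case no split-include list is pushed at all, so everything, LAN and internet included, is routed into the tunnel until the admin fixes the split-tunnel access list. The script below is an added example, not code from the thread or from Cisco. It reads the two artifacts posted here, the Cisco VPN Client log and the ifconfig -a output, and reports either condition. The sample inputs are constructed: the log and ifconfig snippets are trimmed from what n8236 posted, while FULL_TUNNEL_LOG (a reply with no split-include attribute) and FIXED_IFCONFIG (the LAN moved to 192.168.55.0/24 as operator207 suggested) are my own, since no log was posted for the FL connection.

```python
"""Added example: spot the two routing problems from this thread by checking a
Cisco VPN Client log (Mode-Config reply) against the local ifconfig output."""
import ipaddress
import re

# Constructed sample: Mode-Config lines trimmed from the log posted in the thread.
SAMPLE_LOG = """\
228 16:52:02.134 04/25/2008 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.10.209
234 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
235 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000F
SPLIT_NET #1
subnet = 192.168.1.0
mask = 255.255.255.0
"""
# Constructed: what a headend that pushes no split-include list would log.
FULL_TUNNEL_LOG = """\
228 16:52:02.134 04/25/2008 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.1.1.209
"""
# Constructed from the ifconfig -a output posted above (IPv4 lines only).
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1356
    inet 192.168.1.47 netmask 0xffffff00 broadcast 192.168.1.255
"""
# Constructed: the same host after moving the LAN to 192.168.55.0/24.
FIXED_IFCONFIG = """\
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1356
    inet 192.168.55.47 netmask 0xffffff00 broadcast 192.168.55.255
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]{8})")
ASSIGNED_RE = re.compile(r"INTERNAL_IPV4_ADDRESS: , value = (\d+\.\d+\.\d+\.\d+)")
SUBNET_RE = re.compile(r"^\s*subnet = (\d+\.\d+\.\d+\.\d+)")
MASK_RE = re.compile(r"^\s*mask = (\d+\.\d+\.\d+\.\d+)")


def parse_local_networks(ifconfig_text: str) -> dict[str, ipaddress.IPv4Network]:
    """Map interface name -> IPv4 network, converting the 0xffffff00 mask form."""
    nets: dict[str, ipaddress.IPv4Network] = {}
    iface = None
    for line in ifconfig_text.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif (m := INET_RE.match(line)) and iface:
            addr, mask_hex = m.groups()
            mask = ipaddress.IPv4Address(int(mask_hex, 16))   # 0xffffff00 -> 255.255.255.0
            nets[iface] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return nets


def parse_mode_config(log_text: str) -> dict:
    """Pull the assigned tunnel address and the SPLIT_NET list out of the log."""
    cfg: dict = {"assigned_ip": None, "split_nets": []}
    subnet = None
    for line in log_text.splitlines():
        if m := ASSIGNED_RE.search(line):
            cfg["assigned_ip"] = ipaddress.IPv4Address(m.group(1))
        elif m := SUBNET_RE.match(line):
            subnet = m.group(1)                  # remembered until the mask line
        elif (m := MASK_RE.match(line)) and subnet:
            cfg["split_nets"].append(
                ipaddress.IPv4Network(f"{subnet}/{m.group(1)}", strict=False))
            subnet = None
    return cfg


def diagnose(log_text: str, ifconfig_text: str) -> list[str]:
    """Return findings; an empty list means the LAN and the tunnel can coexist."""
    cfg = parse_mode_config(log_text)
    findings: list[str] = []
    if not cfg["split_nets"]:
        findings.append("full tunnel: no split-include list was pushed, so the "
                        "default route goes into the VPN and LAN/internet traffic "
                        "is sent to the headend")
    for name, net in parse_local_networks(ifconfig_text).items():
        if net.is_loopback:
            continue
        for split in cfg["split_nets"]:
            if net.overlaps(split):
                findings.append(f"{name} ({net}) overlaps split-tunnel network "
                                f"{split}: the host cannot tell LAN from VPN traffic")
    return findings


def main() -> None:
    cases = [
        ("LAN 192.168.1.0/24, split net 192.168.1.0/24", SAMPLE_LOG, SAMPLE_IFCONFIG),
        ("LAN re-addressed to 192.168.55.0/24", SAMPLE_LOG, FIXED_IFCONFIG),
        ("headend pushes no split-include list", FULL_TUNNEL_LOG, FIXED_IFCONFIG),
    ]
    for label, log, ifc in cases:
        print(f"== {label}")
        for finding in diagnose(log, ifc) or ["no routing conflict detected"]:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

Run it as-is to see the three cases, or feed it your own log and `ifconfig -a` text: the first case reproduces n8236's overlap on en1, the second shows it gone once the LAN is re-addressed, and the third reproduces the FL-office symptom, where the absence of any SPLIT_NET entry is the tell that the headend's split-tunnel policy (the access list the admin later applied) is missing.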