Firewalls
PIX to PIX Certificate VPN question Jun 09 2006 02:12PM
Conlan Adams (conlan midwesteyebanks org) (2 replies)
RE: PIX to PIX Certificate VPN question Jun 09 2006 05:32PM
Brandon Harris (brandon harris comcast net)
Re: PIX to PIX Certificate VPN question Jun 09 2006 05:01PM
Aaron Rohyans (aaronr imcu com) (1 replies)
I may be misunderstanding you, but why do you have to use names within your certs to activate your split tunnel? Why can't you define the group and create a split tunnel ACL within it on both ends to serve as the basis for split-tunneling?

access-list nonat permit ip <local ip><local sub> <remote ip><remote sub>

isakmp policy 5 authentication rsa
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400

vpngroup mygroup address-pool myaddresspool
vpngroup mygroup dns-server X.X.X.X
vpngroup mygroup wins-server X.X.X.X
vpngroup mygroup split-tunnel nonat
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********

Or are you using an EasyVPN client/server setup?

Aaron
----- Original Message -----
From: Conlan Adams
To: firewalls (at) securityfocus (dot) com [email concealed]
Sent: Friday, June 09, 2006 10:12 AM
Subject: PIX to PIX Certificate VPN question

Stupid question that I am having a heck of a time finding an answer for when I search the web.

I have a remote access setup, where I have a PIX 515E inhouse, and several 501s outhouse. All of them have validated certs, but I am having issues with my split-tunnel implementation.

After much digging, I seem to have found that the split tunnel isn't propagating the ACLs because the vpngroup isn't being set properly on the 501s. They are connecting, and authenticating properly, and all traffic is sent over, but since the split-tunnel has to be assigned by name, it's not carrying over.

The PIXs are connecting fine, and passing traffic, just not running the split-tunnel.

Any thoughts on how I set the vpngroup on the 501s? I attempted to set an OU with the ca subject-name command, but it doesn't seem to help.

Thanks in advance

Conlan Adams

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

[ reply ]
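The reply above ties split tunnelling to a vpngroup that names an access-list. A mistake that is easy to make on a PIX is a vpngroup whose split-tunnel ACL is never defined (so nothing is split) or an ACL with a permit from source any (which, since the split-tunnel ACL enumerates the networks reached through the tunnel, sends everything through it). The following checker is an added example written for this page, not code from the thread or from Cisco; the configuration it parses is constructed to resemble the snippet in the reply, the addresses and group names are placeholders, and it assumes the PIX 6.x keywords shown there (rsa-sig being the certificate-authentication keyword for isakmp policy).

```python
import re
from collections import defaultdict

# Constructed PIX 6.x-style configuration modeled on the reply's snippet.
# Addresses, ACL names and group names are placeholders, not from a real device.
SAMPLE_CONFIG = """\
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list tunnel-all permit ip any any
isakmp policy 5 authentication rsa-sig
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
vpngroup mygroup address-pool myaddresspool
vpngroup mygroup dns-server 192.168.10.5
vpngroup mygroup split-tunnel nonat
vpngroup mygroup idle-time 1800
vpngroup branch split-tunnel split-branch
vpngroup everything split-tunnel tunnel-all
"""

# access-list <name> permit|deny <proto> <source ...> <dest ...>
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
# vpngroup <group> split-tunnel <acl-name>
SPLIT_RE = re.compile(r"^vpngroup\s+(\S+)\s+split-tunnel\s+(\S+)\s*$")


def parse_config(text):
    """Collect access-list entries by name and the split-tunnel ACL per vpngroup."""
    acls = defaultdict(list)
    split_tunnel = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls[name].append((action, proto, rest.split()))
            continue
        m = SPLIT_RE.match(line)
        if m:
            split_tunnel[m.group(1)] = m.group(2)
    return dict(acls), split_tunnel


def audit_split_tunnel(text):
    """Return (group, finding, acl) tuples for vpngroups whose split tunnel is broken.

    undefined-acl       the vpngroup names an access-list that does not exist
    tunnels-everything  a permit entry with source 'any' pushes all traffic into the tunnel
    """
    acls, split_tunnel = parse_config(text)
    findings = []
    for group, acl in sorted(split_tunnel.items()):
        entries = acls.get(acl)
        if entries is None:
            findings.append((group, "undefined-acl", acl))
            continue
        for action, _proto, fields in entries:
            if action == "permit" and fields[:1] == ["any"]:
                findings.append((group, "tunnels-everything", acl))
                break
    return findings


if __name__ == "__main__":
    for group, finding, acl in audit_split_tunnel(SAMPLE_CONFIG):
        print(f"vpngroup {group}: {finding} (split-tunnel {acl})")
```

Run against a `show running-config` dump instead of the constructed text to check a live box; only the two vpngroup lines that are actually wrong (an unknown ACL and a permit-any ACL) are reported, and `mygroup` with its nonat ACL passes.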
RE: PIX to PIX Certificate VPN question Jun 09 2006 08:03PM
Conlan Adams (conlan midwesteyebanks org) (1 replies)
Re: PIX to PIX Certificate VPN question Jun 09 2006 08:34PM
Aaron Rohyans (aaronr imcu com) (1 replies)
RE: PIX to PIX Certificate VPN question Jun 09 2006 09:51PM
Conlan Adams (conlan midwesteyebanks org)

Copyright 2010, SecurityFocus