mcm0362

Network connect split tunnelling problem

Hello,

I have an SA 2000 for users who connect via Network Connect. I would like to use the split tunnelling feature, but it doesn't work.

I tried to use "Allow access to local subnet", but I have to add a manual route to access the local network outside the tunnel.

Can you help me?

My SA version is 5.3R3.

Marco

DougR

Re: Network connect split tunneling problem

The Network Connect 'allow access to the local subnet' is client side. Its local network would change for each location where Network Connect was launched. The routing should only add routes off the Internal Interface and its subnets. The only routes I've ever needed to add are ones for the subnet local to the Internal Interface on the SA.

I'm using 6.1R2 currently.

alan

Re: Network connect split tunneling problem

Agreed with DougR above.

Check your Network Connect Split Tunneling Policies and Network Connect Connection Profiles.

You should not need to add any routes on the IVE. The IVE will route based on the NC Pool and the split-tunnel networks you have defined.

Message Edited by alan on 04-23-2008 11:34 AM
mcm0362

Re: Network connect split tunneling problem

Hi,

When I use the option "Allow access to local subnet" I see on my client that all the routing is directed to the Network Connect adapter.

If I manually add a static route on the client for the local subnet, all works fine.

I have checked the resources policy, but it is OK.

Many thanks

Marco

Rush

Re: Network connect split tunnelling problem

One thing to keep in mind is that split tunnelling has a specific purpose. It is used to route certain traffic to your internal network, and force all other traffic out the user's remote ISP.

In your split tunnelling policies, you will want to add the IP addresses (or a network range) of what you want to access on the internal network with Network Connect, like:

172.18.0.0/16 will force all 172.18 traffic through the IVE and to the internal network. It also works the same if you put in single IP addresses (one per line). Anything OUTSIDE the split tunnelling will be routed through their local ISP, bypassing the IVE entirely.

Also keep in mind that these will need to be specified in your Network Connect Access Control list with an allow policy (default policy is set to allow *:*).

Another thing I've seen happen is if you have the Network Connect DHCP network server IP address conflicting with an address on your network, this causes issues with ST - by default it's set at 10.200.200.200, and can be changed under the system > network > network connect setting.

Please give this a try and see if this helps to resolve your issue.
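
Added example, not part of any post in this thread and not Juniper code: a small Python model of the split-tunnel decision described in the last reply, plus a check for the Network Connect DHCP server address falling inside an internal range. The policy entries other than 172.18.0.0/16, the test destinations and the 10.200.0.0/16 range are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample policy: one network or single IP per line, as the reply describes.
SPLIT_TUNNEL_POLICY = """\
172.18.0.0/16
192.0.2.10
"""
NC_DHCP_SERVER = "10.200.200.200"  # default value quoted in the reply


def parse_policy(text):
    """Turn policy lines into networks; a bare IP address becomes a /32."""
    return [ipaddress.ip_network(line.strip())
            for line in text.splitlines() if line.strip()]


def path_for(dest, tunnel_nets):
    """Return 'tunnel' if dest matches a split-tunnel entry, else 'local ISP'."""
    addr = ipaddress.ip_address(dest)
    return "tunnel" if any(addr in net for net in tunnel_nets) else "local ISP"


def dhcp_conflicts(dhcp_ip, internal_nets):
    """List internal networks whose range contains the NC DHCP server address."""
    addr = ipaddress.ip_address(dhcp_ip)
    return [str(net) for net in internal_nets if addr in net]


if __name__ == "__main__":
    nets = parse_policy(SPLIT_TUNNEL_POLICY)
    for dest in ("172.18.4.7", "192.0.2.10", "192.0.2.11", "198.51.100.20"):
        print(f"{dest:15} -> {path_for(dest, nets)}")
    # Constructed internal range that happens to contain the default DHCP address.
    internal = nets + [ipaddress.ip_network("10.200.0.0/16")]
    print("DHCP server overlaps:", dhcp_conflicts(NC_DHCP_SERVER, internal))
```

A non-empty result from `dhcp_conflicts` only means the address sits inside a range you use, so it is a prompt to check for a real collision rather than proof of one.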
