vpn/ split tunnel question
Posted by dt1649651@yahoo.com on July 28th, 2005


I have IPSec VPN between my remote office and my office.

I would like to split tunnel so that everything in the remote office
will go to the tunnel except the local lan.

Currently I can only split tunnel by specifying things like
permit ip network A any
permit ip network B any

then all traffic from remote office to A or B will be encrypted.

But how can I specify the *ALL but one* ?

Thanks for your help,

DT

Posted by Jyri Korhonen on July 28th, 2005


<dt1649651@yahoo.com> wrote:

I'm not sure if I understood you correctly, but here
we go:

There's no need to exclude the local LAN IP range from
the VPN tunnel definition. PIX acts as a gateway and
when devices in the same network talk to each other
they will not use any gateways. So if your remote LAN
has an IP range 192.168.1.0/24 then you can use an
access-list like

access-list VPN permit ip 192.168.1.0 255.255.255.0 any

if you want all outgoing traffic to go through the tunnel.


Posted by dt1649651@yahoo.com on July 28th, 2005


Jyri Korhonen wrote:
Thanks, Jyri. My VPN terminator is a Cisco router. I have no problem
accessing the remote LANs or the Internet (through the VPN gateway).

My problem is I would not be able to access the local LAN if I did not
add one more ACL to allow the traffic between my local lan subnet and
the vpn subnet.

I turned on the debug and saw that all my packets from my notebook to my
local server (yes, absolutely local) go to the router and then come
back.

That's why I am looking for a setting with which the VPN Client will not
tunnel my local traffic to the VPN terminator router.

DT


Posted by rave on August 1st, 2005


If you are using split tunnel, then only traffic in the secured routes
will go via the tunnel; all your other traffic will go via your local
NIC.
If you are seeing the above behaviour, then I think the split tunnel is
not set up correctly.

Posted by dt1649651@yahoo.com on August 2nd, 2005



rave wrote:
That's true. My problem here is that if I set up a finite set of routes,
then I can just list those routes in the ACL and it works.

But in this case, I would like to have *all* routes except one go to the
tunnel. How can I exclude just one route?

Thanks,

DT
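The thread never spells out how the "all but one" crypto ACL would be evaluated, so here is an added example that is not from any of the posters: a small Python model of a Cisco IOS crypto-map ACL (wildcard-mask syntax, first-match evaluation, implicit deny at the end, where `deny` means "do not encrypt, send in the clear"). It shows that a `permit ... any` line alone tunnels the local LAN too, and that a `deny` line for the local subnet placed before the `permit any` expresses "everything except the local LAN". The ACL lines, the 192.168.1.0/24 LAN and 10.0.0.0/8 office network are constructed for the example. Caveat: this models the crypto ACL on a site-to-site IOS router; whether a VPN client's pushed split-tunnel list honours `deny` entries depends on the client and server product, so check the relevant documentation before relying on it.

```python
"""Model of Cisco IOS crypto-ACL ("interesting traffic") evaluation.
Added illustration; not code from the forum posters. Addresses and ACLs
below are constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                    # "permit" (encrypt) or "deny" (bypass tunnel)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_target(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard mask: set bits are "don't care". Invert explicitly to get a
    # netmask (0.0.0.0 is a host wildcard, not a /0). Non-contiguous
    # wildcards are rejected by ipaddress, which is fine for this model.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(lines):
    """Parse lines of the form: access-list <id> <permit|deny> ip <src> <dst>."""
    aces = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        _, _acl_id, action, proto, *rest = tokens
        if proto != "ip":
            raise ValueError("only 'ip' ACEs are modelled here")
        src, rest = _parse_target(rest)
        dst, rest = _parse_target(rest)
        aces.append(Ace(action, src, dst))
    return aces


def is_interesting(aces, src_ip, dst_ip):
    """First-match crypto-ACL evaluation.
    True  -> packet is encrypted and sent through the IPsec tunnel
    False -> packet bypasses the tunnel (explicit deny or implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False                   # implicit deny at the end of every ACL


# Jyri's suggestion, rewritten in IOS wildcard syntax: tunnel everything.
TUNNEL_ALL_ACL = [
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 any",
]

# "All but one": exempt LAN-to-LAN traffic first, then tunnel the rest.
ALL_BUT_LOCAL_ACL = [
    "access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 any",
]

# Constructed flows from DT's notebook (192.168.1.10): local server,
# a host at the main office, and an Internet host.
FLOWS = [
    ("192.168.1.10", "192.168.1.20"),
    ("192.168.1.10", "10.1.1.5"),
    ("192.168.1.10", "8.8.8.8"),
]


def classify(acl_lines, flows=FLOWS):
    """Return {(src, dst): "tunnel" | "local"} for each flow under the ACL."""
    aces = parse_acl(acl_lines)
    return {f: ("tunnel" if is_interesting(aces, *f) else "local") for f in flows}


if __name__ == "__main__":
    for name, acl in (("tunnel-all", TUNNEL_ALL_ACL), ("all-but-local", ALL_BUT_LOCAL_ACL)):
        print(name)
        for flow, where in classify(acl).items():
            print(f"  {flow[0]} -> {flow[1]}: {where}")
```

Run it and the local-server flow comes out as `tunnel` under the permit-only ACL (DT's debug observation) and `local` under the deny-then-permit ACL, while office and Internet traffic still goes through the tunnel in both cases. Order matters: the `deny` must precede the `permit any`, since evaluation stops at the first match.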


