
My question is related to this: How to force split tunnel routing on Mac to a Cisco VPN

I am having a bit of a hard time, though, figuring out what to do. The problem I have is that, after I connect to the VPN, the internet becomes much slower (the Cisco client has been configured with split-tunnel, I think). I am not too sure if all my internet traffic goes to the VPN server and back. Someone asked this question: Cisco VPN Client - External URL are tracked?, however, it's not clear to me whether the traffic is logged or not by the company. Every time I access a page the statistics for the Cisco client change. Does it mean that my network traffic reaches the VPN server and is logged?

Using the Network Utility, netstat displays a lot of connections established through utun0, which is the interface created by the VPN client.

I also noticed that the Cisco VPN client has added all sorts of rules to the list (viewable via sudo ipfw list). There are IP addresses in the list that I don't recognise. The interesting thing is that I no longer see the IP addresses of the servers that I have access to.

So, I want my internet speed to get back to the way it was, and I want only the requests to the internal servers I have access to to go to the VPN server.

Is this achievable? Let me know if there is more information that I should provide.

Thanks

boggy

1 Answer


It should be achievable as long as you have local admin access. As indicated in the links you've provided, what you basically need to do is alter the routing tables such that all traffic to particular servers/networks goes only via the VPN while the rest goes out through the standard Internet interface.

To test, you can use something like 'traceroute' to track the path that a packet is likely to take as it goes to a destination.

http://en.wikipedia.org/wiki/Traceroute

Another way is to use a packet sniffer like 'Wireshark' to see which interface traffic goes out of when you send traffic to a particular destination.

Namely, does it go through the VPN to the Internet and vice versa, or does it go straight to the Internet? What I'm guessing we're seeing here is basically that the application is misconfigured?

Sorry, coming to grips with this website...

Anyhow, Mac OS X essentially uses a BSD core, which means it's reliant on tools from the same heritage. It also means that, if you think carefully, ipfw (firewall) and the routing tables can obviously overlap (rejected/redirected traffic from ipfw can automatically force traffic to take a different route than normal).

http://freebsd.org/doc/en/books/handbook/firewalls-ipfw.html

So how do you deal with this?

Ask for the admin to reconfigure the device/client/application in question to give you more normal routing tables.

Stop Cisco AnyConnect from locking down the NIC

Try and find a way around these problems by invoking local admin rights (I don't have test gear so I can't test) and altering the rulesets in question to give you more normal routing behaviour.

Cisco AnyConnect profile keeps getting overwritten

Set up the client within a virtual machine so that the routing rules are pushed to that particular operating system and not to your base system.

http://www.vmware.com/au

https://www.virtualbox.org/

dtbnguyen
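As an added example (not part of the answer above, nor Cisco's tooling), here is a Python script that parses macOS `netstat -rn` output and reports which destinations the kernel would send over the VPN interface (utun0 in the question), so you can check whether the client installed a full tunnel before touching any routes. The routing-table text is a constructed sample; the "0/1 plus 128.0/1" check reflects a common way VPN clients shadow the default route without deleting it, and is my assumption about this client.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample of `netstat -rn` (macOS) with the VPN connected.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGScg          en0
0/1                10.200.0.1         UGSc         utun0
128.0/1            10.200.0.1         UGSc         utun0
10.0/16            10.200.0.1         UGSc         utun0
10.200.0.1         10.200.0.5         UH           utun0
127                127.0.0.1          UCS            lo0
192.168.1          link#6             UCS            en0
"""

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    iface: str

def _parse_dest(dest: str) -> ipaddress.IPv4Network:
    """Expand netstat shorthand ('10.0/16', '127', '0/1') into a network."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    # No prefix: shorthand like '127' is /8, a full 4-octet address is a host.
    plen = int(prefix) if prefix else 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen}", strict=False)

def parse_routes(text: str) -> list:
    """Parse the IPv4 section of `netstat -rn` into Route tuples."""
    routes, in_inet = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        parts = line.split()
        if not in_inet or len(parts) < 4 or parts[0] == "Destination":
            continue
        routes.append(Route(_parse_dest(parts[0]), parts[1], parts[3]))
    return routes

def classify(routes: list, vpn_iface: str = "utun0") -> tuple:
    """Return (is_full_tunnel, networks routed via vpn_iface)."""
    vpn_nets = {r.network for r in routes if r.iface == vpn_iface}
    halves = {ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")}
    full = ipaddress.IPv4Network("0.0.0.0/0") in vpn_nets or halves <= vpn_nets
    return full, sorted(vpn_nets)

def route_for(routes: list, dst: str) -> Optional[Route]:
    """Longest-prefix match, the same choice the kernel makes for dst."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None
```

Run it against the live table with `netstat -rn | python3 check_routes.py` after replacing the sample with `sys.stdin.read()`; a result of `is_full_tunnel=True` explains both the slowdown and the changing client statistics.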