LAN access with the Cisco AnyConnect Secure Mobility Client v. 3.0.4235

Whenever I connect to a VPN server with the Cisco AnyConnect Secure Mobility Client v. 3.0.4235 (and probably other versions too), I lose access to my LAN. I was hoping to fix this by manually adding back some of the routes that AnyConnect deletes.

Below is my setup, with the routes before and after connecting. I have a machine with two physical NICs:

NIC1, gateway to the Internet

Address 10.191.244.10 Mask 255.255.255.0 Gateway: 10.191.244.1 

NIC2

 Address 172.16.97.1 Mask 255.255.0.0 Gateway: N/A 

Device connected to NIC2

 Address 192.16.97.2 Mask 255.255.0.0 Gateway: N/A 

Edit: note that the VPN connection and the LAN connection are not on the same physical NIC/link, and the two NICs are not connected to the same network (one is connected to 10.191.244.0/24, the other to 172.16.97.0/20).

Routes and ARP table before connecting to the VPN

    ===========================================================================
    Interface List
     15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
     14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
      1...........................Software Loopback Interface 1
     11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
         10.191.244.0    255.255.255.0         On-link     10.191.244.11    261
        10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
       10.191.244.255  255.255.255.255         On-link     10.191.244.11    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           172.16.0.0      255.255.0.0         On-link       172.16.97.1    261
          172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
       172.16.255.255  255.255.255.255         On-link       172.16.97.1    261
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
            224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
      255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0     10.191.244.1  Default
    ===========================================================================

    ## ARP ##
    Interface: 10.191.244.11 --- 0xe
      Internet Address      Physical Address      Type
      10.191.244.1          c4-05-28-c9-fd-63     dynamic
      10.191.244.20         00-c0-3d-00-53-0d     dynamic
      10.191.244.255        ff-ff-ff-ff-ff-ff     static
      224.0.0.22            01-00-5e-00-00-16     static
      224.0.0.251           01-00-5e-00-00-fb     static
      224.0.0.252           01-00-5e-00-00-fc     static
      239.255.255.250       01-00-5e-7f-ff-fa     static

    Interface: 172.16.97.1 --- 0xf
      Internet Address      Physical Address      Type
      172.16.97.2           00-80-2f-17-26-06     dynamic
      172.16.97.3           00-80-2f-17-6a-44     dynamic
      172.16.255.255        ff-ff-ff-ff-ff-ff     static
      224.0.0.22            01-00-5e-00-00-16     static
      224.0.0.251           01-00-5e-00-00-fb     static
      224.0.0.252           01-00-5e-00-00-fc     static
      239.255.255.250       01-00-5e-7f-ff-fa     static

Routes and ARP table after connecting to the VPN

    ===========================================================================
    Interface List
     16...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
     15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
     14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
      1...........................Software Loopback Interface 1
     11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
              0.0.0.0          0.0.0.0    192.168.220.1  192.168.221.131      2
        10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
        192.168.220.0    255.255.254.0         On-link   192.168.221.131    257
      192.168.221.131  255.255.255.255         On-link   192.168.221.131    257
      192.168.221.255  255.255.255.255         On-link   192.168.221.131    257
         193.28.147.7  255.255.255.255     10.191.244.1    10.191.244.11      6
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
            224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
            224.0.0.0        240.0.0.0         On-link   192.168.221.131    257
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
      255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
      255.255.255.255  255.255.255.255         On-link   192.168.221.131    257
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0     10.191.244.1  Default
              0.0.0.0          0.0.0.0    192.168.220.1       1
    ===========================================================================

    ## ARP ##
    Interface: 10.191.244.11 --- 0xe
      Internet Address      Physical Address      Type
      10.191.244.1          c4-05-28-c9-fd-63     dynamic
      10.191.244.20         00-c0-3d-00-53-0d     dynamic
      224.0.0.22            01-00-5e-00-00-16     static
      224.0.0.251           01-00-5e-00-00-fb     static
      224.0.0.252           01-00-5e-00-00-fc     static
      239.255.255.250       01-00-5e-7f-ff-fa     static

    Interface: 172.16.97.1 --- 0xf
      Internet Address      Physical Address      Type
      172.16.97.2           00-80-2f-17-26-06     dynamic
      172.16.97.3           00-80-2f-17-6a-44     dynamic
      224.0.0.22            01-00-5e-00-00-16     static
      224.0.0.251           01-00-5e-00-00-fb     static
      224.0.0.252           01-00-5e-00-00-fc     static
      239.255.255.250       01-00-5e-7f-ff-fa     static

    Interface: 192.168.221.131 --- 0x10
      Internet Address      Physical Address      Type
      192.168.220.1         00-11-22-33-44-55     dynamic
      192.168.221.255       ff-ff-ff-ff-ff-ff     static
      224.0.0.22            01-00-5e-00-00-16     static
      224.0.0.251           01-00-5e-00-00-fb     static
      224.0.0.252           01-00-5e-00-00-fc     static
      239.255.255.250       01-00-5e-7f-ff-fa     static

A diff of the routes before and after AnyConnect shows that the route to the 172.16.0.0 network has been removed.

I tried adding it back:

 route ADD 172.16.0.0 MASK 255.255.0.0 172.16.97.1 

The route utility returns/prints "OK!", but the route never shows up in the routing table. I am running the route utility with elevated privileges. Can AnyConnect prevent me from adding new routes?

Is there any way to solve this on my client? The VPN server configuration cannot easily be changed.

The VPN administrator can enable/disable split tunneling from the VPN concentrator side. Even if you use a gateway on the local machine that connects to the VPN, I believe the Cisco client can enforce whatever policy your office has set for endpoints.

Ask the VPN administrator about this... I'm sure he/she will be happy to give you an explanation of why it was set up the way it is. 🙂

I found a solution to my problem. I simply use OpenConnect instead of Cisco's own client.

OpenConnect (http://www.infradead.org/openconnect/) is an open-source client for Cisco's AnyConnect SSL VPN, built around GnuTLS and OpenSSL. It runs on BSD, Linux, Mac and Windows.

For me it solved the problem on both Linux (Ubuntu 14, using the package network-manager-openconnect) and Windows (Win7 64-bit, using http://www.infradead.org/openconnect/gui.html / https://github.com/openconnect/openconnect-gui/wiki).

Below are the routes before and after the OpenConnect VPN connection. Compare these with the AnyConnect case, where the 172.16.0.0 route was removed.

I can now use both the VPN resources and my local LAN (in particular the sampling device at 172.16.97.2 on my network connection).

Routes before the OpenConnect connection:

    ===========================================================================
    Interface List
     20...00 ff 08 2c e8 75 ......TAP-Windows Adapter V9
     15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
     14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
      1...........................Software Loopback Interface 1
     11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
         10.191.244.0    255.255.255.0         On-link     10.191.244.11    261
        10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
       10.191.244.255  255.255.255.255         On-link     10.191.244.11    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           172.16.0.0      255.255.0.0         On-link       172.16.97.1    261
          172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
       172.16.255.255  255.255.255.255         On-link       172.16.97.1    261
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
            224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
      255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0    192.168.220.1       1
              0.0.0.0          0.0.0.0     10.191.244.1  Default
    ===========================================================================

Routes after the OpenConnect connection:

    ===========================================================================
    Interface List
     20...00 ff 08 2c e8 75 ......TAP-Windows Adapter V9
     15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
     14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
      1...........................Software Loopback Interface 1
     11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
              0.0.0.0          0.0.0.0    192.168.220.1  192.168.221.140      2
         10.191.244.0    255.255.255.0         On-link     10.191.244.11    261
        10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
       10.191.244.255  255.255.255.255         On-link     10.191.244.11    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           172.16.0.0      255.255.0.0         On-link       172.16.97.1    261
          172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
       172.16.255.255  255.255.255.255         On-link       172.16.97.1    261
        192.168.220.0    255.255.254.0         On-link   192.168.221.140    257
      192.168.221.140  255.255.255.255         On-link   192.168.221.140    257
      192.168.221.255  255.255.255.255         On-link   192.168.221.140    257
         193.28.147.7  255.255.255.255     10.191.244.1    10.191.244.11      6
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
            224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
            224.0.0.0        240.0.0.0         On-link   192.168.221.140    257
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
      255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
      255.255.255.255  255.255.255.255         On-link   192.168.221.140    257
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0     10.191.244.1  Default
              0.0.0.0          0.0.0.0    192.168.220.1       1
    ===========================================================================

This is probably the most frequently asked question about VPN access.

Search for "split tunneling".

In short, it seems split tunneling is not enabled in your VPN configuration.

So when connected to your VPN, you end up with two default gateways:

              0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
              0.0.0.0          0.0.0.0    192.168.220.1  192.168.221.131      2

When VPN access is set up without split tunneling, the VPN client is basically required to route all traffic to the VPN endpoint.

That is why you "lose" access to your LAN.
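As an added example (not part of any post in this thread), a small Python script that does the before/after comparison from the question mechanically: it parses the `Active Routes:` section of two Windows `route print` captures, lists the routes the VPN client removed and added, and collects the gateways of all 0.0.0.0/0 routes, so the "two default gateways" sign of a tunnel-all policy from the last answer shows up as a list of length two. The embedded captures are abridged copies of the tables above, constructed for this example.

```python
import re

# Abridged copies of the poster's `route print` output, constructed for this
# example from the tables above (only rows relevant to the question are kept).
BEFORE = """Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
     10.191.244.0    255.255.255.0         On-link     10.191.244.11    261
       172.16.0.0      255.255.0.0         On-link       172.16.97.1    261
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
==========================================================================="""

AFTER = """Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
          0.0.0.0          0.0.0.0    192.168.220.1  192.168.221.131      2
    10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
    192.168.220.0    255.255.254.0         On-link   192.168.221.131    257
==========================================================================="""

# One data row: destination, netmask, gateway, interface, numeric metric.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_active_routes(text):
    """Map (destination, netmask, gateway, interface) -> metric for the
    IPv4 'Active Routes:' section; stops at the '====' separator."""
    routes, active = {}, False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            active = True
        elif active and line.startswith("==="):
            break
        elif active and (m := ROW.match(line)):  # header row has no numeric metric
            *key, metric = m.groups()
            routes[tuple(key)] = int(metric)
    return routes

def diff_routes(before, after):
    """Routes the VPN client removed and added, as two sorted lists."""
    return sorted(set(before) - set(after)), sorted(set(after) - set(before))

def default_gateways(routes):
    """Gateways of every 0.0.0.0/0 route; two of them is the 'two default
    gateways' symptom of a tunnel-all (no split tunneling) VPN policy."""
    return sorted(gw for (dest, mask, gw, _) in routes if dest == mask == "0.0.0.0")
```

Feed it two real captures and the removed list is exactly the LAN route the question is about, while the default-gateway list tells you at a glance whether the concentrator is pushing a tunnel-all policy.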