Good afternoon.
I have run into a similar problem: the VPN tunnel and Internet access do not work at the same time. The split-tunnel problem occurs only on the 2911 running IOS 15.1.4M2; a similar config works fine on the 1841 running IOS 12.4. Has anyone solved this problem? Config below.
EzVPN server:
- ASA 5510
Clients:
- EzVPN client Cisco 1841, IOS 12.4
- EzVPN client Cisco 2911, IOS 15.1.4M2
Configured on the client:
crypto isakmp policy 10
encr aes 256
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp nat keepalive 10
crypto ipsec client ezvpn EZ-BACKUP
connect auto
mode network-extension
peer x.x.x.42
peer y.y.y.242
acl EZVPN-ROUTEINJECTION
virtual-interface 1
username TEST password TEST
xauth userid mode local
crypto ipsec client ezvpn EZ
connect auto
backup EZ-BACKUP track 102
mode network-extension
peer y.y.y.242
peer x.x.x.42
acl EZVPN-ROUTEINJECTION
virtual-interface 1
username TEST password TEST
xauth userid mode local
ip access-list extended EZVPN-ROUTEINJECTION
permit ip 192.168.248.0 0.0.0.255 any
permit ip 10.1.248.0 0.0.0.255 any
interface gi0/0
description DMZ $FW_INSIDE$
ip address 10.1.248.21 255.255.255.0
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
ip nat inside
crypto ipsec client ezvpn EZ inside
crypto ipsec client ezvpn EZ-BACKUP inside
exit
interface gi0/1
description MAIN-CHANNEL $FW_OUTSIDE$
ip address z.z.z.z 255.255.255.248
no ip proxy-arp
ip nbar protocol-discovery
ip virtual-reassembly
ip route-cache flow
ip nat outside
crypto ipsec client ezvpn EZ
exit
interface gi0/2
description SECOND-CHANNEL $FW_OUTSIDE$
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
exit
interface Dialer0
description PPPoE BACKUP-CHANNEL-to-Internet $FW_OUTSIDE$
bandwidth 10000
ip address negotiated
no ip redirects
no ip unreachables
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
no cdp enable
ppp authentication pap callin
ppp pap sent-username TEST password TEST
ip nat outside
crypto ipsec client ezvpn EZ-BACKUP
exit
interface Virtual-Template1 type tunnel
description VPN CISCO-CISCO DIALOUT $FW_OUTSIDE$
no ip address
ip virtual-reassembly
no logging event link-status
tunnel mode ipsec ipv4
exit
route-map NAT-Init-Main permit 10
match ip address NAT-Init
match interface gi0/1
route-map NAT-Init-Backup permit 10
match ip address NAT-Init
match interface Dialer0
ip access-list extended NAT-Init
deny ip 192.168.248.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.248.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.1.248.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 10.1.248.0 0.255.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.248.0 0.0.0.255 any
permit ip 10.1.248.0 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 gi0/1 30 track 102
ip route 0.0.0.0 0.0.0.0 Dialer0 40 track 202
ip nat inside source route-map NAT-Init-Main interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-Init-Backup interface Dialer0 overload
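As an added example (not part of the original post or the poster's own tooling), here is a small Python config-review script for the ACL side of a split-tunnel setup like the one above. It parses IOS extended ACL entries with wildcard masks into networks, flags address/wildcard pairs where the address has bits set in don't-care positions (IOS accepts such an entry, but it then matches the whole enclosing block, which usually means a mistyped mask), and checks that every source network in the EzVPN route-injection ACL is covered by a deny entry in the NAT route-map ACL, so tunnel-bound traffic is exempted from PAT before it enters the tunnel. The embedded ACL text is copied from the post's config; the function names and the review logic are my own assumptions, not a Cisco tool. Run on the post's ACLs it reports the two NAT-Init entries that pair 10.1.248.0 with 0.255.255.255, which actually match all of 10.0.0.0/8.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the route-injection ACL and the NAT ACL copied from the post.
ACL_TEXT = """\
ip access-list extended EZVPN-ROUTEINJECTION
 permit ip 192.168.248.0 0.0.0.255 any
 permit ip 10.1.248.0 0.0.0.255 any
ip access-list extended NAT-Init
 deny ip 192.168.248.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 192.168.248.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.1.248.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny ip 10.1.248.0 0.255.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.248.0 0.0.0.255 any
 permit ip 10.1.248.0 0.0.0.255 any
"""


@dataclass
class Ace:
    """One access-control entry: action plus source and destination networks."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    warnings: list


def wildcard_to_network(addr: str, wildcard: str):
    """Convert an IOS address/wildcard pair to a network.

    Returns (network, warning). The warning is set when the address has bits set
    in positions the wildcard marks as don't-care: the entry then matches the
    whole enclosing block, which is usually a typed mask
    (e.g. 0.255.255.255 where 0.0.0.255 was meant).
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # contiguous wildcard masks are of the form 2^n - 1
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefixlen = 32 - wc.bit_length()
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    warning = None
    if int(net.network_address) != int(ipaddress.IPv4Address(addr)):
        warning = f"{addr} {wildcard} has host bits set; it actually matches {net}"
    return net, warning


def _take_operand(tokens, i):
    """Parse one source/destination operand (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), None, i + 2
    net, warn = wildcard_to_network(tokens[i], tokens[i + 1])
    return net, warn, i + 2


def parse_acls(text):
    """Parse 'ip access-list extended' blocks into {name: [Ace, ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tokens[3], [])
            continue
        if current is not None and tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            src, w1, i = _take_operand(tokens, 2)
            dst, w2, _ = _take_operand(tokens, i)
            current.append(Ace(tokens[0], src, dst, [w for w in (w1, w2) if w]))
    return acls


def review_nat_exemption(acls, vpn_acl="EZVPN-ROUTEINJECTION", nat_acl="NAT-Init"):
    """Return (findings, uncovered): mask warnings from both ACLs, and the VPN
    source networks that no NAT deny entry covers (that traffic would be
    translated before it reaches the tunnel)."""
    findings = []
    for ace in acls[nat_acl] + acls[vpn_acl]:
        findings.extend(ace.warnings)
    denies = [a for a in acls[nat_acl] if a.action == "deny"]
    uncovered = []
    for ace in acls[vpn_acl]:
        if ace.action == "permit" and not any(ace.src.subnet_of(d.src) for d in denies):
            uncovered.append(str(ace.src))
    return findings, uncovered


if __name__ == "__main__":
    parsed = parse_acls(ACL_TEXT)
    found, missing = review_nat_exemption(parsed)
    for f in found:
        print("WARN:", f)
    print("VPN sources without a NAT-exempt deny:", missing or "none")
```

The coverage check only looks at source networks, because the NAT-Init denies in the post use broad private destination ranges; a stricter version would also require the deny's destination to contain the remote networks the ASA pushes, which this post does not list.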