Problem solve Get help with specific problems with your technologies, process and projects.

Split-tunnel Cisco IPsec VPN gateway with software client

This article covers the steps of building a Cisco router-based VPN gateway and software client using a split-tunneling traffic model in which only traffic to secured networks is encrypted and all other traffic is forwarded unsecured.

Now that we've reviewed transom sets and crypto maps, we can move on to the next step in building the IOS router-based VPN gateway to support the Cisco IPsec software and hardware client. Cisco's support for its "3000 based" VPN client was introduced in the 12.2T code base and the majority of the feature set was developed in the 12.2 train. Two different ways of deploying the software VPN client evolved. I refer to these as the "Old School" and "New School" models. The first VPN gateway configuration example we will examine is a split-tunnel client topology implemented following the "Old School" model.

The VPN gateway configuration above supports a split-tunneling traffic model in which only traffic to the secured networks is encrypted and all other traffic is forwarded unsecured. Many security professionals consider this model to be less secure than a "full-crypto" model. That's because when users are connected to the gateway, they are connected to two networks simultaneously. So there is a potential that any virus or security breach that originates from the unsecured network could breach the secured network through the connected host. Security concerns aside, this is a very popular model for most VPN gateway implementations. It secures the traffic that needs to be and does not require that the gateway have the bandwidth or take on the overhead of processing all of the connected users' traffic.

Split-tunnel (Old School) VPN gateway configuration
The configuration below will secure network communications between the VPN client pool address space and the hosts and servers connected to the, and LAN subnets. The VPN gateway configuration is comprised of two parts: ISAKMP and crypto map configuration. Here are the steps:

ISAKMP configuration

A. Create ISAKMP policy:


  1. Create policy entries
  2. Define Phase 1 encryption
  3. Define Phase 1 hash
  4. Define Phase 1 authentication
  5. Define DH exchange key size


 outlan-rt05(config)#crypto isakmp policy 10 outlan-rt05(config-isakmp)# encryption 3des outlan-rt05(config-isakmp)# hash md5 outlan-rt05(config-isakmp)# authentication pre-share outlan-rt05(config-isakmp)# group 2 outlan-rt05(config-isakmp)#exit

B. Configure AAA user and group authentication and accounting:


  1. Enable AAA new model
  2. Define VPN XAUTH user authentication
  3. Define VPN XAUTH group authentication
  4. Define VPN XAUTH group authorization
  5. Create local accounts


 outlan-rt05(config)#aaa new-model outlan-rt05(config)#aaa authentication login default local outlan-rt05(config)#aaa authentication login userauth local outlan-rt05(config)#aaa authorization network groupauth local outlan-rt05(config)#username root password root

C. Create IP address pool:


 outlan-rt05(config)# ip local pool OS-VPN

D. Create loopback interface associated with the address pool:


 outlan-rt05(config)#interface loopback 90 outlan-rt05(config-if)#ip address

E. Create split-tunneling ACL:


 outlan-rt05(config)#$ access-list 100 permit outlan-rt05(config)#$ access-list 100 permit outlan-rt05(config)#$ access-list 100 permit

F. Create client configuration group:


  1. Define group name
  2. Group key
  3. DNS server
  4. Netmask
  5. ACL
  6. Maximum logins
  7. Maximum users
  8. Address pool
  9. Enable client to save XAUTH password
  10. Connection banner


 outlan-rt05(config)#crypto isakmp client configuration group Old-School outlan-rt05(config-isakmp-group)# key secretkey outlan-rt05(config-isakmp-group)#dns outlan-rt05(config-isakmp-group)#netmask outlan-rt05(config-isakmp-group)#backup-gateway outlan-rt05(config-isakmp-group)#domain outlan-rt05(config-isakmp-group)#acl 100 outlan-rt05(config-isakmp-group)#max-login 1 outlan-rt05(config-isakmp-group)#max-users 13 outlan-rt05(config-isakmp-group)#pool OS-VPN outlan-rt05(config-isakmp-group)#save-password outlan-rt05(config-isakmp-group)#banner ^ Enter TEXT message. End with the character '^'. You are connected to All transactions are monitored. ^ outlan-rt05(config-isakmp-group)#

G . Configure Compound TCP (CTCP) port definitions (and disable http and https services on the router):


 outlan-rt05(config)#crypto ctcp port 443 10000 outlan-rt05(config)#no ip http server outlan-rt05(config)#no ip http secure-server

H. Configure NAT transparency keepalive:


 outlan-rt05(config)#crypto isakmp nat keepalive 20

Crypto map configuration

A. Create transform set:


  1. Define Phase 2 encryption
  2. Define Phase 2 hash
  3. Enable IP compression


 outlan-rt05(config)#$ crypto transform-set 3DES-MD5-LZS esp-3des esp-md5-hmac comp-lzs

B. Create dynamic crypto map:


  1. Define transform set
  2. Define client route handling


 outlan-rt05(config)#crypto dynamic-map OLD-SCHOOL 10 outlan-rt05(config-crypto-map)# set transform-set 3DES-MD5-LZS outlan-rt05(config-crypto-map)# reverse-route

C. Create static crypto map:


  1. Create static crypto map with authentication and dynamic crypto map reference
  2. Define VPN client authentication list
  3. Define client ISAKMP authorization list
  4. Define VPN client IP address configuration


 outlan-rt05(config)#crypto map SW-Client 10 ipsec-isakmp dynamic OLD-SCHOOL outlan-rt05(config)#crypto map SW-Client client authentication list userauth outlan-rt05(config)#crypto map SW-Client isakmp authorization list groupauth outlan-rt05(config)#crypto map SW-Client client configuration address respond

D. Create interface access ACL:


 outlan-rt05(config)#access-list 101 permit tcp any host eq 22 outlan-rt05(config)#access-list 101 permit tcp any host eq 23 outlan-rt05(config)#access-list 101 permit tcp any host eq telnet outlan-rt05(config)#access-list 101 permit tcp any host eq 443 outlan-rt05(config)#access-list 101 permit tcp any host eq 10000 outlan-rt05(config)#access-list 101 permit tcp any host established

E. Install crypto map:


  1. Apply map to "unsecured" router interface
  2. Install VPN access ACL
  3. Configure IP routing


 outlan-rt05(config)#interface FastEthernet0/0 outlan-rt05(config-if)#crypto map SW-Client outlan-rt05(config-if)#ip access-group 101 in outlan-rt05(config-if)#exit outlan-rt05(config)#ip route outlan-rt05(config)#ip route outlan-rt05(config)#ip route

Create VPN client policy

Read our entire series of step-by-step articles on building Cisco IPsec VPNs

 With the VPN gateway completed, the last step is to create the VPN client policy. The Cisco VPN client software comes with all VPN licensed routers and with standalone hardware crypto modules (VAM and AIM hardware adapters). The software can also be downloaded from The client is available for Windows, Mac OS, and Linux. The Windows and Mac OS version has a GUI interface. There are two ways to build the profile. The first is to build a base configuration text file with the core connection variables defined, and then import the file into the client. Here is the profile for the Old School VPN gateway we configured above:


 [main] Host= AuthType=1 GroupName=Old-School GroupPwd=secretkey TunnelingMode=1 TcpTunnelingPort=443

To import the configuration, you launch the client GUI and click the "import" button. Once you connect to the VPN gateway, the client application will add the remaining client variables, including the group password in encrypted form.

The other approach is to build the profile for the client profile using the GUI. The build process begins by clicking the "New" button, which opens a profile configuration window:

When building the profile through the GUI, you need the following data points:


  • VPN gateway IP address
  • The ISAKMP client configuration group name
  • The ISAKMP client configuration group key

Once the VPN gateway address and group authentication data has been configured, the "Transport" tab is next.

The transport section provides the configuration interface for the CTCP or NAT traversal options for the client. The split-tunnel VPN configuration supports both NAT-T and CTCP, but only one tunneling option can be set for a profile. In the example above, the profile is configured to support CTCP listening on port 443. The last configuration step is to provision a backup VPN gateway by checking the "Enable Backup Servers" function on the "Backup Servers" tab.

Implementing a backup VPN gateway is a good idea if you're implementing a critical access service. If the backup server is defined as part of the ISAKMP group configuration, it will be pushed down to the VPN client profile when the initial connection is established. Alternatively, it can be configured as part of the VPN client profile build.

 Now that we've covered the split-tunnel model, go to the main page of this series to learn how to build a full-crypto topology and all the details about implementing VPN gateways using Cisco routers.

This was last published in August 2008

Dig Deeper on Network Security