I may be misunderstanding you, but why do you have to use names within your
certs to activate your split tunnel? Why can't you define the group and create
a split tunnel ACL within it on both ends to serve as the basis for
split-tunneling?
access-list nonat permit ip <local ip><local sub> <remote ip><remote sub>
isakmp policy 5 authentication rsa
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
vpngroup mygroup address-pool myaddresspool
vpngroup mygroup dns-server X.X.X.X
vpngroup mygroup wins-server X.X.X.X
vpngroup mygroup split-tunnel nonat
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
Or are you using an EasyVPN client/server setup?
Aaron
----- Original Message -----
From: Conlan Adams
To: firewalls@securityfocus.com
Sent: Friday, June 09, 2006 10:12 AM
Subject: PIX to PIX Certificate VPN question
Stupid question that I am having a heck of a time finding an answer for when
I search the web.
I have a remote access setup, where I have a PIX 515E inhouse, and several
501s outhouse. All of them have validated certs, but I am having issues with
my split-tunnel implementation.
After much digging, I seem to have found that the split tunnel isn't
propagating the ACLs because the vpngroup isn't being set properly on the 501s.
They are connecting, and authenticating properly, and all traffic is sent
over, but since the split-tunnel has to be assigned by name, its not carrying
over.
The PIXs are connecting fine, and passing traffic, just not running the
split-tunnel.
Any thoughts on how I set the vpngroup on the 501s? I attempted to set an OU
with the ca subject-name command, but doesn't seem to help.
Thanks in advance
Conlan Adams
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
