Engineer from Télécom Paris
Ph.D Thesis from UPMC

Network & Security IT - MI
Check news about my company

Split tunneling with Cisco VPN software

Enabling split tunneling with the Cisco IPsec VPN client software on Linux, even when the VPN concentrator forbids it!

Patch for vpnclient-linux-x86_64-4.8.00.0490-k9: vpnclient-linux-x86_64-4.8.00.0490-k9.diff
Platform: Linux kernel module
Documentation: split tunneling on the client side of a VPN tunnel is a potential security flaw. For instance, viruses can easily propagate from the public client LAN, through the client host, to the private internal network at the other end of the VPN tunnel. With Cisco routers and VPN concentrators, the concentrator tells the client IPsec software whether split tunneling is enabled or not. The default concentrator configuration disables split tunneling on the client host.
Since this setting is only enforced by the client software, a VPN administrator should not rely on the concentrator configuration: the client host is under the user's control and can ignore the policy, so the traffic allowed to cross the tunnel should be restricted on the concentrator side or behind it (firewall rules on the private network) rather than assumed to be limited by the client. One may think that modifying the client software is very difficult, but in fact it is very simple: because of the many Linux kernel versions in use, Cisco systematically ships the sources of the kernel module with the Linux vpnclient distribution. Only the user-space daemon is distributed in binary form, and it is this daemon that decides whether split tunneling is enabled. But the daemon relies on the kernel module to apply this policy, so you just need to modify the kernel module sources to enable split tunneling even when the user-space daemon does not want it! Moreover, adding a single line to the kernel module sources is enough. This patch, named vpnclient-linux-x86_64-4.8.00.0490-k9.diff, enables split tunneling on a client host even when the concentrator uses the default configuration.
This patch works the following way: To use the patch, you only need to run "ifdown eth1; ifup eth1" right after the VPN tunnel has been set up, where eth1 is the interface connected to your local LAN. Any host that is not on eth1 is then reached through the VPN tunnel, and hosts on eth1 are reached directly.
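As an added example (not part of the original page and not code from Cisco's vpnclient), the following Python script shows how to check, from the client host's own routing table, which destinations leave through the LAN interface and which go through the tunnel. It performs the same longest-prefix match the kernel does over the output of "ip route show". The interface names (eth1 for the LAN, cipsec0 for the interface the Cisco kernel module is assumed to create), the "before" and "after" tables and all addresses are constructed sample data; run it with --live to inspect the running host instead.

```python
"""Check split tunneling from the Linux routing table (added example).

Not part of the original page or of Cisco's vpnclient. Interface names
(eth1 = LAN side, cipsec0 = tunnel interface assumed to be created by the
Cisco kernel module) and all addresses are assumptions / constructed data.
"""
import ipaddress
import re
import subprocess
import sys

# Constructed `ip route show` output BEFORE the patch: the client only keeps a
# host route to the concentrator (203.0.113.5) on eth1; everything else,
# including the local LAN 192.168.1.0/24, goes through cipsec0.
ROUTES_NO_SPLIT = """\
default via 10.8.0.1 dev cipsec0
10.8.0.0/24 dev cipsec0 proto kernel scope link src 10.8.0.23
203.0.113.5 via 192.168.1.1 dev eth1
"""

# Constructed output AFTER the patched module is loaded and
# "ifdown eth1; ifup eth1" has been run: the connected LAN route is back.
ROUTES_SPLIT = ROUTES_NO_SPLIT + \
    "192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.10\n"

_ROUTE_RE = re.compile(r"^(?P<dst>default|\S+).*?\bdev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Return [(network, device), ...] from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst,
                                   strict=False)
        routes.append((net, m.group("dev")))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def classify(routes, dsts, lan_dev="eth1"):
    """Map each destination to "direct" (out of the LAN interface) or "tunnel"."""
    return {d: ("direct" if lookup(routes, d) == lan_dev else "tunnel")
            for d in dsts}


def live_routes():
    """Read the running host's table (needs iproute2); used with --live."""
    out = subprocess.check_output(["ip", "route", "show"], text=True)
    return parse_routes(out)


if __name__ == "__main__":
    targets = ["192.168.1.20", "10.1.2.3", "8.8.8.8", "203.0.113.5"]
    tables = {"live": live_routes()} if "--live" in sys.argv else {
        "before patch": parse_routes(ROUTES_NO_SPLIT),
        "after patch + eth1 bounce": parse_routes(ROUTES_SPLIT),
    }
    for name, routes in tables.items():
        print(name)
        for dst, how in classify(routes, targets).items():
            print(f"  {dst:16} {how}")
```

On the constructed "after" table, the LAN host 192.168.1.20 is reported as direct while 10.1.2.3 and 8.8.8.8 stay in the tunnel; the concentrator address itself is always direct, since the encapsulated IPsec packets must leave through eth1. If a host on your LAN still shows up as "tunnel" after bouncing eth1, the connected route was not restored and the patch is not effective.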

Top Articles:

Electronic design: driving a 60A relay with a micro-controller
Use this device to drive a 60 A relay in order to power dozens of computers on or off at once.

"new_station" patch for hostapd
Improve 802.1X authentication on wired IEEE 802 media with this patch for hostapd.

usbdrive.exe
Copy, manipulate and erase raw data on your USB flash drive. Essential if you really want privacy for your files.

Hidden VNC server
This patch for WinVNC 4 lets you install a hidden VNC server: no more tray icon.

Raccorder son réseau d'entreprise à l'Internet (Connecting your corporate network to the Internet)
A free book about networks. First published by Eyrolles in 1997, and released under a Creative Commons licence in 2006.
© A. Fenyo - F. Le Guern - S. Tardieu

IP phone to analog phone interface circuit
At work, people usually no longer get an analog phone line since digital or IP phones appeared. See how to connect your old analog device (modem, DECT cordless phone, Minitel) using only your IP phone for network access: read this.

Very low cost 20MHz signal generator for ham radio HF power amplifiers testing
Learn how to make a 20 MHz HF signal generator using a few simple discrete analog components. Moreover, see how a 33-year-old Tektronix oscilloscope gives better results than a digital one bought recently. The whole story is here.

Split tunneling with Cisco
Enabling split tunneling with the Cisco IPsec VPN Linux client software is always possible: read this.

Modelling IEEE Spanning Tree protocols using an UML Class Diagram
To really understand the dependencies between the many Spanning Tree protocols, I wrote a UML class diagram describing their relationships, here.

Motorized camera controlled by the telephone
This project shows how to drive a camera from the telephone line; all details here.

External Links:

My Former Web Site
Since 04/26/01 I have maintained a web site named www.fenyo.net. Since I have made many updates recently, click here to access the original content, where the old information is kept. The photo is also from 2001 :-)

Agnes' Web Site
Agnes, my wife, used to maintain a web server but she no longer does, so this pointer is disabled. However, you may contact her on LinkedIn.

Canardou's Web Site
Canardou has always been a friend who really matters to me, helping me in every situation. According to the information currently available, Canardou could be affected by the H5N1 virus. So, for a few weeks, Public Health Bird Regulations have obliged me to forbid Canardou from leaving our apartment. Feel free to get news of him from his personal home page.

Private Links:

Mail for nuts
Authorized users at domain fenyo.net can read and send mail by means of this cute Squirrel (a friend of Canardou?).