Problem VPN Split-Tunneling

I have a similar problem with PANOS 4.1.6 and 4.1.7 , but also with only one access-route. It summarize in a strange manner.  If I specify an access-route like 192.168.11.0/24 it summarize like 192.0.0.0/254.0.0.0, but if I specify an access-route like 172.16.0.0/12 it summarize like 128.0.0.0/128.0.0.0, if I specify an access-route like 10.0.0.0/8 it summarize like 0.0.0.0/0.

Hello,

I have a similar setup in lab where I am allowing two networks through access routes and my routes are NOT being summarized:

100.1.1.0    255.255.255.0      10.16.0.252     10.16.0.252       1

100.1.2.0    255.255.255.0      10.16.0.252     10.16.0.252       1

Access routes are only summarized on iOS devices and should be listed as individual networks on Windows/Linux machines. Please open a Support case so that we can further look into the issue.

Thanks,

Sri

Hi everybody.

Sri, I've configured our firewall with your two access routes: 100.1.1.0/24 and 100.1.2.0/24 and this is the client routing table:

IPv4 Tabla de enrutamiento

===========================================================================

Rutas activas:

Destino de red        Máscara de red   Puerta de enlace   Interfaz  Métrica

          0.0.0.0          0.0.0.0              192.168.1.5     192.168.1.20     25

        100.1.0.0    255.255.252.0     192.168.46.3     192.168.46.2    100

As you can see, it summarizes the routes. I'm using Cisco VPN Client version 5.0.

Please, could you tell me your configuration? I'll try to open a case.

Thank you very much.

Hello,

in my lab with a PAN2020 and PANOS 4.1.7, I have inserted two access-route like yours,

but in my Cisco VPN client v. 5.0.0.7 on Windows XP, secured routes shows this

If I insert only one access-route like 192.168.11.0/24, secured routes shows 192.0.0.0 254.0.0.0

Thanks,

Lauro

Thanks Lauro. It is very strange behavior. Let's see if together we can find the solution.

Hello,

I have done some tests in my lab and my idea is following:

• it depends by insertion of primary/secondary DNS and the combination of access routes
• the system tries to summarize the networks from the DNS, if present, and the access routes inserted. If exists a super network that summarizes all, than this network is tunneled, otherwise the split-tunnel is 0.0.0.0/0

• my opinion is that is not correct, because I should have the possibility to split single networks and single DNS. In my routing table I should have all the single networks that I specified in access routes (in the help row below the panel configuration is written "These routes will be added to the client's routing table"  plural: these routes :smileywink:  )
  

Thanks.

Lauro

Hi Lauro.

You're right. I've carried out some tests by changing DNS configuration in GlobalProtect Gateway. As you say, it tries to summarize all the networks: DNS networks and access routes networks........ what a folly!!!

It'd be a good idea that Sri could specify here his GlobalProtect configuration.

Thank you.

Hello,

I am using GP client 1.1.5. I have not tested this with a Cisco VPN client.

Thanks,

Sri

Hello Sri.

I've tested this with a Cisco VPN client in a Windows machine, Cisco VPN Client in a Linux Machine, vpnc daemon in a Linux Machine, Shrew software in a Linux machine and Shrew software in a Windows Machine, with the same result....

Is it a compatibility problem of PaloAlto devices? I think IPSec connections are based on a RFC standard..............

Thank you very much...