Cisco AnyConnect split tunneling on Windows 10

2

1

I'm having some issues dealing with a client's VPN.

Context:

I am an Android engineer and I'm working with a client whose resources, repositories, dashboards, email, CI/CD, etc. are behind a VPN network.

Issue:

There is a set of tools that I need to use to work on this client's app, but these tools aren't working behind the VPN because it appears that the VPN basically blocks everything (Google, Slack, Android Studio, etc.).

Question:

The iOS guys are using a tool called Shimo to do split tunneling with the VPN and the local internet connection, so they are able to access the resources behind the VPN and use their tools.

Is there something like that for Windows 10?

Notes:

  • I've been doing (a lot) of googling trying to find a similar tool that works with Cisco AnyConnect protocols without luck.
  • I tried to set up Windows 10 VPN.
  • I actually have two computers so I've been trying to set a local network between the two computers with a shared folder, that way I can clone the Git repo from the VPN'd computer into that shared folder and access it from my other computer with Android Studio and all the tools that I use. At least that was the idea, but as soon as I turn the VPN on the VPN'd computer disappears from the network.
  • Tried to do the same thing with an Amazon Workspace VM but couldn't set a shared folder.
  • Would be great to get a solution that doesn't require too much effort, maybe I'm missing some Shimo-like client for Windows out there?
  • The client is not flexible about the VPN, so allowing Slack, Google and things like that to go through the VPN isn't an option.

Edit 1:

  • I've been trying to configure the Cisco's VPN Adapter to use the default gateway on the remote network, like it says on this post. But on Windows 10 there's no option for that:

Example

  • I've been trying to use OpenConnect instead of Cisco, since OpenConnect supposedly supports Cisco's protocol. However, I'm not really sure about how to import Cisco's profile into OpenConnect. My Cisco client works with a hostname for the VPN, a username, a password, you need to pick a group and after that you need to put a 2FA token that I get through the Symantec VIP App. I'm not really sure how to configure all this on OpenConnect:

Config example

4gus71n

Posted 2019-06-18T16:54:30.823

Reputation: 21

I have a similar issue with Cisco VPN as client blocks everything. I therefore made a Windows 10 VM to connect to client (via AnyConnect) and the host can connect to internet as normal. Would that work for you? – lx07 – 2019-06-18T17:11:22.153

@lx07 Thanks for the comment. Yeah, the thing is that I'm running Android Studio (eats a lot of ram), Postman, design tools, Slack, tons of things, if I add a VM machine to all that I'm pretty sure that my computer is going to run as fast as a brick. – 4gus71n – 2019-06-18T18:17:09.543

The Cisco AnyConnect client must be blocking out the local network for the computer. This is dictated by the VPN server, but apparently the Shimo client can ignore it. Try using OpenConnect, described as "an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN" since "the Cisco client ... found it to have many deficiencies".

– harrymc – 2019-06-20T19:34:42.083

@harrymc TBH I've been trying so many different VPN clients that I don't remember if I tried with OpenConnect or not. I think I did. But I think that I wasn't able to replicate Cisco AnyConnect's profile there. I'll give it a try once more and I'll let you know. Thanks for the info. – 4gus71n – 2019-06-21T00:07:19.983

Let me know what you try and how you configured OpenConnect. Might be worth adding to the post. – harrymc – 2019-06-21T06:29:32.907

This approach works, as seen in this success story. I can't test myself, as I don't have OpenConnect installed, but perhaps this article will help.

– harrymc – 2019-06-21T08:37:20.967

@harrymc I updated the post. Still doing research, I'm trying to see if I can find some sort of script online that turns Cisco's profile into something that I can use on OpenConnect, or any other VPN client. – 4gus71n – 2019-06-22T14:56:52.303

This is too long for comments, so I have started an answer. – harrymc – 2019-06-22T19:26:50.207

Answers

2

The Cisco AnyConnect client must be blocking out the local network for the computer. This is dictated by the VPN server, but apparently the Shimo client can ignore it.

A replacement VPN client is OpenConnect, described as "an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN" since "the Cisco client ... found it to have many deficiencies".

The login details of Cisco AnyConnect might be found in the file `%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile`, which is (or contains) an XML file.

This XML file might contain the tag HostAddress, which has the address of your VPN server. Note that it can also be HostName and there might be multiple tags. You need to pick the right one.

You might also need the VPN group as well. In that case, search for the keyword group in the XML (and probably XSD) to get the required group information.

More information about the structure of the XML file can be found in the article Anyconnect XML preferences.

This is as far as I can go without having both products on my computer. Feel free to add to my answer any additional steps that you took.

harrymc

Posted 2019-06-18T16:54:30.823

Reputation: 306 093