Windows – trick out cisco vpn with routes

Tags: cisco-vpn-client, dns, routing, vpn, windows 7

I'm working on a way to trick out the Cisco VPN client by modifying the routes on the local system to achieve a state that's called split tunneling.

I know that I don't have the right to do this without the permission of the administrator of the VPN network and don't intend to use this. However, this is a challenge for me to better understand routing under Windows, maybe even a proof of concept I could use to show some admins that relying on that checkbox in their software is of no use for security at all.

Let's go, here's what I found. It's all modified to private network addresses. The scenario is a remote worker working from his SOHO network 192.168.81.0 and connecting via Cisco VPN to his company network 192.168.71.0. The VPN host in the Cisco configuration is in this example modified to 192.168.10.5.

The remote worker is connected to his SOHO network via WLAN; his normal IP settings while not in the VPN look like the following:

Drahtlos-LAN-Adapter Drahtlosnetzwerkverbindung:

   Verbindungsspezifisches DNS-Suffix: soho
   Beschreibung. . . . . . . . . . . : Intel(R) Centrino(R) Ultimate-N 6300 AGN
   Physikalische Adresse . . . . . . : 00-00-00-00-00-01
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 192.168.81.105(Bevorzugt) 
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : 192.168.81.254
   DHCP-Server . . . . . . . . . . . : 192.168.81.254
   DNS-Server  . . . . . . . . . . . : 208.67.222.222
                                       8.8.8.8
                                       195.66.0.3
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

The routing table on the system looks unspectacular as expected:

===========================================================================
Schnittstellenliste
 15...24 77 03 20 82 20 ......Intel(R) Centrino(R) Ultimate-N 6300 AGN
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0   192.168.81.254   192.168.81.105     25
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
     192.168.81.0    255.255.255.0   Auf Verbindung    192.168.81.105    281
   192.168.81.105  255.255.255.255   Auf Verbindung    192.168.81.105    281
   192.168.81.255  255.255.255.255   Auf Verbindung    192.168.81.105    281
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung    192.168.81.105    281
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung    192.168.81.105    281
===========================================================================
Ständige Routen:
  Keine

After connecting to the vpn the virtual network device is added to the system:

Ethernet-Adapter LAN-Verbindung 2:

   Verbindungsspezifisches DNS-Suffix: 
   Beschreibung. . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows
   Physikalische Adresse . . . . . . : 00-00-00-00-00-02
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 192.168.71.186(Bevorzugt) 
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : 192.168.71.1
   DNS-Server  . . . . . . . . . . . : 10.2.20.12
                                       10.2.20.13
   Primärer WINS-Server. . . . . . . : 10.2.20.12
   Sekundärer WINS-Server. . . . . . : 10.2.20.13
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Drahtlos-LAN-Adapter Drahtlosnetzwerkverbindung:

   Verbindungsspezifisches DNS-Suffix: soho
   Beschreibung. . . . . . . . . . . : Intel(R) Centrino(R) Ultimate-N 6300 AGN
   Physikalische Adresse . . . . . . : 00-00-00-00-00-01
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 192.168.81.105(Bevorzugt) 
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : 192.168.81.254
   DHCP-Server . . . . . . . . . . . : 192.168.81.254
   DNS-Server  . . . . . . . . . . . : 208.67.222.222
                                       8.8.8.8
                                       195.66.0.3
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

The routing table is modified to the following:

===========================================================================
Schnittstellenliste
 22...00 00 00 00 00 02 ......Cisco Systems VPN Adapter for 64-bit Windows
 15...24 77 03 20 82 20 ......Intel(R) Centrino(R) Ultimate-N 6300 AGN
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0   192.168.81.254   192.168.81.105     25
          0.0.0.0          0.0.0.0     192.168.71.1   192.168.71.186     21
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
     192.168.71.0    255.255.255.0   Auf Verbindung    192.168.71.186    276
   192.168.71.186  255.255.255.255   Auf Verbindung    192.168.71.186    276
   192.168.71.255  255.255.255.255   Auf Verbindung    192.168.71.186    276
     192.168.81.0    255.255.255.0   Auf Verbindung    192.168.81.105    281
     192.168.81.0    255.255.255.0     192.168.71.1   192.168.71.186    281
   192.168.81.105  255.255.255.255   Auf Verbindung    192.168.81.105    281
   192.168.81.105  255.255.255.255     192.168.71.1   192.168.71.186    281
   192.168.81.254  255.255.255.255   Auf Verbindung    192.168.81.105    100
   192.168.81.255  255.255.255.255   Auf Verbindung    192.168.81.105    281
     192.168.10.5  255.255.255.255   192.168.81.254    192.168.81.105    100
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung    192.168.81.105    281
        224.0.0.0        240.0.0.0   Auf Verbindung    192.168.71.186    276
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung    192.168.81.105    281
  255.255.255.255  255.255.255.255   Auf Verbindung    192.168.71.186    276
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Metrik
          0.0.0.0          0.0.0.0     192.168.71.1       1
===========================================================================

As you can see, the Cisco VPN client adds a default route that has a low metric and sends all traffic into the tunnel. The former default route is not removed but, AFAIR, just not used because of the lower metric of the VPN one. Additionally, the new default route is made permanent, which is really annoying, since it's pointless: after a reboot the VPN client won't run and the route should not be there anymore. But who knows how Cisco works 😉

What made me start this challenge is the following route:

     192.168.10.5  255.255.255.255   192.168.81.254    192.168.81.105    100

As far as I understand it, this route makes the whole thing work, since that's the route the whole VPN tunnel has to use to get the traffic out the real interface. So I thought it shouldn't be too hard to modify the routing to get default traffic back out the real interface to the real gateway and just the traffic for the remote network into the VPN tunnel.

I started with deleting the default routes, then adding a new default route like it was before the VPN connection, then adding a specific route to the remote network:

route DELETE 0.0.0.0
route ADD 0.0.0.0 MASK 0.0.0.0 192.168.81.254 IF 15
route ADD 10.2.31.0 MASK 255.255.255.0 192.168.71.1 IF 22

After that the routing table looks fine for me:

===========================================================================
Schnittstellenliste
 22...00 00 00 00 00 02 ......Cisco Systems VPN Adapter for 64-bit Windows
 15...00 00 00 00 00 01 ......Intel(R) Centrino(R) Ultimate-N 6300 AGN
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0   192.168.81.254   192.168.81.105     26
        10.2.31.0    255.255.255.0     192.168.71.1   192.168.71.186     21
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
     192.168.71.0    255.255.255.0   Auf Verbindung    192.168.71.186    276
   192.168.71.186  255.255.255.255   Auf Verbindung    192.168.71.186    276
   192.168.71.255  255.255.255.255   Auf Verbindung    192.168.71.186    276
     192.168.81.0    255.255.255.0   Auf Verbindung    192.168.81.105    281
     192.168.81.0    255.255.255.0     192.168.71.1   192.168.71.186    281
   192.168.81.105  255.255.255.255   Auf Verbindung    192.168.81.105    281
   192.168.81.105  255.255.255.255     192.168.71.1   192.168.71.186    281
   192.168.81.254  255.255.255.255   Auf Verbindung    192.168.81.105    100
   192.168.81.255  255.255.255.255   Auf Verbindung    192.168.81.105    281
     192.168.10.5  255.255.255.255   192.168.81.254    192.168.81.105    100
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung    192.168.81.105    281
        224.0.0.0        240.0.0.0   Auf Verbindung    192.168.71.186    276
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung    192.168.81.105    281
  255.255.255.255  255.255.255.255   Auf Verbindung    192.168.71.186    276
===========================================================================
Ständige Routen:
  Keine

However, after this modification I can connect to the remote network perfectly, like with the routes that the Cisco VPN client added, but not to the Internet.

Since I do not see anything wrong with the routes, I checked again whether Cisco had messed up my DNS settings, but they are untouched on the WLAN interface.

Ethernet-Adapter LAN-Verbindung 2:

   Verbindungsspezifisches DNS-Suffix: 
   Beschreibung. . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows
   Physikalische Adresse . . . . . . : 00-00-00-00-00-02
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 192.168.71.186(Bevorzugt) 
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : 192.168.71.1
   DNS-Server  . . . . . . . . . . . : 10.2.20.12
                                       10.2.20.13
   Primärer WINS-Server. . . . . . . : 10.2.20.12
   Sekundärer WINS-Server. . . . . . : 10.2.20.13
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Drahtlos-LAN-Adapter Drahtlosnetzwerkverbindung:

   Verbindungsspezifisches DNS-Suffix: soho
   Beschreibung. . . . . . . . . . . : Intel(R) Centrino(R) Ultimate-N 6300 AGN
   Physikalische Adresse . . . . . . : 00-00-00-00-00-01
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 192.168.81.105(Bevorzugt) 
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : 192.168.81.254
   DHCP-Server . . . . . . . . . . . : 192.168.81.254
   DNS-Server  . . . . . . . . . . . : 208.67.222.222
                                       8.8.8.8
                                       195.66.0.3
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

This is where my horse dies and I need help from you out there. Is there anybody who can give me a hint about what I'm missing and/or understanding wrong? Are there any BlackHats out there?
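As an added example (not part of the question or the answer below), here is a small Python parser for the German-locale `route print` table above that applies the Windows selection rule, longest prefix first and then lowest metric. It shows why the tunnel's default route with metric 21 beats the WLAN one with metric 25, while the /32 host route for the VPN head-end 192.168.10.5 keeps the outer tunnel traffic on the physical interface. The sample table is copied from the post-connect output above; the function names and the `leaves_tunnel` audit helper are constructed for this example.

```python
import ipaddress

# Constructed sample, copied from the post-connect table above: German `route print`
# prints "Auf Verbindung" where the English locale prints "On-link".
ROUTE_PRINT = """\
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0   192.168.81.254   192.168.81.105     25
          0.0.0.0          0.0.0.0     192.168.71.1   192.168.71.186     21
     192.168.71.0    255.255.255.0   Auf Verbindung    192.168.71.186    276
     192.168.81.0    255.255.255.0   Auf Verbindung    192.168.81.105    281
     192.168.10.5  255.255.255.255   192.168.81.254    192.168.81.105    100
"""
ON_LINK = ("Auf Verbindung", "On-link")

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from `route print` text."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0][0].isdigit():
            continue                      # header, separators, "Ständige Routen" etc.
        if len(parts) == 6:               # "Auf Verbindung" is two tokens: re-join them
            parts[2:4] = [" ".join(parts[2:4])]
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Route selection as Windows does it: longest prefix wins, then lowest metric.
    Returns (egress interface address, next hop); an on-link route has no gateway,
    so the next hop is the destination itself."""
    ip = ipaddress.IPv4Address(dst)
    net, gateway, iface, _ = max((r for r in routes if ip in r[0]),
                                 key=lambda r: (r[0].prefixlen, -r[3]))
    return iface, dst if gateway in ON_LINK else gateway

def leaves_tunnel(routes, dst, tunnel_iface="192.168.71.186"):
    """True when traffic to dst bypasses the VPN adapter (useful when auditing
    whether a 'full tunnel' policy actually holds on a client)."""
    return lookup(routes, dst)[0] != tunnel_iface

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for probe in ("8.8.8.8", "192.168.71.50", "192.168.10.5", "192.168.81.254"):
        print(f"{probe:>15} -> {lookup(table, probe)}  bypasses tunnel: {leaves_tunnel(table, probe)}")
```

Feeding it the table from after the manual `route` changes instead (two lines further down the question) makes the default route resolve to 192.168.81.254 on the WLAN interface, which is exactly the split-tunnel state the question is trying to reach.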

Best Answer

I've had the same problem for a few months. I had to disconnect to have Internet access, and connect to have access to corporate resources... A pain.

My temporary solution was to install a Sonatype Nexus (proxy for dependencies) under Debian Linux and connect with vpnc. Usually you can install it with apt-get/yum etc.

When this solution was not enough, I installed vpnc on my Windows machine with vpnc-fe (VPNc Front-End, http://sourceforge.net/projects/vpncfe/) on top.

My configuration required a setting for perfect security called "Force-NTT". See this thread. Later you need to put the following script in postconnect.bat:

[Copy in case the thread goes down]

Thank you, rodekerken! Here's the final result, no manual tinkering necessary to break out the split routes:

@echo off
REM By: capt-tagon
REM 
REM Post-Script.bat to take VPNC's Route Table into Windows 7 land. Erases bad route table entries, 
REM extracts gateway, assigned IP, Netmask, and Cisco split route entries and resubmits them to 
REM Windows 7 so the routing all works. Condensed from other entries on the VPNC-FE forae and combined
REM with information gleaned from VPNC client for Linux to find all the passed parameters useful
REM to making this work. Additional by rodekerken noted below, thank you for helping finish it out.
REM
setlocal enabledelayedexpansion
echo.
echo Post-Script Begin
echo.
REM Gather Connection Data
REM 
REM Parameters passed have space at end, see "HELP SET" at Console Prompt for explanation of
REM substring extraction
REM Strip space from TUNDEV, INTERNAL_IP4_ADDRESS, VPNGATEWAY, CISCO_SPLIT_INC
REM This will be broken if VPNC-FE is fixed to not export parameters with the trailing space.
REM 
set MyTUNDev=%TUNDEV:~0,-1%
REM By: rodekerken
REM From the top of the router table printout, look for a line like
REM 14...00 ff 5d b0 44 aa ......TAP-Win32 Adapter V9 to find the if number.
REM A way to find out the interface number automatically and extract it is this
REM (the trailing space in delims strips the leading blank before the number):
for /f "tokens=1 delims=. " %%a in ('route print ^|find "TAP-Win32"') do set MyIF=%%a
set MyIP=%INTERNAL_IP4_ADDRESS:~0,-1%
set MyMask=%INTERNAL_IP4_NETMASK:~0,-1%
set MyVPN=%VPNGATEWAY:~0,-1%
REM Number of Routing Table Entries for Split Tunnel
set MyCiscoSplit=%CISCO_SPLIT_INC:~0,-1%
REM Date Time functions
set ANSIDate=%date:~10%%date:~4,2%%date:~7,2%
set StartTime=%time:~0,2%%time:~3,2%%time:~6,2%
REM Display Connection Data
echo Tunnel Device : [%MyTUNDev%]
echo Tunnel IntFace: [%MyIF%]
echo Tunnel IPAddr : [%MyIP%]
echo Tunnel NetMask: [%MyMask%]
echo Tunnel VPN-GW : [%MyVPN%]
echo.
echo Date Connected: [%ANSIDate%]
echo Time Connected: [%StartTime%]
echo.
REM Cisco Routes are 0 index, 6 Routes = 0-5
echo Cisco Split Routes: [%MyCiscoSplit%]
REM Display Bad Route Table
echo.
echo Bad Route Table
route print | find "%MyIP%"
echo.
REM Delete Bad Split Route entries and add back with proper Gateway.
REM Extract Cisco routing table information to feed to "ROUTE ADD"
REM Number of entries passed in Array Index CISCO_SPLIT_INC 
REM For x below, value is 0 to CISCO_SPLIT_INC - 1
REM Address is passed in CISCO_SPLIT_INC_x_ADDR
REM NetMask is passed in CISCO_SPLIT_INC_x_MASK
REM
REM By: rodekerken
REM A way to loop and enumerate and evaluate the routes is like this:
set /A MyCiscoSplit-=1
for /L %%i in (0,1,%MyCiscoSplit%) do (
                set SplitAddr=CISCO_SPLIT_INC_%%i_ADDR
                set SplitMask=CISCO_SPLIT_INC_%%i_MASK
        for /f %%a in ('echo !SplitAddr!') do set SplitAddrEval=!%%a!
        for /f %%a in ('echo !SplitMask!') do set SplitMaskEval=!%%a!
        echo Route%%i !SplitAddrEval! !SplitMaskEval!
        route delete !SplitAddrEval! >nul
        route add !SplitAddrEval! mask !SplitMaskEval! %MyVPN% metric 1 if %MyIF% >nul
)
REM Display Corrected Route Table
echo.
echo Corrected Route Table
route print | find "%MyVPN%"
echo.
echo Post-Script End
echo.

I've also added these routes after the "FOR":

route add 1111.120.120.0 mask 255.255.255.0 0.0.0.0 metric 1 if %MyIF%
route add 1111.185.19.0 mask 255.255.255.0 0.0.0.0 metric 1 if %MyIF%
route add 10.0.0.0 mask 255.0.0.0 0.0.0.0 metric 1 if %MyIF%

[Please note that the first two routes have incorrect/fake addresses. You need to change them anyway.]

For my script to work repeatedly, you need to create a "disconnect.bat" containing the removal of routes:

route delete 1111.120.120.0
route delete 1111.185.19.0
route delete 10.0.0.0

Just my 0.02€
