使用 Cisco AnyConnect 安全移动客户端 v. 3.0.4235 进行 LAN 访问

Question

每当我使用 Cisco AnyConnect Secure Mobility Client v. 3.0.4235（可能还有其他版本）连接到 VPN 服务器时，我就无法访问我的 LAN。我希望通过手动添加一些 AnyConnect 删除的路由来解决此问题。

以下是我的设置，连接前后的路线。我有一台带有两个物理网卡的机器：

NIC1互联网网关

Address 10.191.244.10
Mask 255.255.255.0
Gateway: 10.191.244.1

网卡2

Address 172.16.97.1
Mask 255.255.0.0
Gateway: N/A

连接到 NIC2 的设备

Address 192.16.97.2
Mask 255.255.0.0
Gateway: N/A

编辑：请注意 VPN 连接和 LAN 连接不在同一个物理网卡/链路上，并且两个网卡没有连接到同一个网络（一个连接到 10.191.244.0/24，另一个连接到 172.16.97.0/ 20)。

连接到 VPN 之前的路由和 ARP 表

===========================================================================
Interface List
 15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
 14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
     10.191.244.0    255.255.255.0         On-link     10.191.244.11    261
    10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
   10.191.244.255  255.255.255.255         On-link     10.191.244.11    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0      255.255.0.0         On-link       172.16.97.1    261
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
   172.16.255.255  255.255.255.255         On-link       172.16.97.1    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
        224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
  255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     10.191.244.1  Default 
===========================================================================

## ARP ##
Interface: 10.191.244.11 --- 0xe
  Internet Address      Physical Address      Type
  10.191.244.1          c4-05-28-c9-fd-63     dynamic   
  10.191.244.20         00-c0-3d-00-53-0d     dynamic   
  10.191.244.255        ff-ff-ff-ff-ff-ff     static    
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static    

Interface: 172.16.97.1 --- 0xf
  Internet Address      Physical Address      Type
  172.16.97.2           00-80-2f-17-26-06     dynamic   
  172.16.97.3           00-80-2f-17-6a-44     dynamic   
  172.16.255.255        ff-ff-ff-ff-ff-ff     static    
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static    

连接到 VPN 后的路由和 ARP

===========================================================================
Interface List
 16...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
 15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
 14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
          0.0.0.0          0.0.0.0    192.168.220.1  192.168.221.131      2
    10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
    192.168.220.0    255.255.254.0         On-link   192.168.221.131    257
  192.168.221.131  255.255.255.255         On-link   192.168.221.131    257
  192.168.221.255  255.255.255.255         On-link   192.168.221.131    257
     193.28.147.7  255.255.255.255     10.191.244.1    10.191.244.11      6
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
        224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
        224.0.0.0        240.0.0.0         On-link   192.168.221.131    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
  255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
  255.255.255.255  255.255.255.255         On-link   192.168.221.131    257
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     10.191.244.1  Default 
          0.0.0.0          0.0.0.0    192.168.220.1       1
===========================================================================


## ARP ##
Interface: 10.191.244.11 --- 0xe
  Internet Address      Physical Address      Type
  10.191.244.1          c4-05-28-c9-fd-63     dynamic   
  10.191.244.20         00-c0-3d-00-53-0d     dynamic   
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static    

Interface: 172.16.97.1 --- 0xf
  Internet Address      Physical Address      Type
  172.16.97.2           00-80-2f-17-26-06     dynamic   
  172.16.97.3           00-80-2f-17-6a-44     dynamic   
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static    

Interface: 192.168.221.131 --- 0x10
  Internet Address      Physical Address      Type
  192.168.220.1         00-11-22-33-44-55     dynamic   
  192.168.221.255       ff-ff-ff-ff-ff-ff     static    
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static 

前后路由的差异表明 AnyConnect 删除了一条到 172.16.0.0 网络的路由。

我试着把它加回来

route ADD 172.16.0.0 MASK 255.255.0.0 172.16.97.1

路由实用程序返回/打印“OK！”，但此后路由从未出现在路由表中。我使用提升的权限运行路由实用程序。AnyConnect 可以阻止我添加新路由吗？

在我的（客户端）端有没有办法解决这个问题？VPN 服务器配置不容易更改。

Answer 1

我找到了解决我的问题的方法。我只是使用 OpenConnect 而不是 Cisco 自己的客户端。

OpenConnect ( http://www.infradead.org/openconnect/ ) 是 Cisco 的AnyConnect SSL VPN 的开源客户端，围绕 GnuTLS 和 OpenSSL 构建。它在 BSD、Linux、Mac 和 Windows 上运行。

对我来说，它解决了在Linux问题（14 Ubuntu的使用包网络管理器- openconnect）和Windows（64位Win7的使用http://www.infradead.org/openconnect/gui.html / https：//开头的github .com/openconnect/openconnect-gui/wiki）。

以下是与 OpenConnect 建立 VPN 连接前后的路由。将这些与 AnyConnect 情况进行对比，其中 172.16.0.0 路由被删除。

我现在可以访问 VPN 资源和我的本地 LAN（特别是我在 172.16.97.2 上的网络连接采样设备）。

OpenConnect 连接之前的路由：

===========================================================================
Interface List
 20...00 ff 08 2c e8 75 ......TAP-Windows Adapter V9
 15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
 14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
     10.191.244.0    255.255.255.0         On-link     10.191.244.11    261
    10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
   10.191.244.255  255.255.255.255         On-link     10.191.244.11    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0      255.255.0.0         On-link       172.16.97.1    261
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
   172.16.255.255  255.255.255.255         On-link       172.16.97.1    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
        224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
  255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.220.1       1
          0.0.0.0          0.0.0.0     10.191.244.1  Default 
===========================================================================

openconnect 连接后的路由：

===========================================================================
Interface List
 20...00 ff 08 2c e8 75 ......TAP-Windows Adapter V9
 15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
 14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
          0.0.0.0          0.0.0.0    192.168.220.1  192.168.221.140      2
     10.191.244.0    255.255.255.0         On-link     10.191.244.11    261
    10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
   10.191.244.255  255.255.255.255         On-link     10.191.244.11    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0      255.255.0.0         On-link       172.16.97.1    261
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
   172.16.255.255  255.255.255.255         On-link       172.16.97.1    261
    192.168.220.0    255.255.254.0         On-link   192.168.221.140    257
  192.168.221.140  255.255.255.255         On-link   192.168.221.140    257
  192.168.221.255  255.255.255.255         On-link   192.168.221.140    257
     193.28.147.7  255.255.255.255     10.191.244.1    10.191.244.11      6
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
        224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
        224.0.0.0        240.0.0.0         On-link   192.168.221.140    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
  255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
  255.255.255.255  255.255.255.255         On-link   192.168.221.140    257
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     10.191.244.1  Default 
          0.0.0.0          0.0.0.0    192.168.220.1       1
===========================================================================

Answer 2

这可能是问得最多的有关 VPN 访问的问题。

搜索分割隧道

简而言之，您的 VPN 配置中似乎没有启用分割隧道。

因此，当连接到 VPN 时，您最终会得到两个默认网关。

0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
0.0.0.0          0.0.0.0    192.168.220.1  192.168.221.131      2

在不使用拆分隧道的情况下设置 VPN 访问时，您基本上会要求 VPN 客户端通过 VPN 端点路由所有流量。

这就是您“失去”对 LAN 的访问权限的原因。