MacOS is it possible to run AnyConnect and IPSEC tunnels at the same time? Or how does IPSEC work?

from_afar

I'm trying to solve an issue with some Mac users that are having problems with our tunnel-all config on AnyConnect (we must use tunnel-all for our AnyConnect VPN users for various reasons). The Mac users aren't necessarily under this constraint, so they could have tunnel-all turned off. However, there doesn't seem to be a way to do this with AnyConnect (I tried checking if I could create separate profiles for them but didn't see a way to accomplish this).

This leaves setting up IPSec VPN for them to use. However, after setting IPSec up, I could not get it to connect with AnyConnect still installed on the MacBooks (there is the Socket Filter and other utilities that can't be turned off, or that just turn themselves right back on if disabled; not sure if this is why), but once AnyConnect was fully uninstalled, the IPSec tunnel works. I thought this might be the answer since in the Options settings for the VPN there is the option to "send all traffic over VPN" which can be turned on and off. But when I try this, it doesn't seem to allow any traffic to the LAN to connect when "send all traffic over VPN" is turned off.


What traffic should be sent over the VPN if "send all traffic over VPN" is unchecked? It seems like when I uncheck the "Send all traffic" checkbox, I cannot reach anything on the LAN when the VPN is connected. I can't ping, nslookup, or reach any intranet sites or anything. When "send all traffic" is checked, I can reach everything on the LAN fine.


Is there some way to either turn off send all traffic with AnyConnect for just "some" users, or is there some way to determine what traffic is sent over the VPN when the IPSec VPN is connected and "send all traffic over VPN" is unchecked?


Thanks.

1 Reply
Tony-Sydney-AU
Meraki Employee All-Star

Hello @from_afar! Hope you're doing great!


That's a cool topic I personally enjoy talking about: AnyConnect and IPSec Client VPN routing, full and split tunnel.


Your questions are great so I'm answering quoting you on each one.

1) [main question and topic here] "MacOS is it possible to run AnyConnect and IPSEC tunnels at the same time? Or how does IPSEC work?"


Answer-1) Yes, it's possible; two different client VPN types can co-exist as long as there are no overlapping routes or interface addresses. And this is a general routing principle that applies to any operating system, not just macOS. IPSec works just like any tunnel interface: it will either route all traffic via the tunnel to the VPN server or gateway if it's configured to do full tunnel (or tunnel all, as you call it), or it will route only some packets via the tunnel (split tunnel).


This document explaining how to configure split-tunnel starts with a nice diagram and overview describing this. It talks about IPSec Client VPN, but the same principle applies to AnyConnect.


Now, the difference between AnyConnect and IPSec is that IPSec requires you to manually configure the destinations that must flow via the tunnel. On the other hand, AnyConnect can configure the destinations at the VPN server or gateway.


You can check details on how to configure split-tunnel in AnyConnect in this document here.


I don't know much about your network design but I'm sharing an example based on my own experience in support. Imagine the following scenario:


A macOS laptop needs to do AnyConnect VPN while still being able to access its local network 192.168.1.0/24. At the same time, this remote user's laptop must access the Internet using its own ISP link. This requirement is key, as we want to leave more Internet speed to the MX. The MX is serving AnyConnect, and the remote user's macOS laptop must access the following VLANs/subnets behind the MX: VLAN1 = 172.16.1.0/24; VLAN2 = 172.16.2.0/24.


In this scenario, you would configure the AnyConnect client routing option to "Only send traffic going to these destinations" and then add 172.16.1.0/24 and 172.16.2.0/24. Doing this would configure split tunnel, with the AnyConnect software running in macOS adding these routing rules. As a result, this laptop would access its local network 192.168.1.0/24 and the Internet using its own local interface, and only use the AnyConnect VPN tunnel when accessing a resource within 172.16.1.0/24 and 172.16.2.0/24.


You could do it with IPSec VPN as well, but it would require you to do a lot of manual configuration on the macOS client side. It's all in this document explaining how to configure split-tunnel.


Hope this information is useful. Feel free to reply here if you have further questions / concerns.
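The routing rule both posts turn on (the kernel picks the route with the longest matching prefix, so "send all traffic" and split tunnel differ only in which prefixes point at the tunnel interface, and two VPN clients can coexist only while their prefixes do not collide) modelled in Python. This is an added example for this thread, not code from the original posts or from Cisco/Meraki; the interface names en0/utun3/utun4, the sample headend address 203.0.113.10, and the use of two /1 routes to implement full tunnel are constructed assumptions about how the table ends up, not a statement about AnyConnect internals.

```python
"""Longest-prefix-match model of the macOS route table with a VPN up.

Added example for this thread, not Cisco/Meraki code. Interface names
(en0, utun3, utun4), the sample headend 203.0.113.10 and the two /1
routes used for "full tunnel" are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, str]  # (destination prefix, egress interface)

LAN = ipaddress.ip_network("192.168.1.0/24")      # remote user's own LAN
HEADEND = ipaddress.ip_address("203.0.113.10")    # MX public IP (constructed)
VPN_SUBNETS = ["172.16.1.0/24", "172.16.2.0/24"]  # VLAN1 / VLAN2 behind the MX


def base_table() -> List[Route]:
    """Routes present before any VPN connects: default and LAN via en0."""
    return [(ipaddress.ip_network("0.0.0.0/0"), "en0"), (LAN, "en0")]


def split_tunnel_table(subnets: List[str], tun: str = "utun3") -> List[Route]:
    """Split tunnel: only the listed destinations are routed into the tunnel.
    The headend itself stays on en0 so the encapsulated packets do not loop."""
    table = base_table()
    table.append((ipaddress.ip_network(f"{HEADEND}/32"), "en0"))
    table += [(ipaddress.ip_network(s), tun) for s in subnets]
    return table


def full_tunnel_table(tun: str = "utun3") -> List[Route]:
    """Full tunnel ("send all traffic"): 0.0.0.0/1 and 128.0.0.0/1 via the
    tunnel outrank the /0 default without deleting it (a common VPN-client
    technique, assumed here)."""
    table = base_table()
    table.append((ipaddress.ip_network(f"{HEADEND}/32"), "en0"))
    table += [(ipaddress.ip_network("0.0.0.0/1"), tun),
              (ipaddress.ip_network("128.0.0.0/1"), tun)]
    return table


def egress(table: List[Route], dst: str) -> str:
    """Interface chosen for dst: the matching route with the longest prefix;
    on a tie the earlier entry wins."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def classify(table: List[Route], dests: List[str]) -> Dict[str, str]:
    """Map each destination to the interface it would leave on."""
    return {d: egress(table, d) for d in dests}


def ambiguous_prefixes(table: List[Route]) -> List[Tuple[Net, str, str]]:
    """Same prefix installed for two different interfaces, e.g. AnyConnect and
    an IPSec profile both claiming 172.16.1.0/24: the 'overlapping routes' case."""
    seen: Dict[Net, str] = {}
    out: List[Tuple[Net, str, str]] = []
    for net, iface in table:
        if net in seen and seen[net] != iface:
            out.append((net, seen[net], iface))
        seen.setdefault(net, iface)
    return out


def lan_shadowed(table: List[Route], lan: Net = LAN, local: str = "en0") -> List[Route]:
    """Tunnel routes at least as specific as the local LAN that overlap it:
    these win longest-prefix match and silently pull LAN traffic into the tunnel."""
    return [(n, i) for n, i in table
            if i != local and n.overlaps(lan) and n.prefixlen >= lan.prefixlen]


if __name__ == "__main__":
    probes = ["172.16.1.10", "192.168.1.20", "8.8.8.8", str(HEADEND)]
    print("split tunnel    :", classify(split_tunnel_table(VPN_SUBNETS), probes))
    print("full tunnel     :", classify(full_tunnel_table(), probes))
    print("no routes pushed:", classify(split_tunnel_table([]), probes))
    clash = split_tunnel_table(VPN_SUBNETS) + [(ipaddress.ip_network("172.16.1.0/24"), "utun4")]
    print("overlap         :", ambiguous_prefixes(clash))
```

`split_tunnel_table([])` reproduces the symptom in the question: with "send all traffic" off and no route for 172.16.x pointing at the tunnel, those packets leave on en0 and never reach the LAN behind the MX, which is why the macOS IPSec client needs either the split-tunnel routes added by hand or full tunnel. On a real Mac, compare the model with `netstat -rn -f inet` and `route -n get 172.16.1.10` before and after connecting. The model covers routes only; a VPN client can additionally enforce full tunnel with a packet filter, which a route lookup will not show.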