
How can I maintain local LAN access while connected to Cisco VPN?

When connecting using Cisco VPN, the server has the ability to instruct the client to prevent local LAN access.

Assuming this server-side option cannot be turned off, how can I allow local LAN access while connected with a Cisco VPN client?

I used to think it was simply a matter of routes being added that capture LAN traffic with a higher metric, for example:

And trying to delete the 10.0.x.x -> route doesn't have any effect:

And while it still might simply be a routing issue, attempts to add or delete routes fail.

At what level is the Cisco VPN client driver doing what in the networking stack that overrides a local administrator's ability to administer their machine?

The Cisco VPN client cannot be employing magic. It's still software running on my computer. What mechanism is it using to interfere with my machine's network? What happens when an IP/ICMP packet arrives on the network? Where in the networking stack is the packet getting eaten?

Edit: Things I've not yet tried:

Update: Since Cisco has abandoned their old client, in favor of AnyConnect (HTTP SSL based VPN), this question, unsolved, can be left as a relic of history.

Going forward, we can try to solve the same problem with their new client.

Ian Boyd

10 Answers

The problem with AnyConnect is that it first modifies the routing table, then babysits it and fixes it up should you modify it manually. I found a workaround for this. Works with versions 3.1.00495, 3.1.05152, 3.1.05170, and probably anything else in the 3.1 family. May work with other versions; at least a similar idea should work, assuming the code does not get rewritten. Fortunately for us, Cisco has put the babysitter's 'baby is awake' call into a shared library. So the idea is that we prevent action by vpnagentd via LD_PRELOAD.

  1. First we create a file hack.c:

  2. Then compile it like this:

  3. Install into the Cisco library path:

  4. Bring down the agent:

  5. Make sure it really is down

    If not, kill -9 just to be sure.

  6. Then fix up /etc/init.d/vpnagentd by adding LD_PRELOAD=/opt/cisco/anyconnect/lib/libhack.so where vpnagentd is being invoked, so it looks like this:

  7. Now start the agent:

  8. Fix up iptables, because AnyConnect messes with them:

    You may want to do something more advanced here to allow access only to certain LAN hosts.

  9. Now fix up the routes as you please, for example:

  10. Check to see if they are really there:

A previous, simpler version of this hack gave a function that only did 'return 0;' - that poster noted that 'The only side effect that I've observed so far is that vpnagentd is using 100% of CPU as reported by top, but overall CPU is only 3% user and 20% system, and the system is perfectly responsive. I straced it, it seems to be doing two selects in a loop when idle returning from both quickly, but it never reads or writes - I suppose the call that I cut out with LD_PRELOAD was supposed to read. There might be a cleaner way to do it, but it is good enough for me so far. If somebody has a better solution, please share.'

The problem with the trivial hack is that it caused a single CPU core to be at 100% all the time, effectively reducing your hardware CPU thread count by one, whether your VPN connection was active or not. I noticed that the selects the code was doing were on a netlink socket, which sends vpnagentd data when the routing table changes. vpnagentd keeps noticing there's a new message on the netlink socket and calls routeCallBackHandler to deal with it, but since the trivial hack doesn't clear the new message it just keeps getting called again and again. The new code provided above flushes the netlink data, so the endless loop which caused the 100% CPU doesn't happen.


If something does not work, do gdb -p $(pidof vpnagentd) and, once attached:

and see which call you are in. Then just guess which one you want to cut out, add it to hack.c and recompile.

Sasha Pachev
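The answer above describes the mechanism but the hack.c listing did not survive on this page. The following is an added example in the same spirit, not the original poster's code: an LD_PRELOAD interposer that shadows the agent's route-change callback and, instead of the earlier `return 0;` trick, drains the netlink socket so the select() loop does not spin at 100% CPU. The symbol name `route_change_callback` and its single file-descriptor argument are placeholders; the real symbol in the Cisco library has to be located with gdb/nm as the answer describes, and the hook must match its exact signature. The demo runs on a constructed socketpair standing in for the netlink socket.

```c
/* hack_drain.c -- added example in the spirit of the LD_PRELOAD hack above;
 * this is not the original poster's hack.c. The symbol name
 * route_change_callback and its int-fd argument are placeholders: the real
 * symbol in the Cisco library has to be found with gdb/nm as the answer
 * describes, and the hook must match its exact signature.
 * Build as a preload object with:  gcc -shared -fPIC -o libhack.so hack_drain.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Read and discard every pending datagram without blocking; returns how many
 * were discarded. This is the fix for the "return 0;" version's 100% CPU:
 * a netlink socket stays readable until the route-change messages are
 * actually read, so an interposer that returns without reading makes the
 * agent's select() loop spin forever. */
size_t drain_socket(int fd)
{
    char buf[8192];
    size_t n = 0;
    for (;;) {
        ssize_t r = recv(fd, buf, sizeof buf, MSG_DONTWAIT);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            break;              /* EAGAIN/EWOULDBLOCK (or EBADF): nothing to read */
        }
        if (r == 0)
            break;              /* peer closed */
        n++;
    }
    return n;
}

/* The interposed callback. Objects in LD_PRELOAD are searched first, so this
 * definition shadows the agent's own and its "put my routes back" logic never
 * runs; we only consume the notification that woke it. */
int route_change_callback(int netlink_fd)
{
    drain_socket(netlink_fd);
    return 0;
}

/* Demonstration on a constructed socketpair standing in for the netlink
 * socket: queue three fake route-change notifications, drain them through
 * the hook path, and confirm a second drain finds nothing. Returns the
 * number drained (3), or -1 on setup failure. */
int demo_drain(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    for (int i = 0; i < 3; i++) {
        if (send(sv[0], "RTM_NEWROUTE", 12, 0) != 12)
            return -1;
    }
    int first = (int)drain_socket(sv[1]);
    int second = (int)drain_socket(sv[1]);
    close(sv[0]);
    close(sv[1]);
    return second == 0 ? first : -1;
}

/* Stand-alone run only; irrelevant when the object is loaded via LD_PRELOAD. */
int main(void)
{
    printf("drained %d queued notifications\n", demo_drain());
    return 0;
}
```

Interposition of this kind only works for symbols the agent resolves through the dynamic linker, i.e. calls that cross a shared-library boundary, which is exactly the property the answer relies on; a static or internal call cannot be hooked this way and would need binary patching instead, as a later answer on this page reports doing on Windows.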

This is VERY convoluted, but if you create a minimal VM using VMWare Player or similar, and run the Cisco AnyConnect VPN client in that, it might be possible to set up routing as you want using the VMWare virtual network adapters, or simply use the VM for access to whatever resources are required via the Cisco SSL VPN and 'drag/drop' files to/from your actual machine.


Shrew Soft VPN software did the trick for me, also, as Ian Boyd suggested.

It can import Cisco VPN client profiles. I have used Cisco VPN Client version, and after installing the Shrew VPN (version 2.1.7) and importing Cisco profile, I was able to access local LAN while connected to corporate VPN without any additional configuration of Shrew VPN connection (or software).


Thanks to Sasha Pachev for the nice hack above.

vpnagentd also messes with the resolver by overwriting the changes made to /etc/resolv.conf. I solved it by eventually winning the race against it:

Don't forget to chattr -i /etc/resolv.conf when disconnecting.

I'm trying to solve it by intercepting the callback, like for the routes method above, but can't yet find the corresponding callback or method.

Update 1/2: A strace revealed that vpnagentd is using the inotify API to monitor the resolver file changes. From there onwards it was downhill. Here's the additional hack:

That's a little bit overkill, granted, as it disables all file watching for the agent. But seems to work OK.

The VPN client wrapper script below integrates all the functionality (updated to include this additional hack). chattr is no longer used/needed.

Update 3: Fixed username/password settings in the script. It now uses a vpn.conf file with the format described below (and root-only permissions).

Mauro Lacy
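The inotify hack and the wrapper script referred to above are missing from this page. The following is an added example, not the poster's code, showing the narrower form of the same idea: an LD_PRELOAD object that shadows the libc wrapper inotify_add_watch() so a watch on /etc/resolv.conf is refused while every other watch is passed to the kernel through the raw syscall (no dlsym/RTLD_NEXT needed). Limiting it to the resolver file and its directory, and returning a fake watch descriptor rather than an error, are assumptions about what the agent tolerates, not something the page demonstrates.

```c
/* libnowatch.c -- added example, not the poster's additional hack. It
 * interposes the libc wrapper inotify_add_watch() so that a watch on the
 * resolver file is silently refused while all other watches pass through to
 * the kernel via the raw syscall. The poster's version disabled all file
 * watching; limiting it to /etc/resolv.conf and its directory is an
 * assumption about what is sufficient.
 * Build with:  gcc -shared -fPIC -o libnowatch.so libnowatch.c
 * then add it to the LD_PRELOAD list next to libhack.so. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Watch descriptor handed back for refused watches: the agent sees success,
 * but the kernel never delivers events for it. A later inotify_rm_watch() on
 * it fails with EINVAL, which a well-behaved caller just logs. */
enum { FAKE_WD = 0x7fff };

static const char *const BLOCKED_PATHS[] = {
    "/etc/resolv.conf",
    "/etc",     /* a directory watch would also see resolv.conf replaced by rename */
    NULL
};

/* Pure policy decision, kept apart from the hook so it can be tested without
 * a real inotify instance. Returns 1 when the watch should be refused. */
int watch_is_blocked(const char *pathname)
{
    if (pathname == NULL)
        return 0;
    for (size_t i = 0; BLOCKED_PATHS[i] != NULL; i++) {
        if (strcmp(pathname, BLOCKED_PATHS[i]) == 0)
            return 1;
    }
    return 0;
}

/* Same name and signature as glibc's wrapper, so the dynamic linker binds the
 * agent's calls here when this object is listed in LD_PRELOAD. */
int inotify_add_watch(int fd, const char *pathname, uint32_t mask)
{
    if (watch_is_blocked(pathname))
        return FAKE_WD;
    /* Pass-through: ask the kernel directly instead of calling the libc
     * wrapper we have just shadowed. */
    return (int)syscall(SYS_inotify_add_watch, fd, pathname, mask);
}
```

Because the agent still believes it holds a watch, it keeps its normal idle loop and does not fall back to polling; confirm with strace that no further inotify_add_watch calls on /etc/resolv.conf succeed after the preload is in place.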

My company still uses that VPN. The vpnc client simply changes your iptables settings this way:

It filters all except for the vpn traffic.

Simply get the filter in a file with iptables-save, add INPUT and OUTPUT access lines that match your needs, and reapply the file with iptables-restore.

For instance, to access a local network on 192.168.0:
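The rule lines for the 192.168.0 example did not survive on this page. As an added example (not the poster's own commands), here is the iptables-save / edit / iptables-restore flow as a shell function that places ACCEPT rules for a LAN prefix ahead of whatever the VPN client appended to the filter table, so they match first. The dump in sample_dump is constructed for the demo and 203.0.113.10 is a placeholder VPN gateway.

```sh
#!/bin/sh
# Added example; these are not the poster's own commands. allow_lan reads an
# iptables-save dump on stdin and writes it back out with ACCEPT rules for a
# LAN prefix placed ahead of every rule in the filter table (or just before
# COMMIT if the table has no rules), so they match before the VPN client's
# own rules. The real flow is:
#   iptables-save > /tmp/fw.orig
#   allow_lan 192.168.0.0/24 < /tmp/fw.orig > /tmp/fw.lan
#   iptables-restore < /tmp/fw.lan
allow_lan() {
    lan="$1"
    awk -v lan="$lan" '
        /^\*filter$/ { in_filter = 1 }
        in_filter && !done && (/^-A / || /^COMMIT$/) {
            print "-A INPUT -s " lan " -j ACCEPT"
            print "-A OUTPUT -d " lan " -j ACCEPT"
            done = 1
        }
        /^COMMIT$/ { in_filter = 0 }
        { print }
    '
}

# Constructed sample resembling what a client that "filters all except VPN
# traffic" leaves behind; 203.0.113.10 is a placeholder VPN gateway.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -j ACCEPT
COMMIT
EOF
}

# Number of rules mentioning the LAN prefix in the rewritten dump (expect 2).
count_lan_rules() {
    sample_dump | allow_lan "$1" | grep -c -- "$1"
}

# First rule of the rewritten filter table, to check that ours comes first.
first_rule() {
    sample_dump | allow_lan "$1" | grep '^-A ' | head -n 1
}

sample_dump | allow_lan "${1:-192.168.0.0/24}"
```

iptables-restore replaces the whole table atomically, so there is no window with an empty ruleset; but as the LD_PRELOAD answer above notes, the client rewrites its rules on (re)connect, so the restore has to be repeated after each connection, or hooked into the client's connect script.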


Any news on this?

At what level is the Cisco VPN client driver doing what in the networking stack that overrides a local administrator's ability to administer their machine?

I fully agree and was wondering about the same thing.

Anyway, it's an app that requires admin privileges to install and while it runs it may very well filter what you do...

My attempts on Windows fail too:

Haha. No metric below 20 here it seems.


I don't know if I have understood it right, but let me first clarify my understanding:

You have a local LAN (for example, say, and a remote Cisco VPN Server (for example, You want to connect to the VPN server through the Cisco VPN client and yet you need to have the LAN access. In this case you want to separate the whole 10.0.x.x/16 from the VPN connection). The following route must be added in a Mac client:

where en1 is the interface through which you are connected to your LAN. I know you can add the same thing in Windows and Linux as well.

Yasser Sobhdel

Since I cannot add comments, I'll post here. I'm running on Windows.

The solution of using a virtual machine, running AnyConnect inside the VM and then using the VM as a mediator between your working environment and the company's network won't work if your 'beloved' IT department routes through the VPN, so that even your local network (including the one between your local PC and the VM) is routed through the VPN (sic!).

I tried to apply the solution posted by @Sasha Pachev, but eventually I ended up patching the .dll so that it returns 0 at the beginning of the function. Eventually, after some fight with the dynamic library, I was able to modify routing tables according to my needs, but apparently that's not enough!

Even though my rules seem to be correct to achieve split tunneling, I still get General Failure. Did you come across a similar problem, and were you able to solve it?

  • My gateway to the internet is
  • My gateway to the company's network is (thus the whole 10.*.*.* subnet I treat as the 'company's')

This is how my routing table looks now (after manual modifications while the VPN is on):

yet the results of ping are the following:

Just for reference, below is how the route table looks when the VPN is disconnected (unaltered):

and this is how the table looks when the VPN is connected (unaltered). In that case, when I'm trying to ping I simply get a timeout (since the company's firewall does not allow traffic to go outside the intranet):


For those looking to maintain control of their routing table when using a Cisco AnyConnect SSL VPN, check out OpenConnect. It both supports the Cisco AnyConnect SSL VPN and doesn't attempt to disrupt or 'secure' routing table entries. @Vadzim alludes to this in a comment above.

After trying everything but patching the AnyConnect Secure Mobility Client, I was able to successfully replace it on Windows with OpenConnect GUI. This enabled me to maintain connectivity to local resources (and update the routing table).

I use OpenConnect on Windows but it also supports Linux, BSD, and macOS (among other platforms) according to the project page.

Robert Mooney

Try removing those entries with gateway , see if ping works, then add them back one by one and identify which one is causing the trouble.

How did you patch the DLL? I can't even modify the routing table because it keeps adding the  with the VPN gateway back.

Matthew Williams
