Loopback Interface for Client to Site VPN termination

Jul 4th, 2007

My project involves a SOHO 871 router connecting to a headend 3845 router over an unencrypted MPLS network for data communication. Client PCs behind the 871 router at the remote site need to run the Cisco VPN client and connect to the headend 3845 so that they can access information behind the core 6506 switch.

To minimize the setup, I would like to prepare a single VPN profile for all remotes. Therefore, I plan to use the lo0 interface for VPN termination. However, I found that when the VPN connection is up over the lo0 interface, the remote client PC can ping lo0 only and cannot ping any other IP address. When I establish the connection to an interface IP address on the 3845 router instead, the connection works fine.

I attached my config for VPN and the diagram. Can anyone help?

Correct Answer by yongl (Mon, 07/09/2007 - 05:30)

Hi there,

You need to change your split-tunnel ACL to:

ip access-list extended FEHD_VPN
 remark *** Outbound VPN client traffic ***
 permit ip 10.0.0.0 0.255.255.255 10.65.215.0 0.0.0.255

Note: Not sure what is the purpose of 'permit ip host 0.0.0.0 host 0.0.0.0'

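An added example, not from the thread or from Cisco: a small Python evaluator for IOS wildcard-mask ACL entries, applied to the FEHD_VPN split-tunnel list in the answer above. It assumes 10.65.215.0/24 is the VPN client address pool and 10.0.0.0/8 the networks behind the 3845 (the thread does not say), and it also shows why 'permit ip host 0.0.0.0 host 0.0.0.0' matches only the address 0.0.0.0 rather than tunnelling everything the way 'permit ip any any' would.

```python
import ipaddress

# Constructed example of IOS split-tunnel ACL semantics (not Cisco code).
# A split-tunnel ACL is written from the headend's point of view:
# source = networks behind the headend, destination = VPN client pool.
FEHD_VPN = [
    "remark *** Outbound VPN client traffic ***",
    "permit ip 10.0.0.0 0.255.255.255 10.65.215.0 0.0.0.255",
]
ORIGINAL_TUNNEL_ALL_ATTEMPT = ["permit ip host 0.0.0.0 host 0.0.0.0"]
REAL_TUNNEL_ALL = ["permit ip any any"]


def parse_entry(entry):
    """Parse 'permit ip <src> <wc> <dst> <wc>' into (src, swc, dst, dwc); None for remarks."""
    parts = entry.split()
    if parts[0] == "remark":
        return None
    if parts[:2] != ["permit", "ip"]:
        raise ValueError("unsupported entry: " + entry)
    fields, addrs, i = parts[2:], [], 0
    while i < len(fields):
        if fields[i] == "host":            # 'host A' is shorthand for 'A 0.0.0.0'
            addrs.append((fields[i + 1], "0.0.0.0")); i += 2
        elif fields[i] == "any":           # 'any' is shorthand for '0.0.0.0 255.255.255.255'
            addrs.append(("0.0.0.0", "255.255.255.255")); i += 1
        else:
            addrs.append((fields[i], fields[i + 1])); i += 2
    (src, swc), (dst, dwc) = addrs
    return src, swc, dst, dwc


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF


def tunnelled(acl, src, dst):
    """True if traffic src->dst is selected by the split-tunnel ACL (first match wins)."""
    for entry in acl:
        parsed = parse_entry(entry)
        if parsed is None:
            continue
        s, swc, d, dwc = parsed
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return True
    return False
```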

leon.mflai Thu, 07/12/2007 - 06:04

Hi,

I tried your advice but it still does not work. Actually, "permit ip host 0.0.0.0 host 0.0.0.0 ...." is for tunnel-all, but it made no difference even when I removed the "ACL...." in the crypto setup. I inspected the VPN client stats in the Cisco VPN client.

leon.mflai Tue, 08/14/2007 - 09:11

Hi,

Your reply stimulated my memory in split tunnel setup.

tks

Leon
