Routing to subnet behind a WinXP VPN client.

Jan 20th, 2008

Hi,


I have the following topology.


(PC)LAN--->GenericRouter-- Internet-->Ent.Network

<------------- VPN-------------------------->



A PC on my LAN has a VPN client and

connects to the Ent.Network (Using a 2811 as a VPN gateway)


The client has Local LAN Access.




My IP Addresses are


Enterprise Network : 10.1.1.0/24

PC VPN : 10.1.1.200

PC Lan : 172.16.1.100




On my PC (running WinXP with IPForwarding Enabled) I get a VPN IP address, and have a local LAN IP address.


From the Ent.Network, I can Ping the VPN Client IP address. (As expected)



Now, I want to be able to ping the Local LAN address from the Ent.Network.


Eg, ping 172.16.1.100 from 10.1.1.xxx



I have setup a static route to the remote network, via the VPN client IP address.


ip route 172.16.1.100 255.255.255.255 10.1.1.200


The route for the VPN client is injected via RRI.




I have also added the subnet to the routemap on the 2811 so that it does not get natted.


But I can't ping from the Ent.Network to the LAN behind the VPN.


A traceroute to 172.16.1.100 from the router (using the source address of the lan) shows no address in the output (just * * * *).


A show ip route 172.16.1.100 shows

via 10.1.1.200




Any ideas on where I should start looking for problems ?

Thanks


JORGE RODRIGUEZ Sun, 01/20/2008 - 13:58

Shahed, this is what I think. I believe you will not be able to connect to the local machine IP simply because 172.16.1.100 is not part of that tunnel. You are VPNing to the Enterprise network, and LAN_PC 172.16.1.100 receives the DHCP IP 10.1.1.200 from the Enterprise VPN gateway, which is the NATed address for 172.16.1.100, so if you want to ping 172.16.1.100 you will do it through its NAT address, which is 10.1.1.200 and established in that VPN tunnel, and you have indicated a successful ping to this. I can only see this being feasible if you had a LAN-to-LAN VPN tunnel from (PC)LAN--->GenericRouter to the VPN gateway at 2811.Ent.Network with no NAT; thus 172.16.1.100 will be part of the tunnel.



Rgds

Jorge


shahedvoicerite Sun, 01/20/2008 - 14:18

Hi Jorge,


Yes, what I am trying to establish is essentially the capability of a site-to-site VPN, using a VPN client!


So I believe what you are saying is that it is not possible at all :-(


Is it at all possible to create a site-to-site VPN using a software client at one end and a 2811 at the other ?


Or will I have to purchase a router ?


Thanks !!

JORGE RODRIGUEZ Sun, 01/20/2008 - 14:49

For LAN-to-LAN you will need a router or firewall as an IPsec termination point. LAN-to-LAN is not possible with a VPN client; you need a device that terminates an IPsec VPN tunnel, and VPN clients alone do not do that. Look into 800 series routers if this is for a small SOHO network, or even a 2801 with security 56/3DES IOS. I highly recommend the ASA5505 with the Security Plus license; the ASA5505 basic license allows for up to 10 LAN-to-LAN VPN sessions and ranges between $350-450 depending on where you buy it from, and the Security Plus license adds another $400 to $500. But with routers you do not have to deal much with licensing other than obtaining the right IOS code.


ASA models

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html


If you decide on a router, post for model recommendations on the WAN Routing and Switching forum; you'll get good recommendations, but as I said, with the right code you can do LAN-to-LAN on any router.



Rgds

Jorge


srue Sun, 01/20/2008 - 15:10

Make sure network extension mode (NEM) is enabled on your VPN setup at the terminating device.

NEM emulates an L2L connection over a VPN client configuration scenario.


Otherwise, the ASA 5505 is probably your best bet, but you can also find the EOL Cisco VPN 3002 on eBay pretty cheap. It's a hardware device that acts like the software VPN client, but it will do network extension mode (NEM), which is the feature you're after.
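Network-extension mode as a configuration, added here to illustrate the reply above; it is not from the poster or the thread. It uses a Cisco 851-class router as the Easy VPN Remote at the (PC)LAN site, with placeholder group name, pre-shared key, peer address, AAA list and interface names; the 172.16.1.0/24 LAN is the one from the original post, and CMAP is assumed to be the crypto map already applied to the 2811's Internet interface.

```cisco
! Added example, not from the thread. Placeholders: EZVPN_REMOTE, EZVPN_GROUP,
! EZVPN_AUTHOR, the pre-shared key, peer 203.0.113.1 (documentation range),
! and the interface names.
!
! ---- Easy VPN Remote (851-class router at the (PC)LAN site) ----
! In network-extension mode the inside subnet, not a pool address, is
! offered as the remote proxy identity, so hosts on 172.16.1.0/24 are
! reachable from the enterprise side with their real addresses.
crypto ipsec client ezvpn EZVPN_REMOTE
 connect auto
 group EZVPN_GROUP key PlaceholderPreSharedKey
 mode network-extension
 peer 203.0.113.1
!
interface Vlan1
 description inside: this subnet becomes the remote proxy identity
 ip address 172.16.1.1 255.255.255.0
 crypto ipsec client ezvpn EZVPN_REMOTE inside
!
interface FastEthernet4
 description outside: Internet-facing
 ip address dhcp
 crypto ipsec client ezvpn EZVPN_REMOTE outside
!
! ---- Easy VPN Server (the 2811) ----
! Only the group and the mode-config hooks need adding. A dynamic crypto
! map with reverse-route (the same RRI already used for the software
! client) injects 172.16.1.0/24 when the remote connects, so a host route
! to 172.16.1.100 is no longer needed.
aaa new-model
aaa authorization network EZVPN_AUTHOR local
crypto isakmp client configuration group EZVPN_GROUP
 key PlaceholderPreSharedKey
crypto map CMAP isakmp authorization list EZVPN_AUTHOR
crypto map CMAP client configuration address respond
!
! Checks:
!   remote:  show crypto ipsec client ezvpn   (state, mode, inside/outside)
!   server:  show ip route static             (172.16.1.0/24 injected by RRI)
!            show crypto ipsec sa             (remote ident 172.16.1.0/255.255.255.0)
```

If the 2811 is also configured to require Xauth (crypto map CMAP client authentication list ...), add xauth userid mode interactive or a saved username to the remote's crypto ipsec client ezvpn block. On an ASA 5505 used as the hardware client, the equivalent setting is vpnclient mode network-extension-mode on the 5505 with nem enable in the headend group-policy.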

shahedvoicerite Sun, 01/20/2008 - 15:16

Hi, I am not sure what NEM mode is (will look it up), but don't you think the 851 would also work for me?


The 5505 and 3002 are still pretty expensive when compared to an 851.


Thanks

Shahed

srue Sun, 01/20/2008 - 20:06

5505s can cost under $400 USD for the base license (10 user). I'm not sure about the 851; as long as it supports IPsec, though, you should be OK.
