Enabling VPN-connected Laptops to access WLAN Subnet

emmanuel_s · ‎04-28-2008

My set-up looks like this:

VPN-client host-->WLAN Subnet-->AccessPt1242AG-->Cisco871 Router-->Internet-->VPN server

I was able to connect to other wireless devices within my WLAN when I am not connected

to the VPN server. Whenever a host w/in WLAN connects to the Nortel VPN server in our HQ through Internet using Nortel Contivity Client Software, it can successfully connect to the VPN server and access remote devices.

My issue is that I want these VPN-connected hosts to still access devices in my WLAN. How can I modify my network to allow this service?

-If I need to add a static route on my local router-Cisco871 and on the remote VPN server,

what are the specific static routes to be used?

Thanks in advance!

andrew.prince · ‎04-29-2008

You have to amend the encryption domains for the VPN client users. You must "remove" or "allow local LAN" access to your local subnet from the VPN Client Encryption domain.

i.e if they connect onto the VPN and the encryption domain is 10.0.0.0/8 then ALL 10.0.0.0/8 traffic will be encrypted, anything else will leave the client locally.

HTH.

emmanuel_s · ‎04-29-2008

First of all thanks Andrew for your reply. What do you mean by 'VPN client encryption domain'? Since this is a client-to-site setup.

Do I have to request to change the policy in VPN server...i.e., to allow local LAN access to the local subnet?

in your example, is 10.0.0.0/8 is the virtual IP? Thanks for clarification.

brgds,

emman

andrew.prince · ‎04-29-2008

Emman,

Encryption Domain is the IP Subnet range that will be encrypted. i.e if a user is connected to your wlan and you give a DHCP address of 192.168.1.x/24. When a client connects to the central VPN they will get a local virtual VPN ip address say 10.254.254.x/24. IF the enryption domain for the VPN client is 10.254.254.x then only that traffic is encrypted. If the client sends traffic to the 192.168.1.x it will NOT be encrypted. But if the VPN encryption domain is 10.x.x.x then ALL traffic for 10/8 will be encrypted.

In your case I can think of 2 reasons why the VPN clients cannot use your local services:-

1) Your WLAN subnet is in the encryption domain for the VPN Clients.

2) The VPN encryption domain is 0.0.0.0 - which means is ALL gets encrypted.

I would check the the network manager for the VPN Server to see what can be done to allow "local" browsing.

HTH.

emmanuel_s · ‎04-29-2008

hi Andrew,

the IP for WLAN subnet or encryption domain as you say (116.x.x.x/24) is different from local virtual VPN IP (153.x.x.x/24). In this case, I will work on this with the network manager of VPN Server so we can still access local WLAN subnet with VPN client connected to central VPN. I will update this post on the progress. Many Thanks!!!