L2L VPN & Default Gateway for Users

Unanswered Question
Apr 14th, 2010


I have a layer 3 switch with several vlans.

On vlan 5 ( there is a router that has ipsec l2l with a remote site.

The problem is that my users have as default gateway the interface vlan 5 ip address ( so they cannot access the remote sites through the ipsec router.

If I change the default gateway to the router's internal if ( everything is working as expected.

Is there a way to trick this so the users won't have to change their default gw?


Collin Clark Wed, 04/14/2010 - 07:48

Sounds like this could be a routing issue. What does your routing table look like on your L3 switch?

trustcisco Wed, 04/14/2010 - 08:07

There is a default route pointing to my asa firewall.

I have also inserted a route for the remote site to point to the ipsec router


where is the lan subnet of my remote site and the ipsec router.

Collin Clark Wed, 04/14/2010 - 08:12

From a user if you traceroute to the remote VPN subnet, where does it stop? Are your users in the same vlan as your IPSec router and your ASA?

trustcisco Wed, 04/14/2010 - 09:12

Yes, my users and the ipsec router are on the same vlan.

traceroute to (remote lan)

1 -> (ipsec router)

and then I get a destination unreachable, although my vpn tunnel is up and running...

From the other site, I can ping (ipsec router's internal if) but not any other host on

Thanks for your help.

Collin Clark Wed, 04/14/2010 - 09:20

Can any users that are connected to your switch, but not in the same subnet as the IPSec router and the ASA get across the VPN tunnel?

trustcisco Wed, 04/14/2010 - 11:44

The ASA is connected to the L3 Switch through a routed port.

At the moment the crypto access list permits PCs that are on the same vlan with the ipsec router. So unfortunately I can't test your scenario.

Collin Clark Wed, 04/14/2010 - 11:58

Does your ASA have a route for the remote VPN subnet pointing to the router? What do the logs on the router say when you try and go across the tunnel?

trustcisco Wed, 04/14/2010 - 12:52

Yes it does, I can see matches in my crypto access list but still no connectivity...

Collin Clark Wed, 04/14/2010 - 14:30

Do you have an ACL on the inside interface of the ASA? Can you also put together a simple diagram?

droeun141 Wed, 04/14/2010 - 19:46

When users choose the VPN router as their default GW the connection works, so I don't think the ASA is involved. Is the inside or outside interface of the VPN router? Or does it only have 1?

trustcisco Thu, 04/15/2010 - 00:49




|LAYER 3 SWITCH|  ------- (internal if - ip address Router Part of Vlan5 (ext if  = vpn tunnel = Remote Router.


   |        |                 |

vlan3 vlan4        vlan5(

Users on vlan 5 have as default gw the If I change the default gw to my ipsec router's internal ip I have connectivity.

On my layer 3 Switch i have an ip route command like ip route where is the remote router's lan.

The ipsec router has 2 interfaces as shown above.

trustcisco Thu, 04/15/2010 - 01:18

OK, I have some new feedback on this.

When the users change their default gateway to (ipsec router's internal if) I have connectivity, but only from the remote site.

Meaning, users on the remote lan can access user PCs on but not vice versa.

It seems that even changing the default gateway for my users to they cannot access
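The forwarding-path question the thread keeps circling (same vlan for users and the IPsec router, default gateway on the switch SVI, static route on the switch back to the router) as an added example that is not part of the original discussion: a small Python model of the topology in the diagram, with constructed placeholder addresses because the thread's real IPs did not survive, tracing where packets go with the SVI as gateway versus the IPsec router's internal interface.

```python
import ipaddress

# Constructed addresses standing in for the IPs stripped from the thread.
USERS_VLAN5 = ipaddress.ip_network("10.5.0.0/24")    # vlan 5: users + IPsec router inside if
REMOTE_LAN = ipaddress.ip_network("192.168.50.0/24")  # LAN behind the remote router
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
SVI_VLAN5 = ipaddress.ip_address("10.5.0.1")          # L3 switch SVI, users' default gw
IPSEC_INSIDE = ipaddress.ip_address("10.5.0.2")       # IPsec router, internal if
ASA_INSIDE = ipaddress.ip_address("10.0.0.2")         # ASA on the switch's routed port

HOSTS = {"user", "user_fixed"}
# Per-device forwarding tables: (prefix, next hop | "connected" | "tunnel").
TABLES = {
    "user": [(USERS_VLAN5, "connected"), (DEFAULT, SVI_VLAN5)],           # gw = SVI
    "user_fixed": [(USERS_VLAN5, "connected"), (DEFAULT, IPSEC_INSIDE)],  # gw = router
    "switch": [(USERS_VLAN5, "connected"), (REMOTE_LAN, IPSEC_INSIDE), (DEFAULT, ASA_INSIDE)],
    "ipsec": [(USERS_VLAN5, "connected"), (REMOTE_LAN, "tunnel")],
}
OWNER = {SVI_VLAN5: "switch", IPSEC_INSIDE: "ipsec"}  # ASA is never on this path

def lookup(device, dst):
    """Longest-prefix match in one device's table; None if nothing matches."""
    matches = [(p, nh) for p, nh in TABLES[device] if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(device, dst, max_hops=8):
    """Hop-by-hop path until the destination is directly connected or tunnelled."""
    dst, path = ipaddress.ip_address(dst), [device]
    for _ in range(max_hops):
        nh = lookup(device, dst)
        if nh in ("connected", "tunnel"):
            return path + [nh]
        if nh not in OWNER:
            return path + ["unreachable"]
        device = OWNER[nh]
        path.append(device)
    return path + ["loop?"]

def routers(path):
    return {hop for hop in path if hop in TABLES and hop not in HOSTS}

def path_symmetric(user_device):
    """Compare routers seen outbound (user -> remote) and inbound (tunnel -> user)."""
    out = trace(user_device, "192.168.50.10")
    back = trace("ipsec", "10.5.0.10")  # a remote packet leaves the tunnel at the IPsec router
    return routers(out) == routers(back), out, back

if __name__ == "__main__":
    for dev in ("user", "user_fixed"):
        sym, out, back = path_symmetric(dev)
        print(dev, "symmetric" if sym else "ASYMMETRIC", out, back)
```

With the SVI as gateway the outbound packet hairpins through the switch back onto the same vlan while the reply from the tunnel goes straight to the host, so the two directions cross different devices; that is the asymmetry (and the ICMP redirect the switch will send) worth confirming with a traceroute from each end before looking at the tunnel itself.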

ozzyosbu1 Thu, 04/15/2010 - 03:21

Seems like some ACL in the ASA is blocking the traffic.

Could you please share the routing table of the gateway routers at both sites.

trustcisco Thu, 04/15/2010 - 13:35

It seems that there is a problem with my ISP and their ability to route 3G traffic.

Thank you all for your help.
