ipsec site-to-site VPN and cisco VPN client routing problem


Hello,

I am really stuck with configuring ipsec site-to-site vpn (hub to spoke, multiple spokes) with cisco vpn client remote access to this vpn.

The problem is with remote access (Cisco VPN Client access): I can communicate with the hub LAN, but I also need communication from the Cisco VPN Client to all spoke LANs.

On the spokes there is no cisco hardware used - there are DLINK routers.

Somebody told me it is possible to use NAT to translate the remote access clients to a HUB LAN IP and so allow communication, but I am unable to configure it and get it working.

Can somebody help me please ?

Thank you

Peter

SPOKES - not cisco devices / another vendor

HUB cisco 1841 hsec:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key x address xx no-xauth
!
! Cisco VPN Client group: addresses from vpnclientpool, split tunnel per ACL 190
crypto isakmp client configuration group x
 key x
 pool vpnclientpool
 acl 190
 include-local-lan
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set 1cisco
!
crypto map ETH0 client authentication list userauthen
crypto map ETH0 isakmp authorization list groupauthor
crypto map ETH0 client configuration address respond
! static entry: site-to-site tunnel to the spoke, interesting traffic per ACL 180
crypto map ETH0 1 ipsec-isakmp
 set peer x
 set transform-set 1cisco
 set pfs group2
 match address 180
! dynamic entry: remote-access VPN clients
crypto map ETH0 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/1
 description $ES_WAN$
 crypto map ETH0
!
ip local pool vpnclientpool 192.168.200.100 192.168.200.150
!
! PAT for Internet traffic; the deny lines exempt VPN traffic from NAT so it still matches the crypto ACLs
ip nat inside source list LOCAL interface FastEthernet0/1 overload
!
ip access-list extended LOCAL
 deny   ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
! 180: site-to-site crypto ACL; 190: VPN Client split-tunnel ACL
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
!

Jennifer Halim Mon, 08/16/2010 - 14:46

Both the crypto ACL for the site-to-site VPN and the split tunnel ACL for the Cisco VPN Client need the respective ACL line added.

Based on the configuration, I believe you have the following:

Local subnet: 192.168.7.0/24

Remote subnet: 192.168.1.0/24

VPN Client subnet: 192.168.200.0/24

ACL 180 is used for the site-to-site VPN crypto ACL, you would need to add the following:

access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

On the remote DLINK router, you would also need to add the corresponding mirror image ACL:

access-list xxx permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

Then on the split tunnel ACL: 190, you would also need to add the following:

access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

Hope that helps.

Hello,

thank you for your help. I have altered the ACLs:

ip access-list extended LOCAL
 ! local lan - remote lan A
 deny   ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 ! local lan - vpn client
 deny   ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 ! vpn client - remote lan A
 deny   ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
! local lan - vpn client
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
! remote lan A - vpn client
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
!
! local lan - remote lan A
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
! vpn client - remote lan A
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

But I cannot reach the remote lan A from the cisco vpn clients.

The remote LAN routers are not Cisco devices; they are low-end DLINK VPN routers with a web GUI. I cannot configure the reverse ACL on them. I think that's the problem.

Is it somehow possible to use NAT to translate the remote access VPN clients to a local LAN IP and so reach remote LAN A?

Thank you

Correct Answer
Jennifer Halim Tue, 08/17/2010 - 01:29

How was the DLINK configured for the traffic between the site-to-site VPN subnets? Are you able to add multiple remote subnets on DLINK? If you can, then you need to add the VPN Client pool subnet.

Alternatively, if you can't add multiple subnets on the DLINK router, you can change the VPN Client pool to 192.168.6.0/24, and on the crypto ACL between the site-to-site VPN peers you need to change the existing ACL 180

FROM:

access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

TO:

access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

Then also change the split tunnel ACL 190:

FROM:

access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

TO:

access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

Lastly, change the DLINK remote subnet from 192.168.7.0/255.255.255.0 to 192.168.6.0/255.255.254.0.

Hope that helps.
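To make the reasoning in this thread checkable, here is an added Python model (not part of the thread, and not Cisco or D-Link code) of the three things the accepted answer relies on: IOS wildcard-mask matching (why 192.168.6.0 0.0.1.255 covers both the 192.168.6.0/24 pool and the 192.168.7.0/24 hub LAN), the fact that inside-to-outside NAT runs before the crypto map on IOS (so a flow must be exempted from ACL LOCAL before it can match ACL 180), and the mirror-image rule for crypto ACLs between the two peers. The hub-side ACLs are the ones quoted above; the spoke-side lines are constructed stand-ins for what the DLINK's single "remote subnet" field amounts to, and the extra NAT-exemption line for the moved pool (NAT_EXEMPT_LOCAL_FIXED) is a hypothetical addition that the thread does not mention.

```python
"""Model of the IOS ACL logic behind the answer: wildcard matching, NAT exemption
versus crypto ACL ordering, and mirror-image proxy IDs between the two peers.
Added example, not part of the thread; spoke-side ACLs are constructed."""
import ipaddress
from typing import Dict, List, Tuple

ACE = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' -> network. The wildcard is the inverted mask, so
    192.168.6.0 0.0.1.255 is 192.168.6.0/23 (both 192.168.6.0/24 and 192.168.7.0/24)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _addr_spec(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at tok[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def parse_ace(line: str) -> ACE:
    """Parse 'permit|deny ip SRC DST', with or without the numbered 'access-list N' prefix."""
    tok = line.split()
    if tok and tok[0] == "access-list":
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("only 'permit|deny ip' entries are modelled: " + line)
    src, i = _addr_spec(tok, 2)
    dst, _ = _addr_spec(tok, i)
    return action, src, dst

def acl_action(acl: List[str], src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, sn, dn in map(parse_ace, acl):
        if s in sn and d in dn:
            return action
    return "deny"

def leaves_hub_encrypted(crypto_acl: List[str], nat_acl: List[str], src: str, dst: str) -> bool:
    """Inside-to-outside NAT runs before the crypto map on IOS: a flow the NAT ACL permits
    is translated to the WAN address and never matches the crypto ACL."""
    return acl_action(nat_acl, src, dst) != "permit" and acl_action(crypto_acl, src, dst) == "permit"

def mirror(line: str) -> str:
    """The entry the remote peer must carry for this one: same action, endpoints swapped."""
    action, sn, dn = parse_ace(line)
    return f"{action} ip {dn.network_address} {dn.hostmask} {sn.network_address} {sn.hostmask}"

def peers_agree(hub_acl: List[str], spoke_acl: List[str]) -> bool:
    """Phase 2 proxy IDs match only if every hub permit entry has its exact mirror on the spoke."""
    spoke = {parse_ace(l) for l in spoke_acl}
    return all(("permit", dn, sn) in spoke
               for action, sn, dn in map(parse_ace, hub_acl) if action == "permit")

# Hub-side ACLs quoted from the thread.
NAT_EXEMPT_LOCAL = [
    "deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255",
    "permit ip 192.168.7.0 0.0.0.255 any",
]
CRYPTO_180 = ["access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255"]
CRYPTO_180_WITH_CLIENTS = CRYPTO_180 + [
    "access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255"]
CRYPTO_180_SUPERNET = ["access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255"]
# Split-tunnel ACL after the pool move; it doubles as the hub-side view of the client SA.
SPLIT_190_SUPERNET = ["access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255"]
# Constructed spoke-side equivalents of the DLINK's single "remote subnet" field.
SPOKE_FIXED = ["permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255"]
SPOKE_SUPERNET = ["permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.1.255"]
# Hypothetical extra exemption for the moved pool; not suggested anywhere in the thread.
NAT_EXEMPT_LOCAL_FIXED = NAT_EXEMPT_LOCAL[:2] + [
    "deny ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255"] + NAT_EXEMPT_LOCAL[2:]

def report() -> Dict[str, bool]:
    """The checks to run before trusting the tunnel design; True means the flow is encrypted/consistent."""
    return {
        # original config: LAN-to-spoke works, VPN client-to-spoke never enters the tunnel
        "lan_to_spoke": leaves_hub_encrypted(CRYPTO_180, NAT_EXEMPT_LOCAL, "192.168.7.10", "192.168.1.10"),
        "client_to_spoke": leaves_hub_encrypted(CRYPTO_180, NAT_EXEMPT_LOCAL, "192.168.200.100", "192.168.1.10"),
        # first suggestion: hub side is fine, but the spoke cannot mirror the second entry
        "client_to_spoke_extended": leaves_hub_encrypted(CRYPTO_180_WITH_CLIENTS, NAT_EXEMPT_LOCAL, "192.168.200.100", "192.168.1.10"),
        "spoke_agrees_extended": peers_agree(CRYPTO_180_WITH_CLIENTS, SPOKE_FIXED),
        # accepted answer: one /23 entry covers LAN and pool, and the spoke can mirror it
        "spoke_agrees_supernet": peers_agree(CRYPTO_180_SUPERNET, SPOKE_SUPERNET),
        "client_to_spoke_supernet": leaves_hub_encrypted(CRYPTO_180_SUPERNET, NAT_EXEMPT_LOCAL, "192.168.6.100", "192.168.1.10"),
        # caveat: LAN-to-client traffic gets PATed unless ACL LOCAL also exempts the new pool
        "lan_to_client_supernet": leaves_hub_encrypted(SPLIT_190_SUPERNET, NAT_EXEMPT_LOCAL, "192.168.7.10", "192.168.6.100"),
        "lan_to_client_supernet_fixed": leaves_hub_encrypted(SPLIT_190_SUPERNET, NAT_EXEMPT_LOCAL_FIXED, "192.168.7.10", "192.168.6.100"),
    }

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:30s} {'ok' if ok else 'NOT ok'}")
```

Run it as a script and the report shows the sequence of the thread: client-to-spoke fails with the original ACL 180, the first suggestion fixes the hub but leaves the spoke without a mirror entry, and the /23 rewrite satisfies both peers. The last two entries are the practitioner's caveat: the existing "deny ip 192.168.7.0 ... 192.168.200.0" line in ACL LOCAL exempts the old pool only, so after moving the pool to 192.168.6.0/24 the hub-LAN-to-client direction would be PATed to the WAN address unless a matching exemption for 192.168.6.0/24 is added as well.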
