IPsec site-to-site VPN and Cisco VPN Client routing problem

Answered Question

Hello,

I am really stuck with configuring an IPsec site-to-site VPN (hub to spoke, multiple spokes) with Cisco VPN Client remote access to this VPN.

The problem is with remote access (Cisco VPN Client access): I can communicate with the hub LAN, but I also need communication to all spoke LANs from the Cisco VPN Client.

On the spokes there is no Cisco hardware; they are DLINK routers.

Somebody told me it is possible to use NAT to translate the remote access clients to a hub LAN IP and so allow communication, but I am unable to configure it and get it working.

Can somebody help me please?

Thank you

Peter





SPOKES: not Cisco devices / another vendor

HUB Cisco 1841 HSEC:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key x address xx no-xauth
!
crypto isakmp client configuration group x
 key x
 pool vpnclientpool
 acl 190
 include-local-lan
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set 1cisco
!
crypto map ETH0 client authentication list userauthen
crypto map ETH0 isakmp authorization list groupauthor
crypto map ETH0 client configuration address respond
crypto map ETH0 1 ipsec-isakmp
 set peer x
 set transform-set 1cisco
 set pfs group2
 match address 180
crypto map ETH0 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/1
 description $ES_WAN$
 crypto map ETH0
!
ip local pool vpnclientpool 192.168.200.100 192.168.200.150
!
ip nat inside source list LOCAL interface FastEthernet0/1 overload
!
ip access-list extended LOCAL
 deny   ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
!

Jennifer Halim (Cisco Employee) Mon, 08/16/2010 - 14:46

Both the crypto ACL for the site-to-site VPN and the split tunnel ACL for the Cisco VPN Client need to have the respective ACL line added.

Based on the configuration, I believe you have the following:

Local subnet: 192.168.7.0/24
Remote subnet: 192.168.1.0/24
VPN Client subnet: 192.168.200.0/24

ACL 180 is used as the site-to-site VPN crypto ACL; you would need to add the following:

access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

On the remote DLINK router, you would also need to add the corresponding mirror image ACL:

access-list xxx permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

Then on the split tunnel ACL 190, you would also need to add the following:

access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

Hope that helps.

Hello,

Thank you for your help. I have altered the ACLs:

ip access-list extended LOCAL
 ! local lan - remote lan A
 deny   ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 ! local lan - vpn client
 deny   ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 ! vpn client - remote lan A
 deny   ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
! local lan - vpn client
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
! remote lan A - vpn client
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
!
! local lan - remote lan A
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
! vpn client - remote lan A
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

But I cannot reach the remote LAN A from the Cisco VPN Clients.

The remote LAN routers are not Cisco devices; they are low-end DLINK VPN routers with a web GUI. I cannot configure the reverse ACL on them. I think that's the problem.

Is it somehow possible to use NAT to translate the remote access VPN clients to a local LAN IP and so reach the remote LAN A?

Thank you

Correct Answer
Jennifer Halim (Cisco Employee) Tue, 08/17/2010 - 01:29

How was the DLINK configured for the traffic between the site-to-site VPN subnets? Are you able to add multiple remote subnets on the DLINK? If you can, then you need to add the VPN Client pool subnet.

Alternatively, if you can't add multiple subnets on the DLINK router, you can change the VPN Client pool to 192.168.6.0/24, and on the crypto ACL between the site-to-site VPN peers you need to change the existing ACL 180

FROM:

access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

TO:

access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

Then also change the split tunnel ACL 190

FROM:

access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

TO:

access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

Lastly, change the DLINK remote subnet from 192.168.7.0/255.255.255.0 to 192.168.6.0/255.255.254.0.

Hope that helps.
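As an added illustration of the two replies above (the mirror-image requirement in the first, the 192.168.6.0/23 supernet in the second), here is a small Python check that is not from the thread or from Cisco: it converts IOS wildcard ACEs to prefixes, models a GUI spoke as a single local/remote subnet pair, and lists the hub crypto ACEs that pair cannot mirror. The ACL lines are those posted in the thread; the function names and the single-pair spoke model are my own assumptions.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network.
    IOS wildcards are inverted masks: 0.0.0.255 -> /24, 0.0.1.255 -> /23."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no single prefix")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_ace(line):
    """Parse a numbered extended ACE of the form used in this thread:
    'access-list N permit ip SRC SRC_WC DST DST_WC' -> (N, src_net, dst_net)."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    return f[1], wildcard_to_network(f[4], f[5]), wildcard_to_network(f[6], f[7])

def hub_encrypts(crypto_acl, src_ip, dst_ip):
    """True if the hub's crypto ACL selects the flow src -> dst for the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for _, src, dst in map(parse_ace, crypto_acl))

def unmirrored(hub_acl, spoke_remote, spoke_local):
    """Assumed spoke model: a GUI router with one 'remote subnet' and one 'local
    subnet' can only negotiate the proxy pair remote <-> local. Return the hub
    ACEs that pair does not cover (hub encrypts them, spoke has no matching SA)."""
    remote, local = ipaddress.ip_network(spoke_remote), ipaddress.ip_network(spoke_local)
    return [ace for ace in hub_acl
            if not (parse_ace(ace)[1].subnet_of(remote) and parse_ace(ace)[2].subnet_of(local))]

# Constructed from the thread: hub LAN 192.168.7.0/24, spoke LAN A 192.168.1.0/24.
ACL180_TWO_LINES = [  # hub LAN plus the original client pool 192.168.200.0/24
    "access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255",
]
ACL180_SUPERNET = [  # pool moved to 192.168.6.0/24; one /23 ACE covers pool and LAN
    "access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255",
]

if __name__ == "__main__":
    # The hub encrypts client traffic either way, so the hub is not the blocker.
    print(hub_encrypts(ACL180_TWO_LINES, "192.168.200.101", "192.168.1.10"))
    # Spoke limited to one remote subnet (192.168.7.0/24): the pool ACE is unmirrored.
    print(unmirrored(ACL180_TWO_LINES, "192.168.7.0/24", "192.168.1.0/24"))
    # Spoke remote subnet widened to 192.168.6.0/23: nothing is left unmirrored.
    print(unmirrored(ACL180_SUPERNET, "192.168.6.0/23", "192.168.1.0/24"))
```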
