Access other subnets connected through IPSec tunnels from a VPN client

Feb 7th, 2012

At site A, I have a SA520W with site-to-site connections to sites B, C, D and E. From within the office I can ping all of the remote subnets. Using the Cisco VPN client and connecting to the router at site A, I would like to be able to access the subnets from B, C, D and E. Can this be done by adding additional VPN polices for the IPSec client?

brierleyIT Fri, 02/17/2012 - 08:46

I have tried adding static routes on both the client and router but have not had success. Is this a configuration issue or a device limitation? The dynamically assigned IP addresses on the SA520W under the VPN configuration cannot be associated with a VLAN.

brierleyIT Fri, 02/17/2012 - 11:28

Thanks for the response. Here is my configuration in more detail. The remote access VPN policy on the SA520W is using mode config with a range of (Split Tunnel is also enabled).

jasbryan Mon, 02/20/2012 - 09:08
User Badges:
  • Silver, 250 points or more


Don't think IPSec is going to work for you as you're hoping. You can try SSL VPN, since with SSL VPN we can add client routes for the IPSec VPN connection. This is really what you are needing to do. When the VPN connection connects, it needs to be able to add routes to the other subnets. SSL VPN is the only split-tunneling capable of adding route information to remote user connections.


brierleyIT Tue, 02/21/2012 - 06:03

Is this a limitation on the SA520W? When I connect with the IPSec client and observe the secured routes I see the local subnet and there is also (this is the default VLAN assigned to the cisco-quest wireless network). How is that route being published to the IPSec client?

rmanthey Tue, 02/21/2012 - 06:56
User Badges:
  • Bronze, 100 points or more

Hello Doug,

Jason is right, SSL VPN will work and has been tested, but I do think IPsec should work as well; we have just not tested this function as of yet. What does the tunnel configuration look like for the site-to-site tunnels?

Do you have one IPSEC policy per IKE tunnel or two?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

brierleyIT Tue, 02/21/2012 - 07:24

Hello Randy,

The site-to-site tunnel A-B has 2 IPSec policies:

1. Local Traffic -> Remote Traffic

2. Local Traffic (from mode config range) -> Remote Traffic

The remote access VPN for site A has 1 IPSec policy:

1. Local Traffic -> Remote Traffic "Any"

Let me know if you would like me to send the config file.
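A way to check the three places a client-to-spoke packet has to match an IPsec policy (the split-tunnel client's secured routes, the hub's site-to-site policy, and the spoke's policy), as an added example that is not from the thread or from Cisco. It models generic IPsec traffic-selector matching with constructed subnets, not the SA520W's actual behaviour, which the thread leaves unresolved; the site B policies are an assumed mirror of the site A ones posted above.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing; the thread does not give its real ranges.
SITE_A = ip_network("10.1.0.0/24")        # LAN behind the SA520W at site A (hub)
SITE_B = ip_network("10.2.0.0/24")        # LAN at site B (spoke)
POOL = ip_network("192.168.200.0/24")     # mode-config range handed to IPsec clients
ANY = ip_network("0.0.0.0/0")             # the "Any" remote selector from the thread

def matches(policies, src, dst):
    """Return the first (local, remote) policy whose selectors cover src -> dst."""
    src, dst = ip_address(src), ip_address(dst)
    return next(((l, r) for l, r in policies if src in l and dst in r), None)

def trace(client, target, hub_ra, hub_s2s, spoke_s2s):
    """List the selector checks a client -> target packet fails on its way
    through the hub. hub_ra are the hub's remote-access policies (their local
    selectors become the split-tunnel client's secured routes), hub_s2s the
    hub's site-to-site policies, spoke_s2s the spoke's policies as the spoke
    sees them. An empty list means every hop has a matching policy."""
    failures = []
    # 1. A split-tunnel client only encrypts traffic to its secured routes.
    if not any(ip_address(target) in local for local, _ in hub_ra):
        failures.append("client: target not in secured routes, sent in the clear")
    # 2. The hub must re-encrypt the decrypted client packet toward the spoke,
    #    so the client pool has to be a local selector of a site-to-site policy.
    if matches(hub_s2s, client, target) is None:
        failures.append("hub: no site-to-site policy with the pool as local selector")
    # 3. The spoke must accept the pool as a remote selector, or it drops the
    #    decrypted packet as not matching any policy and cannot route the reply.
    if matches(spoke_s2s, target, client) is None:
        failures.append("spoke: no policy with the pool as remote selector")
    return failures

CLIENT, TARGET = "192.168.200.5", "10.2.0.10"
HUB_S2S = [(SITE_A, SITE_B), (POOL, SITE_B)]   # the two A-B policies from the thread
SPOKE = [(SITE_B, SITE_A), (SITE_B, POOL)]     # assumed mirror image at site B

def as_posted():
    """Remote-access policy covers only the hub LAN, as described in the thread."""
    return trace(CLIENT, TARGET, [(SITE_A, ANY)], HUB_S2S, SPOKE)

def with_spoke_subnet_in_ra():
    """Same, with site B's subnet also pushed to the client as a secured route."""
    return trace(CLIENT, TARGET, [(SITE_A, ANY), (SITE_B, ANY)], HUB_S2S, SPOKE)

if __name__ == "__main__":
    print("as posted:", as_posted() or "all hops match")
    print("with B in RA policy:", with_spoke_subnet_in_ra() or "all hops match")
```

Running it with the policies as posted reports the first failure: the client never sends site B traffic into the tunnel because site B is not among its secured routes.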


brierleyIT Tue, 06/26/2012 - 08:58

This is still presently an unresolved issue for me, and I have more time to work on it now. Does anyone have a solution using the IPSec VPN client?

brierleyIT Mon, 07/30/2012 - 13:21

Can hairpinning be configured/enabled on the SA520W to resolve this issue?

brierleyIT Wed, 09/12/2012 - 06:58

Would enabling RIP v2 help out in this scenario to advertise/publish the routes to the other networks through the remote access connection? I also have a layer 3 Cisco SF300-24 switch that sits behind the SA520W.

janickle Mon, 09/17/2012 - 04:22
User Badges:
  • Bronze, 100 points or more

Hi Doug,

RIP, as well as other routing protocols, uses multicast traffic to populate its routing table. Without a GRE tunnel or some type of virtual interface the routing traffic will not cross the IPSec tunnel.

It looks like it's been a while since this thread was looked at. If you would like, I would be happy to dive into it a bit deeper to give you a definitive answer on whether or not this can be done on the SA500s. I will be out of the office until Friday but I will definitely take a look at it when I get back.

Thank you,

Jason Nickle

brierleyIT Thu, 09/20/2012 - 05:28

Jason, that would be great if you could take a look at this for me. I look forward to your response.

janickle Mon, 09/24/2012 - 01:48
User Badges:
  • Bronze, 100 points or more

Hi Doug,

I have been unable thus far to successfully get this working with just the IPSec VPN. Based on my testing so far I do not see any evidence to believe that this is possible with the SA5XX via IPSec alone.

Jason Nickle
