Access other subnets connected through IPSec tunnels from a VPN client

Unanswered Question
Feb 7th, 2012

At site A, I have a SA520W with site-to-site connections to sites B, C, D and E. From within the office I can ping all of the remote subnets. Using the Cisco VPN client and connecting to the router at site A, I would like to be able to access the subnets from B, C, D and E. Can this be done by adding additional VPN polices for the IPSec client?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
brierleyIT Fri, 02/17/2012 - 08:46

I have tried adding static routes on both the client and router but have not had success. Is this a configuration issue or a device limitation? The dynamically assigned IP addresses on the SA520W under the VPN configuration cannot be associated with a VLAN.

brierleyIT Fri, 02/17/2012 - 11:28

Randy,

Thanks for the response. Here is my configuration in more detail. The remote access VPN policy on the SA520W is using mode config with a range of 192.168.12.100-.254 (Split Tunnel is also enabled).

jasbryan Mon, 02/20/2012 - 09:08

Doug,

Don't think IPSec is going to work for you as you're hoping. You can try SSL/Vpn since SSL vpn we can add client routes for the IPSec vpn connection. This is really what you are needing to do. When the vpn connection connects it's needs to be able add routes to the other subnet's. SSL/Vpn is the only split-tunneling cable of adding route information to remote user connections.

Jasbrayn

brierleyIT Tue, 02/21/2012 - 06:03

Is this a limitation on the SA520W? When I connect with the IPSec client and observe the secured routes I see the local subnet 10.10.0.0 and there is also 192.168.25.0 (this is the default VLAN assigned to the cisco-quest wireless network). How is that route being published to the IPSec client?

rmanthey Tue, 02/21/2012 - 06:56

Hello Doug,

Jason is right SSL VPN will work and has been tested, but I do think IPsec should work as well we have just not tested this function as of yet. What is the tunnel configuration look like for the site to site tunnels?

Do you have one IPSEC policy per IKE tunnel or two?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

brierleyIT Tue, 02/21/2012 - 07:24

Hello Randy,

The site-to-site tunnel A-B has 2 IPSec policies:

1. Local Traffic 10.10.0.0/24 -> Remote Traffic 10.0.0.0/24

2. Local Traffic (from mode config range) 192.168.12.0/24 -> Remote Traffic 10.0.0.0/24

The remote access VPN for site A has 1 IPSec policy:

1. Local Traffic 0.0.0.0 -> Remote Traffic "Any"

Let me know if you would like me to send the config file.

Doug

brierleyIT Tue, 06/26/2012 - 08:58

This is still presently an unresolved issue for me, and I have more time to work on it now. Does anyone have a solution using the IPSec VPN client?

brierleyIT Mon, 07/30/2012 - 13:21

Can hairpinning be configured/enabled on the SA520W to resolve this issue?

brierleyIT Wed, 09/12/2012 - 06:58

Would enabling RIP v2 help out in this scenario to advertise/publish the routes to the other networks through the remote access connection? I also have a layer 3 Cisco SF300-24 switch that sits behind the SA520W.

janickle Mon, 09/17/2012 - 04:22

Hi Doug,

RIP as well as other routing protocols uses multicast traffic to populate its routing table.  Without a GRE tunnel or some type of virtual interface the routing traffic will not cross the IPSec tunnel. 

It looks like it’s been a while since this thread was looked at.  If you would like I would be happy to dive into it a bit deeper to give you a definitive answer on whether or not this can be done on the SA500’s.  I will be out of the office until Friday but I will definitely take a look at it when I get back.

Thank you,

Jason Nickle 

brierleyIT Thu, 09/20/2012 - 05:28

Jason, that would be great if you could take a look at this for me. I look forward to your response.

janickle Mon, 09/24/2012 - 01:48

Hi Doug,

I have been unable thus far to successfully get this working with just the IPSec VPN.  Based on my testing so far I do not see any evidence to believe that this is possible with the SA5XX via IPSec alone.

Jason Nickle

Actions

Login or Register to take actions

This Discussion

Posted February 7, 2012 at 10:19 AM
Stats:
Replies:13 Avg. Rating:
Views:4855 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard