Hairpinning / client-to-client VPN traffic on IOS routers?

thiland
Level 3

Does anyone know if IOS-based VPN routers are capable of "hairpinning" remote access VPN user traffic using the Cisco VPN Client?

I want to configure connectivity for client-to-client VPN traffic via a dynamic crypto map on the IOS router VPN termination point; however, the only docs I've seen are for VPN Concentrators and PIX 7.0.

I'm looking for the IOS-equivalent of this PIX 7.0 feature:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450beb.html#wp1042114

Thanks!

6 Replies

I am also looking for this capability, but more for a remote client VPNing to their "home" branch office and then being able to access resources at the main location, hairpinning at the branch. Using IOS-based routers.

I've done this on IOS routers, it does work.

In my case I had the IOS routers running the firewall, so had to allow the VPN client pool address range through to each subnet the Client needed access to.

Also on the site2site tunnel crypto ACL's you need to permit the VPN client pool range access to the main location's subnet.

I used static routes pointing back out of the VPN client terminating router to allow access to remote sites.

Thanks. That was the news I was looking for. Is there the possibility that you could share a sanitized version of your configs?

Have a look at the attached file. It allows a VPN client to make a connection to a router, then allows the traffic from the client pool to traverse over the L2L tunnel. As it has an ACL on the Internet side you need to allow the unencrypted networks through this ACL, although I have read that later IOS modified this requirement. This was a 12.2 version configuration I think!

The issue I had was allowing the pool address range access to all the required networks via all the ACL's. In this case there are 3: the crypto, the NAT and the one on the outside interface. This router should work with CBAC (firewall) as well once the ACL's are correct.

I don't see why this wouldn't work for Client to Client as well, although I've never tried it; if you do, post up your results.

Andy

I can see how coming in from a client pool and going out via a GRE tunnel interface would work.

But are you saying that would work on the client-to-client as well?

Hi, I didn't use GRE in my case, just IPSec protected networks specified in the ACL's. If I had used GRE it would be easier to set up though.

I've not tried it client-to-client, although if both clients have an open session to the VPN router it may well work. The problem I see with client-to-client is that the session is always opened from the client first.

In the client configuration details the pre-shared key uses a wildcard for the address; the peer is dynamically allocated at connection time. Due to the use of the wildcard address and the fact that there is no configured peer, it's not possible to make an outgoing connection to the client.

Also the client runs a stateful firewall package bundled into the VPN client. So if you configured the VPN router and client with static IP addresses known in advance (included in the key with a peer statement as well) I'm sure you still would not be able to make a call to the client.

Some experimentation is required here.
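As an added example (not Andy's attached file, which is not on this page, nor any Cisco sample config), here is a constructed IOS fragment for the branch router that shows the three ACLs Andy lists (crypto, NAT and outside interface) with the client pool permitted through each, plus the split-tunnel ACL that would need to carry the pool itself for the untested client-to-client case discussed in the last post. Assumed lab addressing: branch LAN 192.168.1.0/24, main-site LAN 192.168.2.0/24, client pool 10.10.10.0/24, outside address 203.0.113.1 with the main-site peer at 203.0.113.2; local usernames, the inside interface and the main site's mirror configuration are omitted.

```cisco
ip local pool VPNPOOL 10.10.10.1 10.10.10.254
aaa new-model
aaa authentication login VPNAUTH local
aaa authorization network VPNGROUP local
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Static peer for the L2L tunnel; the client group uses a wildcard-style group key
crypto isakmp key L2L-PSK-PLACEHOLDER address 203.0.113.2
crypto isakmp client configuration group VPNGROUP
 key GROUP-PSK-PLACEHOLDER
 pool VPNPOOL
 acl 120
crypto ipsec transform-set TS esp-3des esp-sha-hmac
! Dynamic map for the VPN Clients; reverse-route installs a host route per connected client
crypto dynamic-map DYNMAP 10
 set transform-set TS
 reverse-route
crypto map CMAP client authentication list VPNAUTH
crypto map CMAP isakmp authorization list VPNGROUP
crypto map CMAP client configuration address respond
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 110
crypto map CMAP 20 ipsec-isakmp dynamic DYNMAP
! Split-tunnel ACL pushed to clients: branch LAN, main LAN and the pool itself (client-to-client)
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
! 1. Crypto ACL for the L2L tunnel: branch LAN and the client pool to the main site
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
! 2. NAT ACL: exempt pool and LAN traffic bound for the main site from overload PAT
access-list 100 deny   ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
! 3. Outside ACL: IKE/ESP plus the cleartext flows older IOS re-checks after decryption
access-list 101 permit udp any host 203.0.113.1 eq isakmp
access-list 101 permit esp any host 203.0.113.1
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
 ip nat outside
 crypto map CMAP
```

The main-site router's crypto ACL must mirror ACL 110 (its LAN to both 192.168.1.0/24 and 10.10.10.0/24) or the L2L SA for the pool will never negotiate; `show crypto ipsec sa` on both ends is the quickest way to confirm the pool-to-main-site proxy identities are up.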