Cisco Support Community
Community Member

Not so private VPN IPSec Lan-to-Lan

Client has a mobile office/RV with public servers which need to be available no matter where in the country they are dispatched. In order to eliminate several issues with DNS and other configurations, the client wants the public IP's of these servers to remain the same. The office only visits major cities, and to keep costs down they will order a land line (most likely DSL) for the months the office will remain in one city.

I thought it would be a simple task to set up a CVPN3005 concentrator at his corporate office and use a CVPN3002 HW Client in the RV. With this setup, the only thing that changes when the RV moves is the client-side concentrator IP address.

I believe my major problem with getting this to work centers around the IP Scheme and routing issues. I have been able to get the tunnel up several times, but it only routes one way or the other.

I have two IP ranges available (not actual IP's for security reasons): with a subnet with a subnet

It seemed that the public and private sides of the 3005 wanted to be on different networks. It did not like to subnet part of the private network to the tunnel. (ie: private= with a VPN tunnel to

I am beginning to think that I need THREE networks, one for the Public side of the 3005, one for the Private side of the 3005, and one for the tunneled public addresses at the 3002.

I'm open to other suggestions on how to get this thing working...

Thanks in advance!


Corporate Office with nailed down public IP's:

  Public Side
  CVPN3005 Concentrator
  Private Side

  Internet Cloud

Moveable location:

  Public Side (Changeable IP)
  CVPN3002 HW Client
  Private Site (Tunneled from Corp - Public IP's)

Community Member

Re: Not so private VPN IPSec Lan-to-Lan

Well, from my understanding of the question, I guess split tunneling would be the solution. Do you have split tunneling already enabled? I am not able to comprehend the need for a third network. With split tunneling, the tunnel would be initiated only if there is a need to connect to the Corporate network. When users are browsing the Internet the traffic would be normally sent.

Community Member

Re: Not so private VPN IPSec Lan-to-Lan

We're actually trying to tunnel public addresses. Split tunneling is working for standard internet browsing. The corporate office has two sets of subnets from their ISP: one network has 254 IP's (/24), the other has 510 IP's (/22). We need to tunnel some of these public addresses to a host that moves frequently. Using the tunnel, we eliminate changing many items like DNS, host IP's, etc.; if we just have to change the IP's of the VPN connections, things would be easier.

The third network comes into play because the 3002 concentrator did not seem to like the fact that its public and private interfaces were on the same network. The VPN tunnel does not route if the private interface of the concentrator is on the same network as the destination of the tunnel.

I've been doing some looking and see the articles on overlapping networks, but I don't believe that will work with the 3005 HW client on the other side of the tunnel. I would have to have a 3002 concentrator on each side of the VPN, each doing NAT-IPsec.

I was looking for some other ways this could be done with existing equipment - 3002 concentrator and 3005 HW client.
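The routing problem described in this thread (the tunnel not forwarding when the tunneled destination overlaps the subnet bound to the concentrator's private interface) is easy to catch before touching the concentrators. The following is an added example, not code from the thread or from Cisco: it uses only Python's standard `ipaddress` module to flag overlapping prefixes in a LAN-to-LAN addressing plan and to carve the "three network" layout out of two provider blocks. The addresses are constructed from the RFC 5737 documentation ranges, since the real allocation was withheld; the role names are hypothetical labels.

```python
"""Check a LAN-to-LAN addressing plan for overlapping prefixes.

Constructed addresses from the RFC 5737 documentation ranges; the real
provider blocks in the thread were deliberately withheld.
"""
from ipaddress import ip_network


def overlapping_pairs(networks):
    """Return every pair of role names in `networks` whose prefixes overlap.

    `networks` maps a role name (e.g. "3005 private") to an IPv4Network.
    A LAN-to-LAN tunnel only forwards cleanly when the tunneled destination
    prefix is disjoint from the prefixes bound to the concentrator's own
    interfaces, so every pair returned here is a routing problem to fix
    before bringing the tunnel up.
    """
    names = list(networks)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a].overlaps(networks[b]):
                conflicts.append((a, b))
    return conflicts


def check_plan(plan):
    """Parse a {role: cidr} plan and return its overlapping role pairs."""
    nets = {role: ip_network(cidr, strict=False) for role, cidr in plan.items()}
    return overlapping_pairs(nets)


def propose_three_networks(block_a, block_b):
    """Carve the 'three network' layout from two provider blocks.

    block_a is split in half for the 3005's public and private sides;
    block_b is handed whole to the 3002 site as the tunneled public range.
    Returns a {role: cidr} plan that check_plan() reports as conflict-free.
    """
    a = ip_network(block_a)
    b = ip_network(block_b)
    public_half, private_half = a.subnets(prefixlen_diff=1)
    return {
        "3005 public": str(public_half),
        "3005 private": str(private_half),
        "tunneled to 3002": str(b),
    }


# Two-network layout: the tunneled range is carved out of the 3005's
# private-side subnet, which is the arrangement the thread says does not route.
TWO_NETWORK_PLAN = {
    "3005 public": "198.51.100.0/24",
    "3005 private": "203.0.113.0/24",
    "tunneled to 3002": "203.0.113.128/25",
}

# Three-network layout built from the same two (constructed) provider blocks.
THREE_NETWORK_PLAN = propose_three_networks("198.51.100.0/24", "203.0.113.0/24")

if __name__ == "__main__":
    for label, plan in (("two networks", TWO_NETWORK_PLAN),
                        ("three networks", THREE_NETWORK_PLAN)):
        conflicts = check_plan(plan)
        print(f"{label}: {'OK' if not conflicts else conflicts}")
```

Running it reports the private-side/tunneled overlap for the two-network plan and no conflicts for the three-network plan, which is the layout the original post was converging on. The same check applies to the 3002 end: its own public and private interface subnets should appear as roles in the plan too, so that an overlap on either side of the tunnel is caught.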
