Cisco Support Community
New Member

Two IPSec clients can't connect to each other. PIX525 and Cisco VPN client

Hi,

My scenario is that I have two VPN clients on the same subnet, without split tunneling, establishing a tunnel on the same DMZ interface of a PIX 525. The fact is that I manage to ping everywhere I want but I cannot ping the tunnel's IP address of the other client!

The reason I need to do that is because I'm trying to establish softphone voice calls between both clients, but I only wish to allow it to users who are secure, hence the tunnel. The CallManager is on another DMZ and both tunnel IPs are being NATed during call setup, which is working. Everything fails when the softphones are "told" to speak to each other, since they cannot communicate. I think that this is due to the fact that by design a stream isn't supposed to come back in through the same interface it went out of. I believe that the point here (the voice is just an extra) is being able to ping the other client's tunnel IP address.

Is that possible? How?

Everything works fine when I establish a call between clients connected to different interfaces, and even when I have the same situation (on another DMZ) but without IPSec.

Is there any recommended way of dealing with voice traffic with a PIX and IPSec?

For example not encrypting only the voice packets?

I still haven't faced any performance issues, only a delay when encrypting voice with IPSec.

As I understand it, if I use split tunneling in order to do that (the PIX is NOT the default gateway of that network), my network becomes vulnerable and the voice traffic won't be redirected to the CallManager.

Any help would be greatly appreciated.

Thanks

Gustavo

2 REPLIES
Cisco Employee

Re: Two IPSec clients can't connect to each other. PIX525 and Ci

This won't work with a PIX. As you've mentioned, the PIX won't route traffic received on one interface back out that interface, and for two VPN clients to communicate with each other that is what would have to happen. No way around it unless, as you've mentioned, you terminate the VPN clients on different interfaces, but this gets messy.

Split tunnelling won't help in this scenario either, and I don't see how it would help with latency either. And yes, split tunnelling is seen as being less secure than all-tunnelling, since with split tunnelling, when the tunnel is up, the PC is still contactable via its physical address. If someone can take over that PC then they also have full access to your internal network over the VPN.
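As an added illustration, not part of this thread or of the poster's configuration, of the two client policies the reply above compares: on a PIX 6.x the remote-access client group is defined with vpngroup commands, and split tunnelling is switched on by attaching an access list to the group; leaving that line out gives tunnel-all, the mode the original poster is running. The group name "clients", the pool, the internal subnet and the DNS address are constructed placeholders, and the ISAKMP, crypto map and sysopt statements the client group also needs are omitted.

```text
: Constructed example (not from this thread). PIX 6.x vpngroup settings;
: group name, pool, subnet and DNS server are placeholders.

: Address pool handed to connecting VPN clients
ip local pool vpnpool 10.2.2.1-10.2.2.50

: Split-tunnel ACL. On a PIX the "source" side is the protected network:
: only traffic to 10.1.1.0/24 goes through the tunnel, everything else
: leaves the PC in the clear, and the PC stays reachable on its physical
: address while the tunnel is up. This is the less secure setting.
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 any

: Client group WITH split tunnelling (weak setting)
vpngroup clients address-pool vpnpool
vpngroup clients dns-server 10.1.1.10
vpngroup clients split-tunnel split_tunnel
vpngroup clients idle-time 1800
vpngroup clients password ********

: Client group with tunnel-all (the mode the thread recommends keeping):
: identical, except that no split-tunnel ACL is attached, so every packet
: from the client enters the tunnel and the PIX policy applies to all of it.
: vpngroup clients address-pool vpnpool
: vpngroup clients dns-server 10.1.1.10
: vpngroup clients idle-time 1800
: vpngroup clients password ********
```

The tunnel-all group is shown commented out because both variants share the group name; in practice you keep one of the two. Tunnel-all does not change the hairpin limitation described in the reply: traffic between two clients on the same interface is still dropped, it only decides whether the client PC has a second, unencrypted path while the tunnel is up.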

New Member

Re: Two IPSec clients can't connect to each other. PIX525 and Ci

Hi,

Does that mean that my hands are tied? I think so :(

My problem is that I have two simulated sites with wireless (one "secure" with LEAP, and the other insecure, which is the reason for using IPSec), and I manage to make calls between them, but the basic functionality of calling between two hosts on the insecure site I can't do.

Has anyone ever encrypted voice with IPSec and got in trouble? Are there any suggested ways of doing it?

Thanks
