New Member

Access other subnets connected through IPSec tunnels from a VPN client

At site A, I have a SA520W with site-to-site connections to sites B, C, D and E. From within the office I can ping all of the remote subnets. Using the Cisco VPN client and connecting to the router at site A, I would like to be able to access the subnets from B, C, D and E. Can this be done by adding additional VPN polices for the IPSec client?

13 REPLIES
New Member

Access other subnets connected through IPSec tunnels from a VPN

I have tried adding static routes on both the client and router but have not had success. Is this a configuration issue or a device limitation? The dynamically assigned IP addresses on the SA520W under the VPN configuration cannot be associated with a VLAN.

Bronze

Access other subnets connected through IPSec tunnels from a VPN

New Member

Re: Access other subnets connected through IPSec tunnels from a

Randy,

Thanks for the response. Here is my configuration in more detail. The remote access VPN policy on the SA520W is using mode config with a range of 192.168.12.100-.254 (Split Tunnel is also enabled).

Silver

Re: Access other subnets connected through IPSec tunnels from a

Doug,

I don't think IPSec is going to work for you as you're hoping. You can try SSL VPN, since with SSL VPN we can add client routes for the IPSec VPN connection. This is really what you need to do. When the VPN connection comes up it needs to be able to add routes to the other subnets. SSL VPN is the only split-tunneling option capable of adding route information to remote user connections.

Jasbrayn

New Member

Re: Access other subnets connected through IPSec tunnels from a

Is this a limitation on the SA520W? When I connect with the IPSec client and observe the secured routes I see the local subnet 10.10.0.0 and there is also 192.168.25.0 (this is the default VLAN assigned to the cisco-quest wireless network). How is that route being published to the IPSec client?

Bronze

Re: Access other subnets connected through IPSec tunnels from a

Hello Doug,

Jason is right, SSL VPN will work and has been tested, but I do think IPsec should work as well; we have just not tested this function as of yet. What does the tunnel configuration look like for the site-to-site tunnels?

Do you have one IPSEC policy per IKE tunnel or two?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

New Member

Re: Access other subnets connected through IPSec tunnels from a

Hello Randy,

The site-to-site tunnel A-B has 2 IPSec policies:

1. Local Traffic 10.10.0.0/24 -> Remote Traffic 10.0.0.0/24

2. Local Traffic (from mode config range) 192.168.12.0/24 -> Remote Traffic 10.0.0.0/24

The remote access VPN for site A has 1 IPSec policy:

1. Local Traffic 0.0.0.0 -> Remote Traffic "Any"

Let me know if you would like me to send the config file.

Doug
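The policies Doug lists are policy-based IPsec: a packet is only carried by a tunnel when its inner source/destination pair matches one policy's local/remote selectors, and a split-tunnel client only encrypts traffic whose destination falls inside one of the secured routes it has been given. The following is an added model of those two checks, written for this thread; it is not code from the post or from the SA520W, and it does not claim to be the reason Doug's setup fails. The client address 192.168.12.101, the treatment of "0.0.0.0"/"Any" as a match-all selector, and the list of site A local networks are assumptions for the example; the subnets and the two A-B policies are the ones the post names.

```python
import ipaddress

# Constructed from the thread; not a configuration dump from the SA520W.
CLIENT_ADDR = "192.168.12.101"   # assumed: one address from the mode-config pool 192.168.12.100-.254
# Secured routes the client reported earlier in the thread (site A LAN and the guest VLAN).
CLIENT_SECURED_ROUTES = ["10.10.0.0/24", "192.168.25.0/24"]
# Networks local to site A (assumed: LAN plus the guest VLAN named in the thread).
SITE_A_LOCAL = ["10.10.0.0/24", "192.168.25.0/24"]

# Site A's two IPsec policies on the A-B tunnel, as the post lists them: (local, remote).
SITE_A_TO_B_SPD = [
    ("10.10.0.0/24", "10.0.0.0/24"),
    ("192.168.12.0/24", "10.0.0.0/24"),
]


def net(selector):
    """Turn a traffic selector into a network; 'Any' or a bare 0.0.0.0 covers everything (assumed)."""
    if selector.lower() in ("any", "0.0.0.0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(selector, strict=False)


def contains(selector, addr):
    """True when addr falls inside the selector."""
    return ipaddress.ip_address(addr) in net(selector)


def client_encrypts(dst, secured_routes):
    """Split tunnel: only destinations inside a secured route go down the client tunnel."""
    return any(contains(r, dst) for r in secured_routes)


def trace(dst, secured_routes=CLIENT_SECURED_ROUTES, spd=SITE_A_TO_B_SPD, client=CLIENT_ADDR):
    """Follow one packet from the VPN client towards dst and report where it ends up."""
    if not client_encrypts(dst, secured_routes):
        # The client never sends this into the tunnel, so the A-B policies are never consulted.
        return ("CLEARTEXT", "client has no secured route for %s; sent via its own default route" % dst)
    if any(contains(n, dst) for n in SITE_A_LOCAL):
        return ("LOCAL", "delivered on a site A network")
    for local, remote in spd:
        # Policy-based IPsec: the inner src/dst pair must match one policy's selectors.
        if contains(local, client) and contains(remote, dst):
            return ("SITE_TO_SITE", "forwarded over A-B by policy %s -> %s" % (local, remote))
    return ("NO_POLICY", "reached site A but no site-to-site policy matches src %s" % client)


if __name__ == "__main__":
    for dst in ("10.10.0.5", "10.0.0.5"):
        print(dst, trace(dst))
    # What changes once the client is also told that 10.0.0.0/24 is secured.
    print("10.0.0.5 with route pushed:", trace("10.0.0.5", CLIENT_SECURED_ROUTES + ["10.0.0.0/24"]))
```

Running it shows the two independent conditions: a destination in site B's subnet is sent in the clear by the client until 10.0.0.0/24 appears in its secured routes, and once it does, site A still needs the second policy (local 192.168.12.0/24) for the mode-config source address to match on the A-B tunnel. Whether the SA520W can push that extra route to the IPsec client is exactly the open question in the thread.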

New Member

Access other subnets connected through IPSec tunnels from a VPN

This is still presently an unresolved issue for me, and I have more time to work on it now. Does anyone have a solution using the IPSec VPN client?

New Member

Access other subnets connected through IPSec tunnels from a VPN

Can hairpinning be configured/enabled on the SA520W to resolve this issue?

New Member

Access other subnets connected through IPSec tunnels from a VPN

Would enabling RIP v2 help out in this scenario to advertise/publish the routes to the other networks through the remote access connection? I also have a layer 3 Cisco SF300-24 switch that sits behind the SA520W.

New Member

Access other subnets connected through IPSec tunnels from a VPN

Hi Doug,

RIP, as well as other routing protocols, uses multicast traffic to populate its routing table. Without a GRE tunnel or some type of virtual interface the routing traffic will not cross the IPSec tunnel.

It looks like it's been a while since this thread was looked at. If you would like, I would be happy to dive into it a bit deeper to give you a definitive answer on whether or not this can be done on the SA500s. I will be out of the office until Friday but I will definitely take a look at it when I get back.

Thank you,

Jason Nickle 

New Member

Access other subnets connected through IPSec tunnels from a VPN

Jason, that would be great if you could take a look at this for me. I look forward to your response.

New Member

Re: Access other subnets connected through IPSec tunnels from a

Hi Doug,

I have been unable thus far to successfully get this working with just the IPSec VPN. Based on my testing so far I do not see any evidence to believe that this is possible with the SA5XX via IPSec alone.

Jason Nickle
