Help with 1921 ISR Easy VPN Remote w/ access to Easy VPN Site to Site

bos3476
Level 1

I have two 1921 ISR routers configured with a site to site Easy VPN.  I have configured each ISR's VPN ACLs so that all the private networks at each site can communicate with the other site's private networks.   I have one of the 1921 ISRs also configured as an Easy VPN Server.

Problem: when a remote user connects to the Easy VPN Server, the user can only access the private networks at the VPN Server site.  I have added the IP network which is used for the remote users (i.e. the Easy VPN Server IP pool) to each 1921's VPN ACL, but the remote user still cannot access the other site's private networks over the site to site VPN, and vice versa.

Problem:  I also have a problem with the Easy VPN Server not placing a static host route in its routing table once it establishes a remote connection to the remote user and provides the remote user with an IP address from the VPN Server IP pool.  The VPN Server only performs this task the first time the user connects.  If the user disconnects and reconnects, the VPN Server router does not put the static host route back in its routing table for the new IP address given on the subsequent connect.

Any help is appreciated.

Thx,

Greg

5 Replies

Hi,

If I understand correctly one of your problems is to allow communication of one VPN tunnel through another VPN tunnel.

i.e.

LAN A --- Router A  ---- Internet ------ Router B ---- LAN B

                                              ------ Router C ---- LAN C

In the above example you want LAN C to access LAN B via the VPN connection that both sites have to Router A?

If the VPN configuration, NAT and routing is correct, then check the IPsec SAs to see if they are establishing.

i.e.

If LAN C can communicate with LAN A, this is because there's an IPsec SA being built between both subnets.

Check on router A with the command ''sh cry ips sa'' if there's an SA being built for traffic from LAN C to LAN B

Federico.

Thanks Federico for your reply.

The topology is:

LAN A ----- Router A -------  Internet ------- Router B ----- LAN B       (connection between LAN A and LAN B is site to site VPN)

                                           |

                                           |

Remote User ----------------------                                                     ( remote user accesses LAN A via the VPN Server on Router A)

There is no NATing.  Private LAN IP networks do not overlap between sites and remote users.  I cannot NAT as I am doing SIP VoIP calls between sites.

Problem is that even after adding the Remote User's IP network (which is from an IP pool the router A VPN server uses) to the ACLs of the site to site VPNs, the remote user can still only access LAN A, he can not access LAN B.

This may have something to do with the issue:  I have seen that on ASA routers one must issue the command "same-security-traffic permit intra-network" to allow the security traffic entering Router A to exit Router A towards Router B (aka VPN hairpin).   I have yet to determine what the comparable command is on an ISR router.

Greg

Hello Greg,

The ASAs require the ''same-security-traffic permit intra-interface'' to allow hairpinning traffic but the routers allow hairpinning by default (there's no need for an equivalent command).

So, the VPN clients can access LAN A but cannot access the remote LAN B across the Site-to-Site.

You've added the VPN client pool to the ACL for the interesting traffic to the Site-to-Site.

You should also add the remote LAN B to the split-tunneling ACL for the VPN clients (assuming you're using split-tunneling).

In other words, the VPN configuration on router A for the VPN clients should allow the remote LAN B in the traffic allowed for the VPN clients.

You can check the above and do the following test:

1. Try to connect from the VPN client to the remote LAN B.

2. Check the ''sh cry ips sa'' for the VPN client connection and verify if there's an SA being built between the pool and remote LAN B.

Federico.
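The fix Federico describes, written out as an added IOS configuration sketch (not from the original thread or from Greg's routers). Addresses are assumed: LAN A 192.168.1.0/24 behind Router A, LAN B 192.168.2.0/24 behind Router B, client pool 10.10.10.0/24; the group name, pool name and ACL names are placeholders.

```cisco
! ===== Router A: Easy VPN Server and site-to-site peer for Router B =====
ip local pool EZVPN_POOL 10.10.10.1 10.10.10.254
!
! Split-tunnel ACL pushed to the clients. The second line is the missing piece:
! without it the client never sends LAN B traffic into the tunnel at all.
ip access-list extended EZVPN_SPLIT
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
crypto isakmp client configuration group EZVPN_GROUP
 key <group-pre-shared-key>
 pool EZVPN_POOL
 acl EZVPN_SPLIT
!
! Interesting traffic for the site-to-site crypto map toward Router B:
! LAN A -> LAN B plus the client pool -> LAN B (the entry Greg already added).
ip access-list extended S2S_TO_B
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! ===== Router B: exact mirror of Router A's site-to-site ACL =====
! Router B also needs a route for 10.10.10.0/24 out its crypto-mapped
! interface (a default route to the Internet is enough).
ip access-list extended S2S_TO_A
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! ===== Verification on Router A after a client pings a host in LAN B =====
! show crypto ipsec sa
!   - under the client peer: local ident 192.168.2.0/24, remote ident 10.10.10.x/32
!   - under the Router B peer: local ident 10.10.10.0/24, remote ident 192.168.2.0/24
!   Non-zero "pkts encaps/decaps" on both SAs means the hairpin is working.
```

If only the client-side SA appears, the site-to-site ACLs still disagree between the two routers; if neither appears, the split-tunnel ACL is not being pushed (check with "show crypto session detail" on Router A).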

Federico,

I added a split tunneling ACL to the VPN Server which included LAN A and LAN B networks.  My remote users are now able to access LAN B.

Thx,

Greg

Greg,

Glad I could help.

Thanks for the rating.

Federico.