Community Member

Route internet traffic via IPSec VPN


I have just configured an IPSEC VPN between our head office and one of our remote offices. The main purpose of this VPN is to route ALL traffic from the remote office via our head office and then on to the internet. This way we can control all traffic originating from the remote office from our firewall in the main office. However, this is only a temporary solution and we will eventually be installing a separate firewall in the remote office.

The problem I’m facing is that I cannot seem to find any information related to our setup. From what I understand IPSEC is mainly used to connect two offices, not used to route all traffic over it. The second problem I’m facing is that at the moment my two offices are using different subnets. At the remote office I have one subnet of and at my main office I use I was hoping to be able to use the same subnet at the remote office as I do in my main office. The reason I want to do this is because I have a “Captive portal” located at my main office. This “Captive portal” will only work in NAT-mode so I would like to use my router at the main office as a DHCP server for both offices.

At the moment my access-lists look like this:
Main office: permit ip

Remote office: permit ip

I was hoping to change the access-list on the remote office router to:

permit ip

in order to force all traffic over the VPN. Will this work or do I need to match that access-list on router in the main office?

Hopefully this makes sense!

Cisco Employee

Re: Route internet traffic via IPSec VPN

You can definitely change the crypto ACL from subnet-specific to any. However, you would need to change the ACL on both ends as follows:

Main office: permit ip any

Remote office: permit ip any

However, you cannot have the same local subnet on your main office LAN and your remote office LAN. Each subnet needs to be unique, as VPN is L3.

Hope that helps.

Community Member

Re: Route internet traffic via IPSec VPN

Thanks for that!

However, it doesn't really solve my issues. I suspected that I would have to change my access-lists on both sides, and that's fine, but how do I specify that traffic originating from destined for the "internet" does not go towards

Can I use static routes in my main office to tell the router where the packets coming from the VPN should go?

Cisco Employee

Re: Route internet traffic via IPSec VPN

Traffic towards the internet from will not be affected because the crypto ACL is only going towards the subnet. The will be included in the "any" in your crypto ACL. So traffic from towards will be encrypted, and towards the Internet will go out as per normal routing.
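The answer above hinges on two things: the crypto ACLs on the two routers must be mirror images, and a flow is encrypted only if it matches the ACL at the end it leaves from. The following is an added example, not code from the thread: it parses IOS-style `permit ip` entries (wildcard masks and `any`), classifies sample flows, and reports a mismatch when one end would encrypt what the other end would not. The subnets are placeholders from RFC 5737 documentation space, since the real ones are not on the page.

```python
from ipaddress import ip_address, ip_network

def parse_ace(line):
    """Return (src_net, dst_net) for one 'permit ip ...' entry; 'any' -> 0.0.0.0/0.
    Only contiguous wildcard masks (the usual case) are supported."""
    tokens = line.split()
    assert tokens[:2] == ["permit", "ip"], line
    rest, nets = tokens[2:], []
    while rest:
        if rest[0] == "any":
            nets.append(ip_network("0.0.0.0/0"))
            rest = rest[1:]
        else:
            addr, wildcard = rest[0], rest[1]
            # IOS wildcard mask is the bitwise inverse of a subnet mask
            mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
            nets.append(ip_network(f"{addr}/{mask}"))
            rest = rest[2:]
    src, dst = nets
    return src, dst

def matches(acl, src, dst):
    """True if the flow src->dst is selected for encryption by this crypto ACL."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in a and d in b for a, b in map(parse_ace, acl))

def tunnel_decision(local_acl, peer_acl, src, dst):
    """Classify a flow leaving the side that holds local_acl and check that the
    peer's ACL selects the return traffic the same way.
    Returns 'encrypt', 'clear', or 'mismatch'."""
    outbound = matches(local_acl, src, dst)
    returning = matches(peer_acl, dst, src)  # peer sees the mirrored flow
    if outbound != returning:
        return "mismatch"
    return "encrypt" if outbound else "clear"

# Constructed placeholder subnets (RFC 5737); the thread's real ones are not shown.
REMOTE_LAN = "192.0.2.0 0.0.0.255"
MAIN_LAN = "198.51.100.0 0.0.0.255"
REMOTE_ACL = [f"permit ip {REMOTE_LAN} any"]          # remote: send everything via VPN
MAIN_ACL = [f"permit ip any {REMOTE_LAN}"]            # main: the mirror image
OLD_MAIN_ACL = [f"permit ip {MAIN_LAN} {REMOTE_LAN}"]  # main left subnet-to-subnet

if __name__ == "__main__":
    print(tunnel_decision(REMOTE_ACL, MAIN_ACL, "192.0.2.10", "203.0.113.5"))
    print(tunnel_decision(MAIN_ACL, REMOTE_ACL, "198.51.100.20", "203.0.113.5"))
    print(tunnel_decision(REMOTE_ACL, OLD_MAIN_ACL, "192.0.2.10", "203.0.113.5"))
```

With the old subnet-to-subnet ACL still on the main router, remote-to-Internet traffic is encrypted by the remote end but has no matching entry on the main end, which is the mismatch the answer warns about.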
