Client to gateway VPN tunnel cannot access all subnets

c.r.pearce
Level 1

My company has two locations connected via a site to site VPN tunnel (IKE with preshared key).  Site A is on 192.168.84.0/24 and Site B is on 192.168.85.0/24.  Both sites use Cisco RV325 routers.  Internal users are able to access resources located at either site.

Next, I created IPSec client to gateway VPN tunnels on each of the routers.  I am able to establish VPN connections to both sites and access the internal network via IP addresses and hostnames.

The problem I am having is that I cannot successfully access both sides of the network when connected.  For example, if I connect to Site A (192.168.84.0/24), I can only communicate with devices on that subnet (i.e., 192.168.84.XXX).  I cannot access anything on Site B's subnet (192.168.85.0/24).  Ping attempts to hostnames and IP addresses at Site B fail entirely.  Alternatively, if I connect to Site B, I can access its subnet, but I can't communicate with anything on Site A's subnet.

I have tested a myriad of access rules and static routes to try and negotiate traffic between the two subnets, but nothing has seemed to work.  If necessary, both RV325 routers are running firmware v1.1.1.06.  Any assistance provided will be greatly appreciated.

Thank you and take care.

7 Replies

From one RV325, have you done a ping to the other RV325 using the diagnostic tools?

Let's assume the RV325 addresses are .1

So from, say, the 192.168.84.1 RV325, can you ping 192.168.85.1?

If yes, can you ping any other device on the 192.168.85.xx network? If no, is the gateway set up correctly on the 192.168.85.xx DHCP settings?

HTH

Richard

I appreciate the response, Richard.

Continuing along with your example, yes, those pings are successful.  I can log in to one RV325 (192.168.84.1) and ping the other router (192.168.85.1) as well as other active devices on that subnet using the diagnostic tool.  This works from the other router, too.  It is likely facilitated by the site to site VPN tunnel.

This is probably something small and simple, but I've stared at the configurations so much now that the solution is not popping out at me.

Were you able to resolve this issue? I have a similar problem with my setup.

I have a site-to-site (gateway-to-gateway) VPN setup and can access all resources locally.

I also set up a client-to-site on 1 router. When connecting from the client, I am able to access all resources on site A (the site I'm connected to) but can't access any on site B through the gateway-to-gateway setup.

I'm wondering if I need to add anything to the routing table or check some box somewhere to make it work...

My client VPN is set up in FullTunnel mode, so I figured all packets will be routed through the VPN correctly... any help is appreciated...

I have not been able to resolve this yet.  I, too, have assumed that something would need to be added to the routing table.  However, I also assumed that the site-to-site VPN tunnel would facilitate traffic between the two subnets automatically for external VPN users.

Unfortunately, other priorities have gotten in the way of me fixing this issue.  As I said in an earlier post, it is likely something simple that I continue to overlook.  Hopefully being away from this project for three months will provide me with a fresh set of eyes to tackle it when I have time in the coming weeks.

- Chris

dks.itservices
Level 1

Good Morning c.r.pearce

I too am using a Cisco RV325 router. I just created a client to gateway EasyVPN connection and was able to establish a VPN connection via Cisco VPN Client.

In your post you said "I am able to establish VPN connections to both sites and access the internal network via IP addresses and hostnames."

Can you outline exactly how you configured your router and clients to achieve this? Thank you in advance.

dks.itservices,

Each router has a group VPN (IPSec) set up.  On the client side, though, I've been forced to create two VPN connections, one for each router.  In my head, though, I should only have to create a connection to one of the routers and, once connected, be able to browse both subnets.

I'm just now getting back into this, so my hope is to have a solution soon.  Any assistance you can provide would be helpful.

- Chris

Hello,

What does the access list that is applied in your crypto map look like? It is probably easier if you post the configurations of both RV325 routers. Since you can successfully access the other site, but not local clients, my guess is that there is a problem with the configuration of the crypto map(s).
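
The last reply asks which traffic the tunnel's access list matches. As an added example (not from the thread or from Cisco), this models each gateway's site-to-site selectors with the two subnets given above and checks whether a flow is covered in both directions. The client address 10.10.10.5 and range 10.10.10.0/24 are assumptions, since the thread does not say what address the VPN client uses.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One IPsec tunnel policy as seen from one gateway."""
    name: str
    local: ipaddress.IPv4Network    # selector for addresses behind this gateway
    remote: ipaddress.IPv4Network   # selector for addresses behind the peer

def covering(policies, src, dst):
    """Name of the first policy whose selectors cover src -> dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.local and d in p.remote:
            return p.name
    return None

def check_flow(near, far, src, dst):
    """A flow needs the near gateway to cover src -> dst and the far gateway
    to cover the reply dst -> src; report both halves."""
    out, back = covering(near, src, dst), covering(far, dst, src)
    return {"outbound": out, "return": back, "ok": bool(out and back)}

def net(cidr):
    return ipaddress.ip_network(cidr)

# Site-to-site selectors using the two subnets from the thread.
SITE_A = [Policy("s2s", net("192.168.84.0/24"), net("192.168.85.0/24"))]
SITE_B = [Policy("s2s", net("192.168.85.0/24"), net("192.168.84.0/24"))]

# Constructed what-if: the same tunnel with the assumed client range on both ends.
CLIENTS = net("10.10.10.0/24")  # assumption, not from the thread
SITE_A_WIDE = SITE_A + [Policy("s2s-clients", CLIENTS, net("192.168.85.0/24"))]
SITE_B_WIDE = SITE_B + [Policy("s2s-clients", net("192.168.85.0/24"), CLIENTS)]

if __name__ == "__main__":
    for label, a, b, src in [
        ("LAN host at Site A", SITE_A, SITE_B, "192.168.84.20"),
        ("VPN client via Site A", SITE_A, SITE_B, "10.10.10.5"),
        ("VPN client, widened selectors", SITE_A_WIDE, SITE_B_WIDE, "10.10.10.5"),
    ]:
        print(label, check_flow(a, b, src, "192.168.85.1"))
```

A flow that is covered on only one gateway still fails, which is why the check reports the outbound and return halves separately.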