Beginner

Exclude host from Ipsec tunnel

Hi,

We use a Cisco 800 router to connect our branch office with the HQ.

The internet connection is established over an ISP router. On the Cisco router we have two VLAN interfaces: VL1 with 192.168.1.1/24, where all the clients are located.

VL2 with 10.10.1.1/24 is the ISP network with the modem inside.

On the Cisco we use "crypto ipsec client ezvpn client", so all traffic goes over the tunnel. The default route is 0.0.0.0 0.0.0.0 10.10.1.2 <-- modem.

I want to join the VL2 network and connect to the ISP modem in that network.

Is that possible?

Cando

VIP Mentor

Re: Exclude host from Ipsec tunnel

> ...VL2 network and connect to the ISP modem in that network.


VL2 (means VLAN2? What is that IP range?). The route is fine. In the VPN you can only add interesting traffic to be encrypted; the rest will take the default route to the ISP internet.

BB
*** Rate All Helpful Responses ***
Beginner

Re: Exclude host from Ipsec tunnel

Hi BB,

Correct, VL2 means VLAN2. On the interfaces, FE1 is VLAN1 and FE2 is VLAN2, which is the transfer network 10.10.1.0/24 with the ISP modem 10.10.1.2 inside. I can ping 10.10.1.1 but not the 10.10.1.2 ISP modem.

Here is the config:


ip source-route
crypto ipsec client ezvpn client
connect auto
group branch-office key 6 xxxxxxxx
mode network-extension
peer 1.2.3.4 default
xauth userid mode interactive
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
switchport access vlan 2
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip flow ingress
ip virtual-reassembly
no ip route-cache cef
ip tcp adjust-mss 1432
crypto ipsec client ezvpn client inside
!
interface Vlan2
ip address 10.10.1.1 255.255.255.252
ip mtu 1472
ip flow ingress
ip virtual-reassembly
!

no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.1.2
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!

ip access-list extended ACL-VPN
permit ip 192.168.0.0 0.0.255.255 192.168.1.0 0.0.0.255
!

logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark ACL-VPN Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
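To make BB's rule concrete, the following added example (my own code, not from the thread or from Cisco) evaluates flows against a Cisco-style wildcard-mask ACL: a flow matching a permit entry is interesting traffic and is encrypted, anything else takes the default route. It uses ACL-VPN exactly as posted above plus a constructed, hypothetical branch-side ACL that excludes the 10.10.1.0/30 transfer network; on an EzVPN client the effective split-tunnel list is pushed by the EzVPN server, so this models only the match logic, not where the router's policy comes from.

```python
import ipaddress

# ACL-VPN exactly as posted in the thread; note it is written with 192.168.x.x
# sources and 192.168.1.0/24 destinations, i.e. the HQ-to-branch direction.
ACL_VPN_POSTED = "permit ip 192.168.0.0 0.0.255.255 192.168.1.0 0.0.0.255"

# Constructed, hypothetical branch-side list: the ISP transfer /30 (Vlan2 mask is
# 255.255.255.252 in the posted config) is denied, so 10.10.1.2 stays on the default
# route; branch LAN -> HQ 192.168.0.0/16 is permitted, i.e. encrypted.
ACL_VPN_BRANCH = """
deny   ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.3
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
"""

def wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco address/wildcard pair -> network (wildcard 1-bits are 'don't care')."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def _address_spec(tok, i):
    """Parse 'any', 'host A' or 'A W' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_net(tok[i], tok[i + 1]), i + 2

def parse_acl(text: str):
    """Parse 'permit|deny <proto> <src> <dst>' lines; blanks and remarks are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        src, i = _address_spec(tok, 2)
        dst, _ = _address_spec(tok, i)
        entries.append((tok[0], src, dst))
    return entries

def is_interesting(acl_text: str, src_ip: str, dst_ip: str) -> bool:
    """BB's rule: first matching entry wins; no match is an implicit deny, so the
    flow is not encrypted and follows the default route (10.10.1.2 here)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in parse_acl(acl_text):
        if s in src and d in dst:
            return action == "permit"
    return False
```

Evaluated from a branch client, ACL-VPN as posted matches nothing, because its destination side is the branch's own 192.168.1.0/24; only the reverse direction (an HQ 192.168.x.x source to a branch host) matches.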