IPsec Between Two Routers and a Cisco VPN Client

Petar Milanov
Level 1

Hi all,

I have this situation

[Image: topology.JPG]

The configuration of it is explained in this document

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml


But what I am trying to do is to access the 10.10.20.0/24 network from the Cisco VPN Client user. I have tried many configuration options but I still have no success.

Is that even possible?

Because when you create a site-to-site VPN tunnel you configure an access list for the encrypted traffic. For this situation there is an access-list on Cisco 2611:

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255


and for Cisco 3640:

access-list 100 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

So how then will the traffic coming from the Cisco VPN client be encrypted and sent over the site-to-site tunnel?

Any ideas and answers are highly appreciated!

Thank you!


4 Replies

rahgovin
Level 4

First make sure that the 10.10.20.x subnet is part of the split tunnel policy if you are using split tunnel.

What subnet does the VPN client pool lie in? The 10.10.10.x subnet, or is it a different subnet?

If it is in a different subnet you will need to add that subnet to the interesting traffic on both routers accordingly.

If it is the same subnet, you need to u-turn the traffic to the outside interface. For that you can use route-maps to route traffic to a loopback (having a nat inside) and then exempt that traffic from being natted when it goes out through the outside interface. This will basically mean the traffic from the VPN client will be like any other traffic from the 10.10.10.x subnet.

Hi, thank you very much for your answer!

I have no control over the second router (the one on the lower side of the picture), and that is why I need to configure the VPN client pool to be from the 10.10.10.x network. What does it mean:

"you need to u-turn the traffic to the outside interface. For that you can use route-maps to route traffic to a loopback (having a nat inside) and then exempt that traffic from being natted when it goes out through the outside interface."

Can you give an example config?

Thanks!

Hi rahgovin,

I have tried with the loopback interface as you suggested.

I have configured a loopback as below:

int loopback 1
 ip address 192.168.140.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

Then I configured a route-map pointing to the loopback 1 as next-hop:

route-map vpn-client permit 10
 match ip address 195
 set ip next-hop 192.168.140.1

access-list 195 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

After that I attached the PBR to the interface:

int fa 1
 ip policy route-map vpn-client
 ip nat outside

ip nat inside source list 101 interface fa 1 overload

access-list 101 permit ip 172.16.0.0 0.0.0.255 any

(access-list 101 covers another network that has to be NATed to have internet access)

I think that I do not have to include the 10.10.10.0/24 network in access-list 101, because we do not need to NAT this traffic but just to pass it to interface fa 1 again, right?

What I noticed is that the VPN clients from the 10.10.10.x pool are forwarded to the loopback 1 interface by route-map vpn-client, but after that the traffic is not forwarded to interface fa 1 again. It just stays on the loopback 1 interface.

Where am I wrong?
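For reference, the u-turn arrangement rahgovin describes, assembled here as an added example; it is not either poster's configuration. Interface names, ACL numbers and the 192.168.140.0/24 loopback follow the thread; the next-hop 192.168.140.2 is an assumed unused address inside the loopback subnet, chosen instead of the loopback's own address so the router forwards the packet through Loopback1 and routes it a second time rather than treating it as addressed to itself.

```cisco
! Added example (not from the thread): PBR u-turn for decrypted
! VPN-client traffic so it re-enters as "inside" traffic, is left
! untranslated, and is routed back out Fa1 into the site-to-site tunnel.
interface Loopback1
 ip address 192.168.140.1 255.255.255.0
 ip nat inside
!
! Interesting traffic for the u-turn: client pool -> remote LAN.
access-list 195 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
! Assumed next-hop: a spare address in the loopback subnet, not the
! loopback address 192.168.140.1 itself.
route-map vpn-client permit 10
 match ip address 195
 set ip next-hop 192.168.140.2
!
! NAT policy: explicitly exempt client -> remote LAN, translate the rest.
access-list 101 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet1 overload
!
! Outside interface: PBR applied to traffic arriving here (including
! packets just decrypted from a VPN client); the existing crypto map
! for the site-to-site tunnel stays on this interface unchanged.
interface FastEthernet1
 ip policy route-map vpn-client
 ip nat outside
!
! Crypto ACL already on the 2611 per the thread; the u-turned packet
! must match it when it leaves Fa1 the second time.
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
```

With this arrangement a packet from a VPN client to 10.10.20.x is policy-routed through Loopback1, re-enters the router as inside traffic, is denied by the NAT ACL and so left untranslated, and is then routed normally out Fa1 where crypto ACL 100 selects it for the site-to-site tunnel.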

Just to close this case, I made it work another way. Because I have two internet-facing ports to two different ISPs, I configured the VPN clients to connect via one ISP and the site-to-site VPN to be established over the other ISP.

Anyway thanks for your reply!