07-04-2007 11:03 PM
My project involves SOHO 871 routers connecting to a headend 3845 router over an unencrypted MPLS network for data communication. The client PCs behind the 871 router at each remote site need to run the Cisco VPN client and connect to the headend 3845 so that they can access information behind the core 6506 switch.
To minimize the setup, I would like to prepare a single VPN profile for all remotes. Therefore, I plan to use the lo0 interface for VPN termination. However, I found that when the VPN connection is up over the lo0 interface, the remote client PC can "ping" lo0 only and cannot "ping" any other IP address. When I establish the connection to an interface IP address on the 3845 router instead, the connection works fine.
I have attached my VPN config and the diagram. Can anyone help?
07-09-2007 05:30 AM
Hi there,
You need to change your split-tunnel ACL to:
ip access-list extended FEHD_VPN
remark *** Outbound VPN client traffic ***
permit ip 10.0.0.0 0.255.255.255 10.65.215.0 0.0.0.255
Note: I am not sure what the purpose of 'permit ip host 0.0.0.0 host 0.0.0.0' is.
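As an added illustration (not part of this thread and not Cisco code), the following Python script applies IOS wildcard-mask matching to the two ACL entries under discussion: the corrected FEHD_VPN list above and the 'permit ip host 0.0.0.0 host 0.0.0.0' entry. It assumes that the source side of the split-tunnel ACL is the networks behind the headend and the destination side is the VPN client address pool (10.65.215.0/24 is taken from the reply; the list name HOST_ZERO_EXAMPLE and the sample flows are constructed). It shows that the `host` keyword means a 0.0.0.0 wildcard, i.e. an exact address match, so `host 0.0.0.0 host 0.0.0.0` permits only the 0.0.0.0 to 0.0.0.0 pair under ordinary ACL matching, whereas `any any` would cover every flow.

```python
import ipaddress
from typing import List, Tuple

# One ACL entry: (source, source-wildcard, destination, destination-wildcard)
Entry = Tuple[str, str, str, str]

# Constructed sample: the corrected split-tunnel ACL from the reply above.
FEHD_VPN_TEXT = """\
ip access-list extended FEHD_VPN
 remark *** Outbound VPN client traffic ***
 permit ip 10.0.0.0 0.255.255.255 10.65.215.0 0.0.0.255
"""

# Constructed sample: the entry the reply asked about, in its own list
# (the list name HOST_ZERO_EXAMPLE is hypothetical).
HOST_ZERO_TEXT = """\
ip access-list extended HOST_ZERO_EXAMPLE
 permit ip host 0.0.0.0 host 0.0.0.0
"""


def _parse_side(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse one address side of a 'permit ip' entry: 'any', 'host A', or 'A W'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1  # every bit is don't-care
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2      # 'host' = wildcard 0.0.0.0, exact match
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Extract the 'permit ip' entries of an IOS extended ACL; header and remarks are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] != "ip":
            continue
        (src, src_wc), i = _parse_side(tokens, 2)
        (dst, dst_wc), _ = _parse_side(tokens, i)
        entries.append((src, src_wc, dst, dst_wc))
    return entries


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(entries: List[Entry], src: str, dst: str) -> bool:
    """First-match evaluation of permit entries; anything unmatched hits the implicit deny."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in entries)


def tunneled_flows(acl_text: str, flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (headend-side address, client address) pairs the split-tunnel ACL covers.

    Assumption: the ACL's source side is the networks behind the headend and the
    destination side is the VPN client address pool, as in the reply's FEHD_VPN entry.
    """
    entries = parse_acl(acl_text)
    return [(s, d) for s, d in flows if acl_permits(entries, s, d)]


# Constructed sample flows: headend-side hosts talking to assigned client addresses.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.65.215.10"),      # core network host -> VPN client
    ("10.200.0.5", "10.65.215.200"),   # another 10/8 host -> VPN client
    ("192.168.1.10", "10.65.215.10"),  # outside 10/8 -> not in the list
    ("10.1.2.3", "172.16.0.9"),        # 10/8 host -> address outside the pool
]

if __name__ == "__main__":
    for name, text in (("FEHD_VPN", FEHD_VPN_TEXT), ("HOST_ZERO_EXAMPLE", HOST_ZERO_TEXT)):
        print(name, "tunnels:", tunneled_flows(text, SAMPLE_FLOWS))
```

Running it lists which sample flows each list classifies as tunneled: FEHD_VPN covers the two 10/8-to-pool flows and nothing else, while the host 0.0.0.0 entry covers none of them. Under these matching rules an entry that matches no real flow contributes nothing to the set of networks the client should send through the tunnel.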
07-12-2007 06:04 AM
Hi,
I tried your advice but it still does not work. Actually, "permit ip host 0.0.0.0 host 0.0.0.0 ...." is for tunnel-all, but the problem remains even if I remove the "ACL...." from the crypto setup. I inspected the VPN client stats in the Cisco VPN client.
08-14-2007 09:11 AM
Hi,
Your reply jogged my memory about the split-tunnel setup.
Thanks
Leon