10-28-2004 03:31 AM
Hi,
can anyone tell me how to configure a VPN Router (1721) so that the VPN Client software connecting to that router can still communicate with the VPN client's local LAN?
PC(VPN Client)---LAN---Router---Internet--VPNRouter
Thank you.
10-29-2004 11:11 AM
You need to allow for split-tunneling.
The doc in the URL below gives an example as part of a troubleshooting tip
http://www.cisco.com/warp/public/707/ipsec_debug.html#comrout
The example is replicated here:
crypto isakmp client configuration group hw-client-groupname
key hw-client-password
dns 172.168.0.250 172.168.0.251
wins 172.168.0.252 172.168.0.253
domain cisco.com
pool dynpool
acl 150
!
!
access-list 150 permit ip 172.168.0.128 0.0.0.127 any
ACL 150 defines interesting traffic that should be going across the IPSec tunnel. Traffic that does not match does not flow through the tunnel. Note that the ACL is defined as being initiated from behind the VPN gateway. In this case the 172.168.0.128/25 network is behind the VPN gateway.
Let's say in your case that the local LAN from the VPN client's perspective is 10.1.1.0/24 and the LAN behind the VPN router (1721) is 10.1.15.0/24. The ACL in the client configuration group parameter is named 176. ACL 176 is coded as follows (IOS access-lists take an address and a wildcard mask, not CIDR notation):
access-list 176 permit ip 10.1.15.0 0.0.0.255 10.1.0.0 0.0.255.255
The VPN client will interpret this as follows: send traffic to 10.1.15.0/24 over the IPSec session, and all local LAN traffic is accessible and stays unencrypted. You will also need to check "Allow Local LAN Access" in the VPN client configuration to make this work.
Let me know if this helps.
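As an added example (not part of the original thread or any Cisco code), the following Python script models how the split-tunnel ACL from the reply above is read by the client: it parses IOS-style `access-list N permit ip SRC WILDCARD DST WILDCARD` lines, converts between CIDR and wildcard notation, lists the networks the client would install as tunneled routes, and decides for a given destination whether the packet is encrypted or stays on the local LAN. It assumes contiguous wildcard masks, first-match evaluation with an implicit deny, and that only the source field of each entry (the network behind the gateway) drives the client's routing; the destination field is parsed but not used for the decision.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class AclEntry(NamedTuple):
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network      # network behind the VPN gateway
    dst: ipaddress.IPv4Network      # destination field (parsed, not used for routing below)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' -> network. The wildcard mask is the bitwise
    inverse of the subnet mask; assumes a contiguous mask (0.0.0.127, 0.0.255.255, ...)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def to_ios_wildcard(cidr: str) -> str:
    """CIDR -> 'address wildcard' as an IOS access-list line expects it."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    # Accepts 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'; returns the network and next index.
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; comments and other lines are skipped."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(tokens[2], src, dst))
    return entries


def tunneled_networks(acl: List[AclEntry]) -> List[str]:
    """Networks the client routes into the IPsec tunnel (what its route list shows):
    the SOURCE side of each permit entry, because the ACL is written from the gateway."""
    return [str(e.src) for e in acl if e.action == "permit"]


def goes_through_tunnel(acl: List[AclEntry], destination: str) -> bool:
    """First-match decision for a packet leaving the client. The client's destination
    is compared with the entry's SOURCE field. No match = implicit deny = stays local, in clear."""
    d = ipaddress.ip_address(destination)
    for e in acl:
        if d in e.src:
            return e.action == "permit"
    return False


# Constructed sample: the ACL from the reply above, in IOS wildcard syntax.
ACL_176 = [
    "! split-tunnel ACL referenced by 'acl 176' in the client configuration group",
    "access-list 176 permit ip 10.1.15.0 0.0.0.255 10.1.0.0 0.0.255.255",
]

if __name__ == "__main__":
    acl = parse_acl(ACL_176)
    print("tunneled networks:", tunneled_networks(acl))
    for dst in ("10.1.15.7", "10.1.1.20", "192.0.2.10"):
        verdict = "IPsec tunnel" if goes_through_tunnel(acl, dst) else "local LAN, unencrypted"
        print(f"{dst} -> {verdict}")
    print("CIDR 172.168.0.128/25 as IOS wildcard:", to_ios_wildcard("172.168.0.128/25"))
```

Running it shows 10.1.15.7 going into the tunnel while 10.1.1.20 (the client's own LAN) and an Internet address stay local; if "Allow Local LAN Access" is not enabled on the client, the local LAN entries would still be blocked by the client regardless of what this ACL says.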
11-01-2004 12:48 AM
Sir, thank you for your help.
However, another problem is that some PCs can access the local LAN while they are using the VPN Client to connect to HQ, but one PC cannot. Is this related to the split tunneling config on the router? As I understand it, according to your sample config, every VPN Client uses the "pool dynpool" for its IP. So every PC will have the same configuration, hence they can all do split tunneling. Am I right?
Or would it be possible for the router to find out the PCs' local IP addresses, so that it can determine which PCs are allowed to do split tunneling and which are not?
11-01-2004 02:31 AM
Split tunneling is normally group based. The split tunneling is configured on the group menu and applies to the whole group. The IP address assignment is also made group-wise. So, if that PC is using the same group as the others, it shouldn't be a problem with split tunneling. It might be a PC-related issue. Can you open the VPN client and see the routes that are installed on it? It will clearly show the IP addresses which will be allowed on the IPSec tunnel. Do let us know about this.
11-02-2004 06:24 AM
I tried to create a simulation with the VPN Client, but it's also not working. Here is the config:
LAN--(F0)VPN1721(s0)--(s1/0)2611(E0/0)----VPNClient
LAN = 10.10.10.0
VPN1721 (F0) = 10.10.10.1
VPN1721 (s0) = 172.18.124.159
2611 (s1/0) = 172.18.124.160
2611 (e0/0) = 64.102.55.140
VPNClient = 64.102.55.142
VPN1721:
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
!
username cisco password cisco
!
crypto isakmp policy 3
authentication pre-share
group 2
!
crypto isakmp client configuration group 3000client
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
!
crypto ipsec transform-set myset esp-des
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
ip address 10.10.10.1 255.255.255.0
!
interface Serial0
ip address 172.18.124.159 255.255.255.0
crypto map clientmap
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip route 64.0.0.0 255.0.0.0 172.18.124.160
!
For the 2611 it is just a simple routing configuration.
The VPN Client gives a notice: "Remote peer is no longer responding."
The output of show crypto isakmp sa:
1721#show crypto isakmp sa
dst src state conn-id slot
172.18.124.159 64.102.55.142 MM_NO_STATE 0 0 (deleted)
Could you help me with this please?
Thank you
Hendarto