05-19-2011 08:22 AM
Hi,
is this setup possible?
I have a PC and I would like to connect to a remote LAN.
PC (using vpn client) ---------vpn(internet)-------> ROUTER1 ----------site to site vpn(MPLS network)-----------> ROUTER2 ----------> SERVER
How can I connect to remote server? Is there an easy way?
I did the configuration for the VPN client (I can connect to router1 and access the local LAN via VPN with 192.168.1.x), but I can't connect to the server, although I put the subnet (192.168.1.x) under the access list for the site-to-site VPN (the access list for traffic that should pass between router1 and router2).
Please advise! Thanks in advance.
05-19-2011 01:49 PM
Yes, it's possible.
1. make sure you include the traffic between vpn client and server in Crypto ACL on both router 1 and router2.
2. make sure on router2, it will route the traffic to vpn client back to router 1.
3. If there is any NAT bypass, make sure the traffic between client and server is included as well.
After you check the above items, you can initiate some traffic from the client to the server, such as a ping, and then use "show crypto ipsec sa" on both routers to check whether the related encrypt/decrypt counters are incrementing. In this way, you can figure out in which direction we might have the issue.
05-19-2011 03:19 PM
Thanks for replying.
So I should put subnet 192.168.133.0/24 under configuration for vpn client (under VNC_acl access list):
crypto isakmp client configuration group VNC_dostop
key xxxxx
dns xxxxx
domain xxxx.xx
pool VNC_pool2
acl VNC_acl
VNC_pool2 has 192.168.133.0/24 assigned.
crypto map cmjavor 115 ipsec-isakmp
set peer xxxxx
set transform-set ts-3d-md5
match address najavorbel
najavorbel access list has:
ip access-list extended najavorbel
original access list rules
permit ip 192.168.133.0 0.0.0.255 xxxxxxxxx 0.0.0.255
I also must exclude the 192.168.133.0/24 subnet from NAT, right?
What should be done on router2?
I am not sure yet whether I will be able to access router2. Is there another way to do this setup if I am not granted access to router2?
Local lan of router 1 already has access to local lan of router 2. Is there another way to do this?
Thanks.
05-19-2011 03:39 PM
It looks like I did not explain it well.
On router1
===================
1. ACL VNC_acl is used for split-tunnel, so you should include server_NET IP there NOT vpn pool IP.
2. ACL najavorbel is used for defining the lan-2-lan traffic between router1 and router2, so you should include
permit ip 192.168.133.0 0.0.0.255
You have to change the router2 crypto ACL to mirror the ACL najavorbel.
The other way to do this is to NAT VPN client's IP to a local lan IP in router1, In this way, you don't need any change on router2. But I have to take a look at your configuration to make suggestion.
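The configuration the two replies above describe (split-tunnel ACL listing the server LAN, the client pool added to the crypto ACL on router1, the mirrored crypto ACL plus return route and NAT exemption on router2, then checking the SA counters) is written out below as an added example. It is not the poster's configuration, which is masked in the thread. The ACL, pool, group and crypto-map names are taken from the thread; the server LAN 192.168.50.0/24, the peer addresses 203.0.113.1/203.0.113.2, the transform-set contents, the outside interface name and the router2 ACL name TO_ROUTER1 are assumptions.

```cisco
! ================= Router1 (VPN server for the remote-access client) =================
! Assumed addressing (the original post masks the server LAN and peers):
!   router1 LAN       192.168.1.0/24
!   VPN client pool   192.168.133.0/24   (VNC_pool2, named in the post)
!   router2 LAN       192.168.50.0/24    (assumed "server_NET")
!   router1 MPLS side 203.0.113.1 / router2 MPLS side 203.0.113.2 (assumed)
!
! Split-tunnel ACL pushed to the VPN client. It lists the networks the client
! should send INTO the tunnel: router1's LAN and the server LAN. The pool the
! client is addressed from does not belong here.
ip access-list extended VNC_acl
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.50.0 0.0.0.255 any
!
! Crypto ACL for the router1 <-> router2 LAN-to-LAN tunnel. The first line is the
! original LAN-to-LAN entry; the second carries client-pool -> server traffic.
ip access-list extended najavorbel
 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.133.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! NAT exemption: anything that enters either tunnel must keep its real address,
! otherwise it no longer matches the crypto ACL and is sent out in the clear.
ip access-list extended NO_NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.133.0 0.0.0.255
 deny   ip 192.168.133.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address NO_NAT
!
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
ip local pool VNC_pool2 192.168.133.1 192.168.133.254
!
crypto isakmp client configuration group VNC_dostop
 key xxxxx
 pool VNC_pool2
 acl VNC_acl
!
! Transform-set contents assumed from its name.
crypto ipsec transform-set ts-3d-md5 esp-3des esp-md5-hmac
!
crypto map cmjavor 115 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ts-3d-md5
 match address najavorbel
!
! ================= Router2 (site-to-site peer in front of the server) =================
! The crypto ACL must mirror najavorbel with source and destination swapped;
! an entry missing here makes router2 drop the client-pool traffic as not
! matching the proxy identities.
ip access-list extended TO_ROUTER1
 permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.133.0 0.0.0.255
!
ip access-list extended NO_NAT
 deny   ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.50.0 0.0.0.255 192.168.133.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 any
!
! Return traffic for the client pool has to leave through the interface that
! carries the crypto map toward router1, or it never gets encrypted.
ip route 192.168.133.0 255.255.255.0 203.0.113.1
!
! Verification, after a ping from the VPN client to the server:
!   Router1# show crypto ipsec sa peer 203.0.113.2
!   Router2# show crypto ipsec sa peer 203.0.113.1
! Look for the SA whose local/remote identities are 192.168.133.0/24 and
! 192.168.50.0/24. Both "#pkts encaps" and "#pkts decaps" should increment on
! both routers; the counter that stays at zero shows which direction is broken.
```

The NAT-exemption entries for the client pool on router1 matter for LAN-to-client traffic (192.168.1.0/24 to 192.168.133.0/24), which passes inside-to-outside; the hairpinned client-to-server packets arrive and leave on the outside interface, so the extra deny line is harmless if inside-source NAT never sees them.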
05-20-2011 05:43 AM
Hey.
Good news! I was able to connect to router2 today. I placed that subnet (from my VPN client) in the router2 access list for the VPN tunnel, and I also put my subnet in the NO_NAT access list, and I have the connection to the server now!! Connection through 2 VPNs, neat!
Thank you for your instructions - really helped a lot! Will rate your post 5/5
05-20-2011 07:37 AM
Great! thanks for your rate.