[c-nsp] VPN Client to 1841, default route into tunnel with exceptions

Brett Looney brett at looney.id.au
Wed Aug 27 20:50:32 EDT 2008


> It now says
> 
> crypto isakmp client configuration group InternClient
>  key onsh4OcyivOafmyodzet
>  dns 10.1.2.11 10.1.2.15
>  wins 10.1.2.11 10.1.2.15
>  domain example.com
>  pool ippool
>  acl DefaultrouteTunnel
>  include-local-lan
> 
> and when I ping 192.168.8.1, I still see the packet going out
> encapsulated in ESP instead of unencrypted on the LAN (the Client's
> LAN ip is 192.168.8.184/24).

Hmmm. Interesting. What does your "DefaultrouteTunnel" ACL look like? Wait -
just dug up your old email:

> ip access-list extended DefaultrouteTunnel
>  permit ip any any

So this is the issue (sorry - should have looked at this earlier) - you need
to put a list of networks here that the client can access. And just to be
confusing, the ACL is from the router's perspective as if the traffic is
outbound. So, if the pool of IP addresses that you're handing out to the
clients is 10.100.100.0/24 then that needs to be the destination address in
the ACL a la:

ip access-list extended DefaultrouteTunnel
 permit x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
 permit y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255

HTH.

B.

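Added illustration, not part of the thread and not the poster's router config: a small Python script that renders a split-tunnel ACL in the form the reply describes (router's outbound perspective, internal network as source, client pool as destination) and models which client destinations the pushed list would tunnel, so you can see why "permit ip any any" encrypts the ping to 192.168.8.1 while an explicit list leaves it on the local LAN. The internal subnets, the pool and the test addresses are constructed values.

```python
import ipaddress

# Constructed values (not from the poster's router): internal subnets and client pool.
INTERNAL_NETS = ["10.1.2.0/24", "10.1.3.0/24"]
CLIENT_POOL = "10.100.100.0/24"

def ios_wildcard(cidr):
    """CIDR prefix -> (network, IOS wildcard mask), e.g. /24 -> 0.0.0.255."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def split_tunnel_acl(name, internal_nets, client_pool):
    """Render the ACL the reply describes: from the router's outbound
    perspective, source = protected network, destination = client pool."""
    pool_addr, pool_wc = ios_wildcard(client_pool)
    lines = [f"ip access-list extended {name}"]
    for cidr in internal_nets:
        addr, wc = ios_wildcard(cidr)
        lines.append(f" permit ip {addr} {wc} {pool_addr} {pool_wc}")
    return lines

def _parse_ace(line):
    """Return [(src, src_wc), (dst, dst_wc)] for a 'permit ip' ACE, else None."""
    toks = line.split()
    if toks[:2] != ["permit", "ip"]:
        return None
    rest, ends = toks[2:], []
    while len(ends) < 2:
        if rest[0] == "any":
            ends.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        else:
            ends.append((rest[0], rest[1]))
            rest = rest[2:]
    return ends

def _wc_match(addr, base, wildcard):
    """IOS wildcard match: a set bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def client_traffic_tunneled(acl_lines, client_ip, dest_ip):
    """Does a packet from the client's pool address to dest_ip enter the tunnel?
    The pushed ACL is applied mirrored: ACE source = remote host, ACE dest = client."""
    for line in acl_lines:
        ace = _parse_ace(line)
        if ace and _wc_match(dest_ip, *ace[0]) and _wc_match(client_ip, *ace[1]):
            return True
    return False  # no match: sent in the clear, e.g. to the client's own LAN
```

With the explicit list, a client at 10.100.100.5 reaching 10.1.2.11 is tunneled and 192.168.8.1 is not; with "permit ip any any" every destination is tunneled, which is the behaviour the original poster saw.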
