[c-nsp] Remote Access to MPLS based VPN

BoXeR piestaga at aster.pl
Tue Feb 15 09:59:43 EST 2005


Hi,

Well, I am not using the split tunneling functionality at all.

What I have noticed is that the behaviour depends on the point of 
terminating the IPSec tunnel.

My CiscoVPNClient always establishes connectivity to the IPSec aggregator on 
the interface that is located in the global routing table, and if:

A) the crypto isakmp profile is configured within a VRF, I cannot access any 
interface within the same VRF on the aggregator router.
But I can access any interface on the other routers where that VRF spreads.

B) the crypto isakmp profile is configured within the global routing table, and 
then there is no problem accessing any interface within the global routing table 
on the aggregator router.

It looks like there is a problem with such a connectivity scenario, OR is it 
the way it works?
Actually this is my question.


In case A) I have debugged the trace and ping between the PC with CiscoVPN 
Client and the aggregator.
I am sure (based on debug crypto engine packet detail) that the echo request is 
arriving at the aggregator but it is not able to send it back to the PC through 
the created IPSec tunnel.

And if I ping the PC from the aggregator (within that VRF) I see that the echo 
request is sent to the PC, and the PC is sending back the echo reply with 
notification "port unreachable".

In case B), where there are no VRFs, I can ping both the PC from the aggregator and 
vice versa.

Any ideas what the reason for that could be?

Thanks in advance
Sebastian


----- Original Message ----- 
From: "Steven" <stevenh at xsmail.com>
To: "BoXeR" <piestaga at aster.pl>
Sent: Tuesday, February 15, 2005 6:56 AM
Subject: Re: [c-nsp] Remote Access to MPLS based VPN


> Hi Sebastian,
>
> I have a setup very much like yours, except I don't configure a loopback 
> on the aggregator router. So I can't confirm the behaviour you see. Only 
> thing I can think of is, when you configure split-tunneling and you don't 
> include the loopback IP address in the ACL used for split-tunneling.
>
> Cheers,
>
> - Steven
>
> BoXeR wrote:
>
>> Thanks Steven,
>>
>> that was exactly what I needed. I could not find such a problem at CCO.
>> Even if I entered "group-lock=1" as a string to search, CCO returned me 
>> only 3 docs.
>>
>> But OK, I have verified that and everything looks great.
>>
>> May I have one more question to you?
>>
>> In my test scenario (shortly described in my previous mail) I am 
>> terminating IPSec sessions within 2 different VRFs.
>> On the same aggregator router I have created 2 loopbacks (each one in 
>> separate VRFs).
>>
>> For some reason, I cannot ping any address within the same VRF until it 
>> is on the aggregator router (IPSec endpoint router).
>> If I expand the VRF to another router, I can access any interface that is 
>> within that VRF.
>>
>> It looks like it is for a security reason (just like the security gateway 
>> is only for terminating the IPSec tunnels) but I would like to know that 
>> for sure.
>>
>> Could you please help me in this matter ?
>>
>> Regards
>> Sebastian
>>
>>
>> ----- Original Message ----- 
>> From: "Steven" <stevenh at xsmail.com>
>> To: "BoXeR" <piestaga at aster.pl>
>> Sent: Monday, February 14, 2005 9:38 PM
>> Subject: [c-nsp] Remote Access to MPLS based VPN
>>
>>
>>> cisco-avpair = "ipsec:group-lock=1"
>>>
>>> will do the trick. Don't have a URL handy but Google or CCO should have 
>>> something.
>>>
>>> - Steven
>>