LAN to LAN VPN - remoting into the matrix from home

Posted on 2016-09-08
Medium Priority
Last Modified: 2016-09-12
Hi All,

We have set up a triangle of LAN-to-LAN VPNs using IPsec. In the offices it all works fine: databases can be retrieved, etc. However, it does not appear to work when you remote in from outside these sites into the matrix.

I have a user or two who like to work from home sometimes and need to access documents and databases from all 3 of these sites. When they client-server VPN into one of the sites, they don't have network and file access to the others. One of the sites is set on 192.168.1.xxx, which is usually what most home networks are set on. However, the other site should have no problem.

The site they VPN into we'll call site 1, site 2 is the site that should have no problem, and site 3 is the 192.168.1.xxx one.

The home user connects to site 1 from home and can access site 1 resources. However, they cannot access site 2 or 3 (like I said, I think I know the reasoning behind site 3). In the office it is all fine. The remote dial-in user is set up on the router. I assume that the user is smart enough to enter his Windows credentials without getting scared of a username and password box; however, this might just be the case.

Any other ideas would be appreciated.
Question by:unrealone1
LVL 10

Expert Comment

by:Muhammad Mulla
ID: 41789271
Initially, I would say try it yourself. Maybe from a cafe Wi-Fi network close by?
LVL 16

Expert Comment

by:Michael Ortega
ID: 41789348
For your remote users you need to configure a hub & spoke design. What your mobile VPN users probably have access to from a NAT/ACL perspective is just the site that they are generating the tunnel to. That same site needs to have rules on it that allow the mobile VPN users to connect to the other sites. The other sites also need to know of the existence of the mobile VPN users' network (if it's a separate network from the main site they are connecting directly to). Of course, as you said, if the mobile VPN users' network overlaps one of the sites, they will not be able to access that site.

LVL 22

Expert Comment

ID: 41789882
Since the first time I ran into the problem with conflicting subnets (192.168.1.x at two locations in this case) I've set up all new networks with something other than the usual subnets (avoid 192.168.1.x, 192.168.0.x, 10.0.x.x, 10.1.x.x).  You can often set up the VPN client to direct ALL traffic through the VPN when connected which will avoid the problem, but that isn't always possible.

Your VPN life will be much easier if you can change the 192.168.1.x network to something else.  Alternately, change the client's network addressing.  This is likely easier in the short run but won't help you with any other client sites.
LVL 14

Expert Comment

ID: 41790002
Change your split tunnel to full tunnel for remote VPN.

Author Comment

ID: 41791191
Hi SIM50,

By full tunnel do you mean the client machine will use the gateway on the remote network?

Thanks for all comments on this
LVL 14

Accepted Solution

SIM50 earned 2000 total points
ID: 41791239
Full tunnel is when all traffic goes through the VPN, not just the traffic destined for the remote network.

To change from split tunnel to full tunnel:
group-policy <YOUR RA POLICY NAME> attributes
 split-tunnel-policy tunnelall

If you would like to change it back, change the keyword "tunnelall" to "tunnelspecified".

Now to provide remote users with internet access, you would have to do NAT, enable hair-pinning and modify the outside interface ACL.

NAT (might be different for your version):
! the network object holds the remote-access address pool
object network RA_VPN_POOL
 subnet <RA VPN POOL NETWORK> <MASK>
nat (outside,outside) after-auto source dynamic RA_VPN_POOL interface

Hair-pinning (allows traffic to make a U-turn):
same-security-traffic permit intra-interface

Outside interface ACL:
! a single "object service" holds only one service line, so both ports go in an object-group
object-group service WEB
 service-object tcp destination eq 80
 service-object tcp destination eq 443
access-list OUTSIDE_IN extended permit object-group WEB object RA_VPN_POOL any
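The following is an added example, not code from the thread: it models which site subnets a remote-access client can reach under the two split-tunnel policies discussed above, given the subnet overlap from the question and the hub & spoke point from the earlier comment. The site subnets, the hub name and the home LAN are constructed sample values.

```python
from ipaddress import IPv4Network

# Constructed sample topology; site 3 sits on the 192.168.1.0/24 that most
# home routers also use, which is the conflict described in the question.
SITES = {
    "site1": IPv4Network("10.10.0.0/16"),    # hub: the site the client dials into
    "site2": IPv4Network("172.16.20.0/24"),
    "site3": IPv4Network("192.168.1.0/24"),
}
HUB = "site1"  # assumed hub name


def overlapping_sites(home_lan, sites=SITES):
    """Names of sites whose subnet collides with the client's local LAN."""
    home = IPv4Network(home_lan)
    return sorted(name for name, net in sites.items() if net.overlaps(home))


def reachable_sites(home_lan, policy, hub_routes_spokes, sites=SITES, hub=HUB):
    """Map each site to a status string for one remote-access client.

    policy: 'tunnelspecified' (split tunnel) or 'tunnelall' (full tunnel),
            the two values of the ASA split-tunnel-policy command.
    hub_routes_spokes: True when the hub carries the RA pool to the spokes
            (NAT/ACL rules plus the pool in the L2L interesting traffic).
    """
    if policy not in ("tunnelspecified", "tunnelall"):
        raise ValueError("unknown split-tunnel-policy: %s" % policy)
    home = IPv4Network(home_lan)
    status = {}
    for name, net in sites.items():
        if policy == "tunnelspecified" and net.overlaps(home):
            # Split tunnel: the client's directly connected route for its own
            # LAN collides with the tunnel route pushed for this site.
            status[name] = "unreachable: subnet overlaps home LAN"
        elif name != hub and not hub_routes_spokes:
            # Hub only lets the RA pool talk to itself; spokes never learn
            # the pool exists, so replies never come back.
            status[name] = "unreachable: hub has no rules for RA pool to spokes"
        else:
            # With tunnelall the client forces every packet into the tunnel,
            # so the overlapping site is reachable (at the cost of the home LAN).
            status[name] = "reachable"
    return status


if __name__ == "__main__":
    home = "192.168.1.0/24"
    print("overlapping sites:", overlapping_sites(home))
    for pol in ("tunnelspecified", "tunnelall"):
        print(pol, reachable_sites(home, pol, hub_routes_spokes=True))
```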

Author Closing Comment

ID: 41794419
I will have to test it out however lots of information thank you very much
