VPN/Split Tunneling problem

[Khurram Malik]

Hi Michael

First of all I am new to this group and your replies attracted me towards this forum, I have couple of issues I am trying to establish a split tunnel between 2 far end sites, Site A has BCM50e with integrated router and Site B has BSR222. Configurations are as follows

Site A:
Local IP Scheme: 192.168.1.0/24
WAN Interface: Public Static IP Address
IP Policy:
             Local: Subnet 0.0.0.0/0.0.0.0
             Remote: Subnet 0.0.0.0/0.0.0.0
ESP
Encryption: 3DES
Authentication: MD5

My IP Address: 0.0.0.0
Secure Gateway: 0.0.0.0

Site B:
Local IP Scheme: 192.168.10.0/24
WAN Interface: Public Dynamic
IP Policy:
             Local: Subnet 192.168.10.0/0.0.0.0
             Remote: Subnet 0.0.0.0/0.0.0.0
ESP
Encryption: 3DES
Authentication: MD5

My IP Address: 0.0.0.0
Secure Gateway: Public Static IP of Site A

1. The tunnel established successfully but i cannot ping either site LAN from LAN.
2. When the tunnel is established I cannot use internet on both sites.
3. When i connect to Site A through Nortel VPN client it works fine but again i cannot use internet.


I will really appreciate your help in this regard. There is no NAT policy I configured on both sides. I also have checked your other posts regarding the 2 issues which are related but for split tunneling I am unable to find the right place to configure and what configuration with the above parameters.

Imp: My scenario and configurations (except fot the IP scheme) are exactly the same as you can in the following link (Page 10)

http://www116.nortel.com/docs/bvdoc/ene_tech_pubs/2007_08_27_BCM50e_BSR222_Secure_Voice__Data_for_Small_Businesses_Teleworking_Solution_Technical_Configuration_Guide_NN48500_508.pdf


Regards

Khurram Malik

[Khurram Malik]

Please see the Page 10 for Topology

[Michael McNamara]

Hi Khurram,

It looks like you're missing some very important information. Your routing is wrong, but I'm going to guess you know that. I'm also going to assume that you removed the public IP addressing of your BCM 50e and BSR 222 (highly recommended).

SITE A = 192.168.1.0/24 (BCM 50e)
SITE B = 192.168.10.0/24 (BSR 222)

Set the following;
  Remote Network on the BCM 50e as 192.168.10.0/24
  Remote Network on the BSR 222 as 192.168.1.0/24

You can't use the Internet because you are routing all traffic (0.0.0.0/0) across the VPN tunnel to the other site. You need to just put the network(s) that you wish to route across the VPN tunnel in the configuration.

I'm attaching a quick diagram... you only want to add those networks that you wish to route across the VPN tunnel.

Hopefully that makes sense.

PS: I've got to make the font bigger in the CSS, this text is way too small...

[Khurram Malik]

You are right Michael I had a Public Static IP on WAn Interface of BSR222 and I had the same configs which you just purposed but unfortunately that link of mine is down. Right now I am using a backup connection on which I have Dynamic Public IP on WAN interface of BSR222.

So i just followed the configurations proposed by Nortel document to configure ABOT between Branch and Main office. IPSec VPN tunnel did created this way but still I am unable to ping each other LAN. It does make sence that routing is wrong to have internet access.

Let me know if i stated my point clearly that I dont have Static IP on WAN interface of BSR222.

[Michael McNamara]

Hmmm... alright then, no static IP address isn't a big problem although one site (at a minimum) will need a static IP address. The other site can have a dynamic IP address and will "call" the site with a static IP address.

You can still continue and following the technical guide you just need to change the remote networks as I stated above. On page 20 of the document you need to substitute the local and remote networks for the values you have in YOUR network. The local network should be a subnet, 192.168.10.0, 255.255.255.0 and the remote network should be a subnet, 192.168.1.0, 255.255.255.0. VERY IMPORTANT don't forget to apply the selected policy by hitting that down arrow button as documented on page 21.

Now you need to change the local and remote networks on the BCM 50e, just swap the values with the local network as 192.168.1.0, 255.255.255.0 and the remote network as 192.168.10.0, 255.255.255.0.

I've uploaded the Technical Configuration Guide to my website since Nortel was blocking access to your link.

http://www.michaelfmcnamara.com/files/2007_08_27_BCM50e_BSR222_Secure_Voice__Data_for_Small_Businesses_Teleworking_Solution_Technical_Configuration_Guide_NN48500_508.pdf

Good Luck!

[Khurram Malik]

Ahhhhhhhhh Michael I wish life could be that simple  . I did what you said only on BCM50e at the moment just wanted to show you the output. Please take a look on the red rectangles when i made the proposed changes.

Thanks

[Michael McNamara]

You are on the BCM 50e?

So you need to make sure the configuration is set as "Aggressive". The My IP Address should be the static public IP address of your BCM 50e and the Secure Gateway Address can stay 0.0.0.0.

On the BSR222 you need to set the My IP Address as 0.0.0.0 and the Secure Gateway Address to the static public IP address of your BCM 50e.

Let us know how you make out.

Thanks,
Mike

[Khurram Malik]

Yes Michael

I am on BCM50e and I changed the MY IP address to our static IP and Secure gateway to 0.0.0.0 but the moment I click to apply the policy its giving me the same error that "Policy cannot bound to the dynamic rule". This is strange.