next hop for a static route - with an IPSEC tunnel

Unanswered Question
Jun 18th, 2007


I have a general question about static routes through an IPSEC tunnel... we tried a next hop for the static route being the other end of the IPsec tunnel... it didn't get entered into the IP routing table. Then we made the next hop the interface which the crypto map is applied to... this kinda worked (at least this time the static route made it into the routing table).

Do you have any guidelines or info regarding the next hop for a static route for which the destination is the IPSEC peer?

Much thanks.

Lisa G

dominic.caron Tue, 06/19/2007 - 10:13


If you are using IPSec tunnels (no GRE)... routes are not mandatory...

Let's say that you've got a router at site 1 and a router at site 2. Those sites are linked by the Internet (ISP). The default routes on those 2 routers point to the ISP. In that case, you don't need to have a static route to the other network. You'll use static to force traffic to go through an interface where your crypto-map is applied if it's not already the default behavior.

The Crypto ACL will decide what goes across the VPN tunnel and the ACL must match (reverse) on each side of the tunnel. Also, make sure you don't NAT the traffic between the two sites if you really don't need to.
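
The mirrored crypto ACL and NAT points from the reply above, as an added example that is not part of the original thread: a Python check run over two constructed IOS config excerpts. The ACL numbers (101 for the crypto ACL, 110 for the NAT ACL), the subnets and the function names are assumptions, and matching assumes contiguous wildcard masks.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample configs: RFC 1918 subnets, hypothetical ACL numbers.
# ACL 101 = crypto ACL (crypto map "match address"), ACL 110 = NAT ACL.
SITE1 = """\
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 110 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 any
"""
SITE2 = """\
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 any
"""
ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+|any) (\S+ \S+|any)$", re.M)

def net(term):
    """'any', 'host A' or 'A WILDCARD' -> ip_network (contiguous wildcards only)."""
    if term == "any":
        return ip_network("0.0.0.0/0")
    addr, wild = term.split()
    if addr == "host":
        return ip_network(wild + "/32")
    return ip_network(f"{addr}/{32 - bin(int(ip_address(wild))).count('1')}")

def aces(config, acl):
    """Ordered (action, src_net, dst_net) entries of one numbered ACL."""
    return [(a, net(s), net(d)) for n, a, s, d in ACE.findall(config) if n == acl]

def unmirrored(local, peer, acl="101"):
    """Local crypto permits that have no exactly reversed permit on the peer."""
    rev = {(d, s) for a, s, d in aces(peer, acl) if a == "permit"}
    return [(str(s), str(d)) for a, s, d in aces(local, acl)
            if a == "permit" and (s, d) not in rev]

def natted(config, crypto="101", nat="110"):
    """Crypto flows whose first fully covering NAT ACE is a permit (no exemption)."""
    hits = []
    for s, d in [(s, d) for a, s, d in aces(config, crypto) if a == "permit"]:
        first = next((x for x, ns, nd in aces(config, nat)
                      if s.subnet_of(ns) and d.subnet_of(nd)), "deny")
        if first == "permit":
            hits.append((str(s), str(d)))
    return hits

if __name__ == "__main__":
    print("unmirrored:", unmirrored(SITE1, SITE2), unmirrored(SITE2, SITE1))
    print("site2 NATs VPN traffic:", natted(SITE2))
```

In the sample, site 2's crypto ACL uses a /24 source where site 1 expects a /16, and site 2's NAT ACL has no deny entry ahead of its permit, so both checks flag site 2.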

