IOS to IOS vpn + policy based routing

acomiskey
Level 10

I am looking at the following scenario.

2811

7204

2811 has point to point T1 connection to 7204. Right now all traffic between the 2 networks use this serial link. Both routers also have an ethernet WAN link. I am trying to create a vpn between the 2 routers using the WAN interfaces, but only want specific traffic to flow over the vpn. All other traffic will still use the serial connection.

I tried this last night using policy based routing at the 2811 end. The 2811 default gateway is the 7204 serial interface. I then directed any traffic destined for 172.24.157.225 and 172.24.157.226 out int fa0/1. This would not work, the only way I got traffic to flow over the vpn is if I changed the default gateway to the upstream neighbor on fa0/1. Is what I am trying to do possible?

2811

interface FastEthernet0/0
 description Inside Network
 ip address 172.24.154.1 255.255.254.0
 ip policy route-map vpn_map
 duplex auto
 speed auto

interface Serial0/1/0
 ip address 192.168.10.30 255.255.255.252

interface FastEthernet0/1
 description $ES_LAN$
 ip address 98.x.x.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap

ip route 0.0.0.0 0.0.0.0 192.168.10.29
ip local policy route-map vpn_map

access-list 120 permit ip any host 172.24.157.225
access-list 120 permit ip any host 172.24.157.226

route-map vpn_map permit 20
 match ip address 120
 set ip next-hop 98.x.x.1

Accepted Solution

Adam

There is no route to the peer address 66.x.x.1xx so the router does not know how to get there. That would also explain why when you tried to add a static route with that as the next-hop the router wouldn't add it.

Do you know where the 66.x.x.1xx peer is in relation to the next-hop IP of 98.x.x.1 ?

Jon


23 Replies

Jon Marshall
Hall of Fame

Adam

I am a little confused about this. The crypto map access-lists define what traffic is to be sent down the VPN tunnel so you shouldn't need PBR at all as far as I can see.

What am i missing ?

Jon

Jon, I'm confused too! Wish I knew more about routers. Anywho, I updated my first post with a little config. All the traffic currently flows over the serial connection. If I want specific traffic to flow over int fa0/1 instead, do I only need the crypto map acl? I don't need to do pbr?

That's my understanding. You've got me second-guessing myself now. I know for sure you don't need a route for VPNs on pix/asa, or more specifically you don't need a route to the remote subnet(s), but you do to the remote peer.

As you have a P2P link your 2800 will know how to get to the peer address. Unfortunately I don't have any routers to test with but from memory I think it works the same way.

Edit - if you test and find this doesn't work this link may help - it's the order of operations on a router although i suspect you may have seen it already -

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Jon

I'll try this out later today and let you know how it goes.

2811

crypto map mymap 1 ipsec-isakmp
 description Tunnel to Main Site
 set peer 66.x.x.1xx
 set transform-set ESP-3DES-MD5
 set pfs group2
 match address 120

access-list 120 permit ip host 172.24.154.1 host 172.24.157.225
access-list 120 permit ip host 172.24.154.1 host 172.24.157.226

2811#show ip route | inc 157
D    172.24.157.0/24 [90/2172416] via 192.168.10.29, 12:27:45, Serial0/1/0

???

Is the 172.24.157.0 network meant to be reachable via the s0/1/0 link and you only want some of the traffic to go via the ethernet link ?

Jon

Yes.

Your original config had

set ip next-hop 98.x.x.1

but according to this config

set peer 66.x.x.1xx

Is this just a typo ?

Jon

98.x.x.1 is the next hop of interface fa0/1.

66.x.x.1xx is the peer address on the 7200.

Should I have the next hop be the peer address?

Even if I add a static route it doesn't show up?

ip route 172.24.157.226 255.255.255.255 66.x.x.1xx

Phil_Rtr#show ip route | inc 157
D    172.24.157.0/24 [90/2172416] via 192.168.10.29, 12:44:29, Serial0/1/0

"Should I have the next hop be the peer address?"

No, it's right as it is. I think the issue is as you have highlighted, i.e. you have a route for the subnet pointing out a different interface (never done this before) and routing happens before crypto checks. So you could

1) Just add static routes for these 2 hosts on your 2800 so that they get routed to the right interface

OR

2) we can try and work out why PBR isn't working. PBR happens before routing (obviously !!). Let me have a reread of the entire post and see if there are any glaring things I've missed. By the way when you set up the PBR did you see any hits on your access-list ?

Jon

Thanks Jon. I added a little to my last post. I'll check the pbr acl for hits.

Adam

The route would have to be the next-hop out of fa0/1

ip route 172.24.157.226 255.255.255.255 98.x.x.1

By the way, do you have a route to 66.x.x.1xx in your routing table ?

Jon
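Putting Jon's two points together (a route to the IPsec peer, and host routes out fa0/1 so that ordinary routing, which runs before the crypto map is consulted, carries the traffic to the encrypted interface), here is an added example 2811 configuration; it is not the thread's own config. It assumes the thread's addresses (98.x.x.1 as the next hop out fa0/1, 66.x.x.1xx as the 7204 peer) and that the 7204 side mirrors the routes and crypto ACL.

```ios
! Added example (not the thread's own config). 2811 side only.
! Addresses as in the thread: 98.x.x.1 is the next hop out fa0/1,
! 66.x.x.1xx is the 7204's IPsec peer address.

! 1) The router must be able to reach the IPsec peer. With the default
!    route pointing at the serial link, IKE to 66.x.x.1xx would otherwise
!    leave via Serial0/1/0, where there is no crypto map.
ip route 66.x.x.1xx 255.255.255.255 98.x.x.1

! 2) Routing is done before the crypto map is checked, so the two hosts
!    need routes out fa0/1. The /32s are more specific than the EIGRP
!    172.24.157.0/24 via Serial0/1/0 and therefore win; all other
!    172.24.157.0/24 traffic keeps using the T1.
ip route 172.24.157.225 255.255.255.255 98.x.x.1
ip route 172.24.157.226 255.255.255.255 98.x.x.1

! 3) The crypto map belongs on the interface the tunnel traffic exits.
interface FastEthernet0/1
 crypto map mymap

! 4) With routing doing the steering, the PBR pieces are not needed.
interface FastEthernet0/0
 no ip policy route-map vpn_map
no ip local policy route-map vpn_map

! The crypto ACL (unchanged from the thread) decides what is encrypted
! once a packet is leaving fa0/1. Anything the static routes send out
! fa0/1 that this ACL does not match goes to 98.x.x.1 in the clear, so
! it must cover every source you route that way:
!   access-list 120 permit ip host 172.24.154.1 host 172.24.157.225
!   access-list 120 permit ip host 172.24.154.1 host 172.24.157.226

! Checks on the 2811:
!   show ip route 172.24.157.226  -> the /32 via 98.x.x.1, FastEthernet0/1
!   show ip route 66.x.x.1xx      -> a route via 98.x.x.1, not Serial0/1/0
!   show crypto isakmp sa         -> an SA to 66.x.x.1xx in state QM_IDLE
!   show crypto ipsec sa          -> #pkts encaps/decaps rising for the hosts
```

The 7204 needs the mirror image (a route for the 2811 sources out its own WAN interface and a matching crypto ACL); otherwise its replies follow the T1 and only one direction of the exchange is encrypted.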

Jon Marshall
Hall of Fame

Adam

Any reason you have the crypto map applied to fa0/0

shouldn't it be applied to fa0/1 ?

Jon

I don't know, but the vpn comes up.
