
LANtoLAN IPSec + PBR + DVTI

Hello,

I need to clarify some things about routing with DVTI on the Cisco 1801. I have a VirtualTemplate interface associated with a Dialer interface:

interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_Profile

crypto isakmp profile VTI_Profile
 keyring TEST
 match identity address 1.2.3.4 255.255.255.255
 client configuration address respond
 keepalive 3600 retry 60
 virtual-template 1
 local-address Dialer0

Gateway of last resort is not set. I have PBR for incoming IPSec connections:

ip local policy route-map LOCAL

route-map LOCAL permit 10
 match ip address 150
 set interface Dialer0

route-map LOCAL permit 20
 match ip address 152
 set global

access-list 150 permit ip host 5.6.7.8 any
access-list 152 permit ip any any

After the IPSec tunnel is established, the new interface VirtualAccess1 appears and a route to the remote LAN is added to the global route table:

S 192.168.40.0/24 [1/0] via 1.2.3.4, Virtual-Access1

Ping from the local LAN to the remote LAN does not work until I add the default gateway. Is there a route lookup action after packets pass through the VirtualAccess interface?

2 Replies

smalkeric
Level 6

VTIs allow you to establish an encryption tunnel using a real interface as the tunnel endpoint.

Refer to the below URL for more info:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_virt_tunnl_ps9587_TSD_Products_Configuration_Guide_Chapter.html#wp1110852

Hi,

Could you look at Figure 3 at the URL you specified? If I configure different PBRs for the inside interface, the outside interface and the VTI, in what sequence will they be looked up?

regards,

Aleksei
