LANtoLAN IPSec + PBR + DVTI

Hello,

I need to clarify some things about routing with DVTI on the Cisco 1801. I have a VirtualTemplate interface associated with a Dialer interface:

interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_Profile

crypto isakmp profile VTI_Profile
 keyring TEST
 match identity address 1.2.3.4 255.255.255.255
 client configuration address respond
 keepalive 3600 retry 60
 virtual-template 1
 local-address Dialer0

Gateway of last resort is not set. I have PBR for incoming IPSec connections:

ip local policy route-map LOCAL

route-map LOCAL permit 10
 match ip address 150
 set interface Dialer0

route-map LOCAL permit 20
 match ip address 152
 set global

access-list 150 permit ip host 5.6.7.8 any
access-list 152 permit ip any any

After the IPSec tunnel is established, the new interface VirtualAccess1 appears and a route to the remote LAN is added to the global routing table:

S 192.168.40.0/24 [1/0] via 1.2.3.4, Virtual-Access1

Ping from the local LAN to the remote LAN does not work until I add the default gateway. Is there a route lookup after packets pass through the VirtualAccess interface?

2 Replies

smalkeric
Level 6

VTIs allow you to establish an encryption tunnel using a real interface as the tunnel endpoint.

Refer to the below URL for more info:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_virt_tunnl_ps9587_TSD_Products_Configuration_Guide_Chapter.html#wp1110852

Hi,

Could you look at Figure 3 at the URL you specified? If I configure different PBRs for the inside interface, the outside interface and the VTI, in what sequence will they be looked up?

regards,

Aleksei