I have a 2821 router which is the head end for many LAN to LAN VPN tunnels. We do not allow split tunneling. All traffic (including Internet traffic) comes down the VPN and is sent out the G0/1 interface to our servers, or to a content filter and out to the Internet.
The default route on is the content filter. All VPN peers and their private subnets have static routes on the 2821. Everything works great.
G0/0 IP: 220.127.116.11/24
G0/1 IP: 172.25.1.100/24
ip route 0.0.0.0 0.0.0.0 172.25.1.1
! L2L VPN peer public IP
ip route 18.104.22.168 255.255.255.248 22.214.171.124
! L2L VPN subnet
ip route 172.29.254.0 255.255.255.0 126.96.36.199
Now I want to configure a remote access (dynamic) VPN tunnels. The RA VPN works just fine if I have static routes installed for the workstation running the client software.
! RA VPN pool
ip route 172.29.253.0 255.255.255.0 188.8.131.52
! RA VPN peer
ip route 184.108.40.206 255.255.255.255 220.127.116.11
The problem is I can't just add a route every time someone wants RA VPN access. This looks like a job for PBR.
I created a map and applied it to the public interface of the router (G0/0) but it does not work.
ip access-list extended VPN-PBR
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
route-map VPN-PBR-map permit 10
match ip address VPN-PBR
set ip next-hop 18.104.22.168
Am I missing something obvious?