Routing remote access VPN traffic

Unanswered Question
Nov 6th, 2009
User Badges:

I have a 2821 router which is the head end for many LAN to LAN VPN tunnels. We do not allow split tunneling. All traffic (including Internet traffic) comes down the VPN and is sent out the G0/1 interface to our servers, or to a content filter and out to the Internet.

The default route on is the content filter. All VPN peers and their private subnets have static routes on the 2821. Everything works great.

G0/0 IP:

G0/1 IP:

ip route

! L2L VPN peer public IP

ip route

! L2L VPN subnet

ip route

Now I want to configure a remote access (dynamic) VPN tunnels. The RA VPN works just fine if I have static routes installed for the workstation running the client software.

! RA VPN pool

ip route

! RA VPN peer

ip route

The problem is I can't just add a route every time someone wants RA VPN access. This looks like a job for PBR.

I created a map and applied it to the public interface of the router (G0/0) but it does not work.

ip access-list extended VPN-PBR

permit esp any any

permit udp any any eq isakmp

permit udp any any eq non500-isakmp

route-map VPN-PBR-map permit 10

match ip address VPN-PBR

set ip next-hop

Am I missing something obvious?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Giuseppe Larosa Sat, 11/07/2009 - 02:13
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Cristhopher,

>> I created a map and applied it to the public interface of the router (G0/0) but it does not work.

PBR works on inbound flows so it should be applied on the interface that receives the flows that you want to divert.

So I think it should be applied on the other GE gi0/1

Hope to help


cjw Sat, 11/07/2009 - 11:34
User Badges:

Hello Giuseppe--

Thank you for the reply. I tried the route-map on GE0/1 as well and there are no hits on the map.

I am wondering if PBR will not work due to the the IOS order of operations. The router knows to route the IP pool subnet out the G0/0 interface, but not the peer's public IP address. The data must be encrypted/encapsulated before the peer's public IP is put in the IP header, so if IOS handles PBR before encryption this will never work.

According to the "NAT Order of Operations" document that I have seen, policy routing does take place before routing. Can anyone confirm this?


This Discussion