11-06-2009 10:33 PM - edited 03-04-2019 06:38 AM
I have a 2821 router which is the head end for many LAN to LAN VPN tunnels. We do not allow split tunneling. All traffic (including Internet traffic) comes down the VPN and is sent out the G0/1 interface to our servers, or to a content filter and out to the Internet.
The default route is to the content filter. All VPN peers and their private subnets have static routes on the 2821. Everything works great.
G0/0 IP: 63.1.1.2/24
G0/1 IP: 172.25.1.100/24
ip route 0.0.0.0 0.0.0.0 172.25.1.1
! L2L VPN peer public IP
ip route 12.1.1.96 255.255.255.248 63.1.1.1
! L2L VPN subnet
ip route 172.29.254.0 255.255.255.0 63.1.1.1
Now I want to configure remote access (dynamic) VPN tunnels. The RA VPN works just fine if I have static routes installed for the workstation running the client software.
! RA VPN pool
ip route 172.29.253.0 255.255.255.0 63.1.1.1
! RA VPN peer
ip route 75.75.75.5 255.255.255.255 63.1.1.1
The problem is I can't just add a route every time someone wants RA VPN access. This looks like a job for PBR.
I created a map and applied it to the public interface of the router (G0/0) but it does not work.
ip access-list extended VPN-PBR
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
route-map VPN-PBR-map permit 10
match ip address VPN-PBR
set ip next-hop 63.84.192.1
Am I missing something obvious?
11-07-2009 02:13 AM
Hello Cristhopher,
>> I created a map and applied it to the public interface of the router (G0/0) but it does not work.
PBR works on inbound flows so it should be applied on the interface that receives the flows that you want to divert.
So I think it should be applied on the other GE gi0/1
Hope to help
Giuseppe
11-07-2009 11:34 AM
Hello Giuseppe--
Thank you for the reply. I tried the route-map on GE0/1 as well and there are no hits on the map.
I am wondering if PBR will not work due to the IOS order of operations. The router knows to route the IP pool subnet out the G0/0 interface, but not the peer's public IP address. The data must be encrypted/encapsulated before the peer's public IP is put in the IP header, so if IOS handles PBR before encryption this will never work.
According to the "NAT Order of Operations" document that I have seen, policy routing does take place before routing. Can anyone confirm this?
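The order-of-operations question in the last post can be walked through with a small model. The script below is an added illustration, not Cisco code and not something anyone in the thread posted: it models only three stages (PBR on the ingress interface, the routing lookup, and IPsec encapsulation at the crypto map) and treats the encrypted outer packet as locally generated, because the router builds it and it never arrives on an interface. Addresses, routes and the VPN-PBR ACL are the ones posted above; the function names, the stage ordering and the separate "local policy" stage are my assumptions about the pipeline (a local policy for router-generated traffic exists in IOS as `ip local policy route-map`, but the thread itself does not mention it).

```python
"""Toy model of the IOS forwarding order discussed in the thread.

Added illustration, not Cisco code. Stages modelled: interface PBR on
the ingress interface, longest-prefix routing lookup, and IPsec
encapsulation toward the RA client. The ESP outer packet is treated as
locally generated (ingress None), so interface PBR never sees it.
"""
from ipaddress import ip_address, ip_network

# Static routes from the post (prefix -> next hop). Note: no /32 route
# for the RA client's public IP, which is the situation being debugged.
STATIC_ROUTES = {
    ip_network("0.0.0.0/0"): "172.25.1.1",        # content filter
    ip_network("12.1.1.96/29"): "63.1.1.1",       # L2L peer public IP
    ip_network("172.29.254.0/24"): "63.1.1.1",    # L2L subnet
    ip_network("172.29.253.0/24"): "63.1.1.1",    # RA VPN pool
}

PBR_NEXT_HOP = "63.84.192.1"   # "set ip next-hop" from the route-map
CRYPTO_PEER = "75.75.75.5"     # RA client's public IP from the post
ROUTER_PUBLIC = "63.1.1.2"     # G0/0 address, source of the ESP packets
POOL = ip_network("172.29.253.0/24")


def acl_vpn_pbr(pkt):
    """The VPN-PBR access list: ESP, or UDP to isakmp / non500-isakmp."""
    if pkt["proto"] == "esp":
        return True
    return pkt["proto"] == "udp" and pkt.get("dport") in (500, 4500)


def route_lookup(dst):
    """Longest-prefix match over STATIC_ROUTES; returns the next hop."""
    dst = ip_address(dst)
    best = max((n for n in STATIC_ROUTES if dst in n),
               key=lambda n: n.prefixlen)
    return STATIC_ROUTES[best]


def forward(pkt, interface_pbr=None, local_policy=None):
    """Return (next_hop, stage) for a packet.

    interface_pbr and local_policy are (match_fn, next_hop) tuples or
    None. A packet with ingress None is router-generated.
    """
    # Stage 1: interface PBR applies only to packets that arrived on an
    # interface, and only on that interface's inbound direction.
    if pkt["ingress"] is not None and interface_pbr:
        match, nh = interface_pbr
        if match(pkt):
            return nh, "interface-pbr"
    # Stage 1b (assumed model): local policy applies only to packets the
    # router itself generated, such as the ESP packets it builds.
    if pkt["ingress"] is None and local_policy:
        match, nh = local_policy
        if match(pkt):
            return nh, "local-policy"
    # Stage 2: ordinary routing lookup on the destination.
    nh = route_lookup(pkt["dst"])
    # Stage 3: the crypto map wraps traffic for the RA pool in ESP toward
    # the client's public IP. The outer packet is new and locally
    # generated, so it goes back through the pipeline with ingress None.
    if ip_address(pkt["dst"]) in POOL and not pkt.get("encapsulated"):
        outer = {"ingress": None, "proto": "esp", "src": ROUTER_PUBLIC,
                 "dst": CRYPTO_PEER, "encapsulated": True}
        return forward(outer, interface_pbr, local_policy)
    return nh, "routing"


if __name__ == "__main__":
    # Constructed sample: a server reply heading to an RA client in the pool.
    inner = {"ingress": "G0/1", "proto": "tcp",
             "src": "172.25.1.50", "dst": "172.29.253.10"}
    pbr = (acl_vpn_pbr, PBR_NEXT_HOP)
    print("interface PBR only :", forward(inner, interface_pbr=pbr))
    print("with local policy  :", forward(inner, interface_pbr=pbr,
                                          local_policy=pbr))
```

With only the interface route-map configured, the cleartext packet arriving on G0/1 does not match the ESP/ISAKMP ACL, so the map gets no hits; the ESP packet the router then builds toward 75.75.75.5 never passes an ingress interface and falls to the default route toward the content filter. Only the local-policy stage in this model redirects the router-generated ESP packet.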