I have a 2 tunnel DMVPN setup where each remote site connects to 2 different hub sites. OSPF bandwidth values control the routing between the locations and all sites are up and running just fine. The only static routes on the remote site routers are host static routes pointing to the VPN head-ends at each hub site. Other than that all routes are learned and a default route is injected from one of the hub sites. Again, this is all working fine.
Now I need to take it to the next step where if another "dynamic" VPN session is needed that VPN traffic is sent out the local Internet pipe and not the default route, which takes the traffic towards one of the hubs. Since the other remote site VPN points aren't known when this dynamic session is started I can't add more host static routes. I need to use policy routing.
I've created the access-list and route-map but I am unsure as to which interface to apply the route-map. It seems as though there isn't a good interface since policies are applied as traffic enters the interface from the outside (meaning it doesn't matter if it comes from within the router - at least that is what I believe).
S0/0/0 = T1 to main HQ
F0/0 = LAN interface
F0/1 = DSL Internet connection
TUN100 = DMVPN #1 to main DC (source = F0/1)
TUN200 = DMVPN #2 to second DC (source = F0/1)
The default route that is learned through OSPF points out S0/0/0. The two static routes for the two hub locations (DC #1 & DC #2) point out F0/1 via an IP next hop (so ARP doesn't fail).
My access-list & route-map are as follows:
ip access-list extended VPN-Traffic
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
route-map VPN-Traffic permit 10
 match ip address VPN-Traffic
 set ip next-hop 10.1.1.1
10.1.1.1 is the IP address of the DSL gateway device.
Anyone have any suggestions on how to get my VPN traffic to always leave the F0/1 interface?
When using point-to-point GRE and IPsec hub-and-spoke VPN networks, the physical interface IP address of the spoke routers must be known to configure the hub router, because that IP address should be configured as the GRE tunnel destination address. This feature allows spoke routers to have dynamic physical interface IP addresses (common for cable and DSL connections). When the spoke router comes online it sends registration packets to the hub router
While this document is useful for setting up a DMVPN scenario, I already have that configured and working. Also, this document is written from the perspective that my default route for the spoke locations is out its local Internet connection. For me that is not the case; I effectively have 3 WAN connections: a single T1 and two DMVPN tunnels over an Internet connection. The default route is learned via OSPF and typically points to the WAN T1 connection to go out the main DC Internet connection via the content filters. So, in my network I need to have the ability to have a default route be learned via OSPF so I point to the proper Internet demarc within the network depending upon the available Internet connections. Therein lies my problem: I need to route all unknown destinations and traffic through the learned default route. I also need to pass all VPN tunnel traffic out the local Internet connection. For the two hub data centers this is not a problem, as I can host route to their external VPN head ends with a static route. BUT for the branch/spoke locations that are unknown and being learned via NHRP, I need to use PBR to forward the VPN traffic out the local Internet connection instead of through the learned default route.
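An added configuration example, not taken from the thread or from any poster, showing one way to apply the route-map above to the router's own tunnel traffic. The GRE/IPsec packets a DMVPN spoke originates never arrive on an interface, so an interface-level "ip policy route-map" never sees them; "ip local policy route-map" applies the route-map to locally generated packets instead. The address 203.0.113.10 is a placeholder standing in for the F0/1 tunnel-source address; 10.1.1.1 is the DSL gateway from the post.

```ios
! Added example, not the poster's running config.
! 203.0.113.10 = placeholder for the F0/1 (tunnel source) address.
! 10.1.1.1     = DSL gateway, as given in the post.
!
! Match only packets sourced from the tunnel-source address, so ESP or
! ISAKMP that merely transits from the LAN still follows the OSPF default
! route. GRE is included because, depending on the IOS release, the
! routing lookup may happen on the GRE packet before IPsec encapsulation.
ip access-list extended VPN-Traffic
 permit gre host 203.0.113.10 any
 permit esp host 203.0.113.10 any
 permit ahp host 203.0.113.10 any
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
!
! Probe the DSL gateway so the policy only fires while it is reachable;
! if the probe fails, matching packets fall back to normal routing.
ip sla 1
 icmp-echo 10.1.1.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map VPN-Traffic permit 10
 match ip address VPN-Traffic
 set ip next-hop verify-availability 10.1.1.1 10 track 1
!
! Router-originated packets (the DMVPN GRE/IPsec traffic) are policy
! routed here, not on any interface.
ip local policy route-map VPN-Traffic
```

The existing host static routes toward the two hub head-ends can stay; the local policy only adds a path for the spoke NBMA addresses learned via NHRP that would otherwise follow the OSPF default out S0/0/0. Verify with "show route-map VPN-Traffic" (match counters) and "show track 1".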