Cisco Support Community
New Member

Force VPN traffic thru core of network


We have a hub-and-spoke design of IPsec with GRE between 1811 spokes and 7206VXR head ends. We have a "single tunnel", meaning no split tunneling is configured, so users behind the spoke routers get to the Internet all the way through the core of the network. We accomplish this with GRE inside of IPsec, using IPs from a /30 on both ends of the GRE tunnel and loopback IPs assigned as tunnel source and tunnel destination on each end of the GRE tunnel. We assign a route-map under the tunnel interface on the head end side that forces the traffic back through the core of the network and out of a firewall that is NATing all traffic to the Internet. Here is an example.

HE side

interface Tunnel10111
 description Tunnel 1 to Corp Branch
 ip address
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip policy route-map UNENCRYPTED
 keepalive 10 5
 tunnel source 
 tunnel destination

Spoke side

interface Tunnel1
 description Tunnel 1 to Corp Data Center1 - HE1
 ip address
 ip mtu 1400
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 keepalive 10 5
 tunnel source
 tunnel destination


Now we have another device that won't correctly allow us to define a GRE interface with loopback source and destination, so we decided to drop the GRE and go straight IPsec. IPsec all works correctly. The problem is that now the traffic arrives at the head end and is sent back out of the head end's default route to the Internet instead of being forced through the core to the firewall, which should be the only egress interface to the Internet.

How do I force the traffic coming from this spoke back through the core now? I want to use a route-map, but what would that look like?



New Member


I have applied this to see if I can force the VPN traffic from the spoke to the appropriate next hop, but I get zero matches on my ACL. The Gig0/2 interface does not see this traffic. How can I see it?

ip access-list ext To_Internet
 permit ip any
 permit icmp any

route-map 101traffic permit 10
 match ip address To_Internet
 set ip next-hop

interface GigabitEthernet0/2
 description connected to Corporate Backbone
 ip address
 ip wccp 12 redirect out
 ip policy route-map 101traffic
 ip ospf authentication message-digest
 ip ospf authentication-key xxxxxxx
 ip ospf priority 100
 duplex full
 speed 1000
 media-type rj45
 no negotiation auto
 no cdp enable
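A worked head-end configuration for the question above, added here as an example and not the poster's own config. The spoke LAN 10.20.30.0/24, the core-side next hop 172.16.0.1, the names SPOKE_TO_CORE, FORCE_CORE and SPOKE_MAP, and the outside interface GigabitEthernet0/0 are all assumed placeholders.

```cisco
! Added example, not the original poster's configuration. All addresses and
! names below are constructed placeholders:
!   10.20.30.0/24       LAN behind the crypto-map spoke
!   172.16.0.1          core-side hop toward the NATing firewall
!   GigabitEthernet0/0  Internet-facing interface that holds the crypto map
!
! "ip policy route-map" only acts on packets RECEIVED on the interface it is
! applied to. When a crypto-map packet is decrypted, the inner packet is
! processed as inbound on the interface holding the crypto map, so the policy
! must sit there. On the core-facing GigabitEthernet0/2 the decrypted traffic
! is only ever transmitted, which is why that ACL shows zero matches.
ip access-list extended SPOKE_TO_CORE
 remark decrypted packets from the spoke LAN, whatever their destination
 permit ip 10.20.30.0 0.0.0.255 any
!
! Match only the spoke's source range so that unrelated traffic arriving on
! the outside interface keeps following the normal routing table.
route-map FORCE_CORE permit 10
 match ip address SPOKE_TO_CORE
 set ip next-hop 172.16.0.1
!
interface GigabitEthernet0/0
 description Internet - IPsec peer side
 crypto map SPOKE_MAP
 ip policy route-map FORCE_CORE
!
! Verification: the policy and ACL counters should now increment as the
! spoke sends traffic, and the firewall should see it as the egress point.
! show route-map FORCE_CORE
! show ip access-lists SPOKE_TO_CORE
```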