How to route vpn traffic through the tunnel

Hello

I have a Cisco 1841 router, also used as DHCP server.

In my inside network I have an Endian firewall just to terminate an IPsec site-to-site tunnel to a remote location.

Local network: 172.17.80.0

1841 inside/default gateway 172.17.80.1

Endian 172.17.80.2

Remote network: 192.168.16.0

I want traffic to the remote network to go through Endian without having to add static routes on each client as I have to now.

Is this something the DHCP server handles, giving routes to the client?

Or should the router take care of this?

This is probably basic network knowledge I should know :)

I have a static route on the 1841 but that doesn't seem to do anything.

Regards

kritro


Eduardo Aliaga
Level 4

IPsec VPNs can be route-based or policy-based.

If you're using route-based you must use some kind of routing, either static or dynamic routes, to decide what traffic goes to the tunnel.

If you're using policy-based then your router ACLs will decide what traffic goes to the IPsec tunnel.

Could you please share your configuration?

I managed to solve it.

At first it didn't work, so I had the DHCP server send the routes to the clients, and that worked. But that's not ideal since I have clients/servers with static IP addresses.

What I did was to add option 121 and 249 to the DHCP server:

ip dhcp pool 172.17.80.0/24
   network 172.17.80.0 255.255.255.0
   default-router 172.17.80.1
   dns-server 172.17.80.30
   option 121 ip 24.192.168.126 172.17.80.2 24.172.17.60 172.17.80.2
   option 249 ip 24.192.168.126 172.17.80.2 24.172.17.60 172.17.80.2

But later I realized that I had an error in my routes, and after I added

ip route 172.17.60.0 255.255.255.0 172.17.80.2 3
ip route 192.168.126.0 255.255.255.0 172.17.80.2 2

to my config it worked for all, also the static IP machines.

172.17.80.2 is the Endian firewall that terminates the IPsec tunnels, and 172.17.60.0/24 and 192.168.126.0/24 are subnets at two remote branches.
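The odd-looking `option 121 ip 24.192.168.126 172.17.80.2 ...` line above is the RFC 3442 "classless static route" encoding: one byte of prefix length, only the significant octets of the destination, then the four bytes of the next hop, all rendered by IOS as dotted-decimal groups of four bytes. The following encoder/decoder is an added example written for this thread, not code from the thread or from Cisco; it reproduces the exact option 121 value the poster used for the two /24 branch subnets, and also handles the general case (a default route with prefix length 0, or a /16 that needs only two destination octets). The decoder is the part a defender wants: pointed at the raw option 121 bytes from a captured DHCP OFFER it shows which destinations a DHCP server is really steering clients to, since routes pushed this way override nothing on the router but do change where hosts send their packets. The helper names and the sample route list are my own.

```python
"""RFC 3442 (DHCP option 121 / classless static routes) encode and decode.

Added example for the thread above; the route list below is constructed
from the subnets the poster mentions and is not a capture.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # ("destination/prefixlen", "next-hop")

# Constructed sample: the two branch subnets reachable via the Endian box.
SAMPLE_ROUTES: List[Route] = [
    ("192.168.126.0/24", "172.17.80.2"),
    ("172.17.60.0/24", "172.17.80.2"),
]


def encode_route(dest: str, router: str) -> bytes:
    """Encode one route: <prefixlen><significant dest octets><4-byte router>."""
    net = ipaddress.ip_network(dest, strict=True)      # rejects host bits set
    nexthop = ipaddress.ip_address(router)
    if net.version != 4 or nexthop.version != 4:
        raise ValueError("option 121 carries IPv4 routes only")
    plen = net.prefixlen
    significant = (plen + 7) // 8                       # 0..4 octets of the destination
    return bytes([plen]) + net.network_address.packed[:significant] + nexthop.packed


def encode_option121(routes: List[Route]) -> bytes:
    """Concatenate the per-route encodings into the option payload."""
    return b"".join(encode_route(d, r) for d, r in routes)


def decode_option121(data: bytes) -> List[Route]:
    """Parse an option 121 payload back into (destination, next-hop) pairs.

    Raises ValueError on a malformed payload (bad prefix length, truncated
    route) rather than silently returning a partial list.
    """
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        significant = (plen + 7) // 8
        i += 1
        if i + significant + 4 > len(data):
            raise ValueError(f"truncated route at offset {i - 1}")
        dest = data[i:i + significant] + b"\x00" * (4 - significant)  # zero-pad to 4 octets
        i += significant
        nexthop = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(dest)}/{plen}", strict=False)
        routes.append((str(net), str(nexthop)))
    return routes


def ios_dotted(data: bytes) -> str:
    """Render the payload as the dotted 4-byte groups IOS shows for 'option 121 ip'.

    Assumption (mine, not from Cisco docs): this rendering is only meaningful
    when the payload is a whole number of 4-byte groups, which is always the
    case for /24 routes like the ones in the thread.
    """
    if len(data) % 4:
        raise ValueError("payload is not a multiple of 4 bytes; use a hex form instead")
    return " ".join(str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4))


if __name__ == "__main__":
    payload = encode_option121(SAMPLE_ROUTES)
    print("hex:   ", payload.hex())
    print("ios:   ", ios_dotted(payload))
    print("decoded", decode_option121(payload))
```

Running it prints the same `24.192.168.126 172.17.80.2 24.172.17.60 172.17.80.2` string the poster put in the pool, which is a quick way to check an option 121 line before committing it. Note that option 249 is the Microsoft-specific predecessor of option 121 with the identical payload format, so both lines in the pool carry the same bytes; older Windows clients only honour 249, which is why the poster set both.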