IOS EZVPN Routing

moody
Level 1

If I have a remote ASA connecting to an ISR via EZVPN - the ISR is the EZVPN hub/server. I understand how the tunnel gets set up etc., but I'm not sure how the routing takes place. Can the ISR inform the local router what routes it is responsible for? How does the ISR know how to route packets for different EZVPN tunnels?

1 Reply

Raja Periyasamy
Level 1

Hi,

The routing of packets across the VPN tunnel will be decided by the split ACL configuration on the server.

If there is no split ACL configured, then the IPsec SA will be from the assigned client IP to any, which means everything from that IP will be sent across the tunnel and the ISR will decide on where to send the traffic.

The differentiation by the server will be based on the IP addresses assigned to each of the clients.

For example, if the IP assigned to the client is 172.16.12.3, then the IPsec SA will look like this:

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.12.3/255.255.255.255/0/0)

Thus the EZVPN server will know how to reach each of these clients individually.

Rate the post if it helps
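The selector matching described in the reply above, as an added example that is not part of the original thread: it parses the ident lines of IPsec SAs and picks the SA whose proxy identities cover a packet leaving the server. The second SA (a split-ACL client with local network 10.1.0.0/16) and the function names are assumptions made for illustration, and the lookup is a simplified model, not IOS's own code.

```python
import ipaddress
import re

# Matches the proxy-identity lines printed for each IPsec SA.
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/\d+/\d+\)"
)

# First pair is the SA quoted in the reply; the second pair is constructed
# (assumed client 172.16.12.4 behind a split ACL permitting 10.1.0.0/16).
SAMPLE = """
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.12.3/255.255.255.255/0/0)
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.12.4/255.255.255.255/0/0)
"""

def parse_sas(text):
    """Return a list of (local_net, remote_net) selector pairs, in order."""
    sas, local = [], None
    for side, addr, mask in IDENT_RE.findall(text):
        net = ipaddress.ip_network(f"{addr}/{mask}")
        if side == "local":
            local = net
        elif local is not None:
            sas.append((local, net))
            local = None
    return sas

def select_sa(sas, src, dst):
    """Pick the SA whose selectors cover a packet sent by the server side."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in sas:
        if src in local and dst in remote:
            return (local, remote)
    return None  # no SA covers this packet, so it is not encrypted to a client

def tunnel_mode(local):
    """Local ident 0.0.0.0/0 means no split ACL: the client tunnels everything."""
    return "full-tunnel" if local.prefixlen == 0 else "split-tunnel"

if __name__ == "__main__":
    for local, remote in parse_sas(SAMPLE):
        print(remote, "<-", local, tunnel_mode(local))
```
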
