Cisco Support Community
Community Member

Route router originated VPN traffic out of a different interface to the default route

We have a Cisco IOS router with two DSL connections.  One of them is intended for general traffic (ADSL), the other for VPN links (BDSL) and various other traffic.

The default route is the ADSL link, and we have a combination of static routes for the VPN traffic, and policy routes for other traffic types that should go out the BDSL link.

For site to site traffic, this is fine, we just static route the public IPs and remote networks out of the BDSL line.

The policy based routing also works fine for any outgoing internal traffic that matches an ACL.

The problem is now that there are remote VPN sites originating from dynamic addresses, so we cannot use static routes.  The replies to incoming ISAKMP requests are following the default route out of the ADSL (despite there being no crypto map on that interface).

I want to route the outgoing VPN traffic out of the BDSL.  I have tried adding udp/500 and esp to and from any to the route-map acl that pushes traffic out of the BDSL line, but it doesn't match, presumably because the route-map happens earlier than the IPSec stuff.

Any ideas how I can do this?



IOS ver: 12.4.13T.

Cisco Employee

Route router originated VPN traffic out of a different interface


You're running a bit older IOS, but this should still apply:

It explains how PBR and local policy apply to IKE/IPsec.


Community Member

Route router originated VPN traffic out of a different interface

Aah, thanks, local policy was the bit I was missing.

I have it set up, but it doesn't quite work:

ip local policy route-map local-policy

route-map local-policy, permit, sequence 10
  Match clauses:
    ip address (access-lists): local-policy
  Set clauses:
    ip next-hop
  Policy routing matches: 128 packets, 0 bytes

#sh access-list local-policy
Extended IP access list local-policy
    20 permit esp any any
    30 permit ip any host log (3 matches)
    40 permit udp any eq isakmp any eq isakmp log (172 matches)
    50 permit udp any any eq non500-isakmp

With the above setup, the VPN to will establish.  IPSec looks good, packets encap and decap.  But packets from the head-end to the remote site do not get there.

If I add

    ip route

Then the packets are returned.  I have turned off cef just in case.  The address is dynamic, just in the access-list for testing, and will be removed once I get this working.  But what can override the local policy route?  It is like the isakmp packets are respecting the policy route, but ESP is not.
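A configuration sketch of the distinction the reply above points at, added here as an example and not taken from any poster's config: interface PBR on the LAN side only sees transit traffic, so router-originated IKE and ESP have to be caught by `ip local policy`. The interface names, the ACL and route-map names, the LAN prefix 192.168.10.0/24 and the BDSL next-hop 198.51.100.1 are all assumed placeholders.

```cisco
! Added example, not from the thread. 198.51.100.1 is an assumed BDSL gateway
! (documentation range); interface and object names are assumptions too.
!
! Transit traffic from the LAN: interface PBR on the inbound LAN interface works,
! but it never sees packets the router itself originates (IKE replies, ESP).
ip access-list extended OTHER-TO-BDSL
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
!
route-map TO-BDSL permit 10
 match ip address OTHER-TO-BDSL
 set ip next-hop 198.51.100.1
!
interface FastEthernet0/0
 description LAN
 ip policy route-map TO-BDSL
!
! Router-originated traffic: IKE (udp/500), NAT-T (udp/4500) and ESP must be
! matched by the local policy, which is applied to packets the router generates.
ip access-list extended LOCAL-POLICY
 permit udp any eq isakmp any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
route-map LOCAL-POLICY permit 10
 match ip address LOCAL-POLICY
 set ip next-hop 198.51.100.1
!
ip local policy route-map LOCAL-POLICY
!
! The crypto map stays bound to the BDSL interface only, so the ADSL interface
! never terminates IPsec and peers are answered from the BDSL address.
interface Dialer1
 description BDSL
 crypto map VPN-MAP
```

To verify which packets the local policy actually handles, compare the per-entry hit counts in `show access-list LOCAL-POLICY` with the packet counter in `show route-map LOCAL-POLICY`; ISAKMP entries incrementing while the ESP entry stays at zero is the symptom described in the last post.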

