Route router originated VPN traffic out of a different interface to the default route
We have a Cisco IOS router with two DSL connections. One of them is intended for general traffic (ADSL), the other for VPN links (BDSL) and various other traffic.
The default route is the ADSL link, and we have a combination of static routes for the VPN traffic, and policy routes for other traffic types that should go out the BDSL link.
For site-to-site traffic, this is fine, we just static route the public IPs and remote networks out of the BDSL line.
The policy based routing also works fine for any outgoing internal traffic that matches an ACL.
The problem is now that there are remote VPN sites originating from dynamic addresses, so we cannot use static routes. The replies to incoming ISAKMP requests are following the default route out of the ADSL (despite there being no crypto map on that interface).
I want to route the outgoing VPN traffic out of the BDSL. I have tried adding udp/500 and esp to and from any to the route-map ACL that pushes traffic out of the BDSL line, but it doesn't match, presumably because the route-map happens earlier than the IPSec stuff.
Aah, thanks, local policy was the bit I was missing.
I have it set up, but it doesn't quite work:
ip local policy route-map local-policy
route-map local-policy, permit, sequence 10
ip address (access-lists): local-policy
ip next-hop 220.127.116.11
Policy routing matches: 128 packets, 0 bytes
#sh access-list local-policy
Extended IP access list local-policy
20 permit esp any any
30 permit ip any host 18.104.22.168 log (3 matches)
40 permit udp any eq isakmp any eq isakmp log (172 matches)
50 permit udp any any eq non500-isakmp
With the above setup, the VPN to 22.214.171.124 will establish. IPSec looks good, packets encap and decap. But packets from the head-end to the remote site do not get there.
If I add
ip route 126.96.36.199 255.255.255.255 188.8.131.52
Then the packets are returned. I have turned off cef just in case. The 184.108.40.206 address is dynamic, just in the access-list for testing, and will be removed once I get this working. But what can override the local policy route? It is like the isakmp packets are respecting the policy route, but ESP is not.
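As an added illustration (not configuration posted in this thread), the following IOS snippet pulls together the design the two posts describe: default route via the ADSL link, static routes via BDSL for the known site-to-site peers, interface-level PBR for selected inside traffic, and a local policy route-map for router-originated IKE, NAT-T and ESP. Interface names, the 192.0.2.1 and 198.51.100.1 next hops, the 203.0.113.10 static peer and the 10.x.0.0/24 networks are assumptions drawn from documentation address ranges; the crypto map itself is assumed to be defined elsewhere.

```cisco
! Added illustration, not configuration from the original thread.
! Interface names, next hops (192.0.2.1 = ADSL, 198.51.100.1 = BDSL),
! the 203.0.113.10 static peer and the 10.x.0.0/24 networks are assumptions.
!
interface Dialer1
 description ADSL - general Internet traffic (default route)
 ip address negotiated
!
interface Dialer2
 description BDSL - VPN and policy-routed traffic
 ip address negotiated
 crypto map VPN-MAP          ! assumed: defined elsewhere, with a dynamic map for roaming sites
!
interface GigabitEthernet0/0
 description inside LAN
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map INSIDE-POLICY   ! interface PBR: only transit traffic from the LAN
!
! Default route via ADSL; known site-to-site peers and their networks via BDSL
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 203.0.113.10 255.255.255.255 198.51.100.1   ! static peer's public IP
ip route 10.20.0.0 255.255.255.0 198.51.100.1        ! that peer's remote network
!
! Inside traffic types that must leave via BDSL regardless of the default route
ip access-list extended INSIDE-TO-BDSL
 permit ip 10.0.0.0 0.0.0.255 10.30.0.0 0.0.0.255
!
route-map INSIDE-POLICY permit 10
 match ip address INSIDE-TO-BDSL
 set ip next-hop 198.51.100.1
!
! Router-originated traffic never passes an interface route-map, so it needs
! "ip local policy". IKE (udp/500), NAT-T (udp/4500) and ESP go to the BDSL next hop.
ip access-list extended LOCAL-TO-BDSL
 permit udp any eq isakmp any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
route-map LOCAL-POLICY permit 10
 match ip address LOCAL-TO-BDSL
 set ip next-hop 198.51.100.1
!
ip local policy route-map LOCAL-POLICY
```

To check which entries are actually being hit, use show ip local policy, show route-map LOCAL-POLICY (the "Policy routing matches" counter) and show access-list LOCAL-TO-BDSL. In the follow-up above, the ISAKMP entries show matches while the ESP entry shows none, and a host route for the peer via BDSL restored the return traffic, so comparing those counters against the routing table for the peer's address is the first place to look when the tunnel comes up but head-end packets do not arrive.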