Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

dual wan router with ssl/ipsec vpn

Hello All,

I have a question about how to set up a 1941 router with two WAN links to two different ISPs. I want all the surfing in-to-out traffic and the default route going to ISP1 and the SSL and L2L IPSEC traffic going to ISP2. The link to ISP2 would also be the failover link to the internet for the inside hosts in case the link to ISP1 went down. I have read that this can be accomplished with route maps, but I have not found any examples that meet my needs. I can post the config of the 1941 if needed.

Thanks.

6 REPLIES
Hall of Fame Super Silver

Re: dual wan router with ssl/ipsec vpn

In general terms the solution that you are looking for is Policy Based Routing. With PBR you can use route maps to change the routing logic for certain types of traffic.

I would suggest that you approach your configuration in this order:

- set up the primary/preferred routing for Internet traffic (probably a static default route or whatever suits your requirements).

- set up failover to the other ISP connection. Depending on the type of interfaces this could be as simple as a floating static default route, or it could be more complex and need to configure some type of Object Tracking or IP SLA to recognize failure of the primary link and failover to ISP2.

- then set up PBRs for IPSec and SSL VPN traffic. The route map needs to identify the traffic for which it will use different routing logic. Matching the IPSec traffic is fairly easy since you basically need to match ISAKMP (UDP 500) and ESP (protocol 50) traffic. Matching SSL VPN may be a bit more tricky. The easy thing would be to match the SSL traffic by port number (which is TCP 443). But since browsing HTTPS is also TCP 443 you may get some overlap in your route map. You might need to use matching on the machine on your network to which people will do SSL VPN. Or you may need to come up with some other matching criteria.

HTH

Rick

New Member

Re: dual wan router with ssl/ipsec vpn

Thanks for the info! I have done some initial config based on this document:

https://supportforums.cisco.com/docs/DOC-12284

I'm testing the SSL first. I'm not sure whether to use a local ip policy statement or applied to the VPN WAN interface.

Hall of Fame Super Silver

Re: dual wan router with ssl/ipsec vpn

You would use the local policy if the router itself were the SSL VPN gateway. You would apply the ip policy with route map to the interface where the SSL traffic arrives if the gateway is some other device in the network.

HTH

Rick

New Member

Re: dual wan router with ssl/ipsec vpn

The router itself is the SSL gateway so I will make that change. Thanks!

New Member

Re: dual wan router with ssl/ipsec vpn

So far it's not working. Any troubleshooting tips? I can post the config here.

New Member

Re: dual wan router with ssl/ipsec vpn

Here is the config:

I think ACL 105 allows too much. I should probably change it to 10.1.9.0 0.0.0.255.

Current configuration : 19593 bytes

!

! Last configuration change at 15:12:52 EST Mon Nov 1 2010 by user

!

version 15.0

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname router

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login external-vpn-users local group radius

aaa authentication login webvpn local

aaa authorization exec default local

aaa authorization network external-vpn-groups local

aaa authorization network external-vpn-users group radius local

!

!

!

!

!

aaa session-id common

!

!

!

clock timezone EST -5

!

no ipv6 cef

!

flow record nbar

description NBAR flow monitor

match ipv4 tos

match ipv4 protocol

match ipv4 source address

match ipv4 destination address

match transport source-port

match transport destination-port

match interface input

match application name

collect datalink mac source address input

collect datalink mac destination address input

collect routing destination as

collect routing next-hop address ipv4

collect ipv4 dscp

collect ipv4 id

collect ipv4 source prefix

collect ipv4 source mask

collect ipv4 destination mask

collect transport tcp source-port

collect transport tcp destination-port

collect transport tcp flags

collect transport udp source-port

collect transport udp destination-port

collect interface output

collect flow direction

collect flow sampler

collect counter bytes

collect counter packets

collect timestamp sys-uptime first

collect timestamp sys-uptime last

!

!

flow exporter export

description flexible NF v9

destination 1.1.1.1

source GigabitEthernet0/0

transport udp 2055

template data timeout 60

option interface-table

option exporter-stats

option application-table

!

!

flow monitor mon

description app traffic analysis

record nbar

exporter export-to-tim

cache timeout active 60

!

ip source-route

ip cef

!

!

!

!

ip domain name domain.com

ip name-server 68.87.64.150

ip inspect audit-trail

ip inspect alert-off

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

ip inspect name SSl_VPN https

!

multilink bundle-name authenticated

!

!

crypto pki trustpoint TP-self-signed-1234

enrollment selfsigned

ip-address 2.2.2.2

subject-name cn=IOS-Self-Signed-Certificate-1234

revocation-check none

rsakeypair TP-self-signed-3735527223

!

!

crypto pki certificate chain TP-self-signed-1234

certificate self-signed 01

  cert

        quit

license udi pid CISCO1941/K9 sn 1111

!

!

username user

!

redundancy

!

!

!

class-map type inspect match-any CMAP-1

match protocol tcp

match protocol icmp

match protocol udp

class-map type inspect match-all pptp-passthru

match access-group name PPTP-PASS-THROUGH

class-map type inspect match-all CMAP-HTTPS

match protocol https

class-map type inspect match-all CMAP-IPSEC

!

!

policy-map type inspect PMAP-1

class type inspect CMAP-1

  inspect

class type inspect pptp-passthru

  pass

class class-default

  drop

policy-map type inspect PMAP-2

class type inspect pptp-passthru

  pass

class type inspect CMAP-HTTPS

  pass

class class-default

  drop

!

zone security inside

zone security outside

zone-pair security inside-to-outside source inside destination outside

service-policy type inspect PMAP-1

zone-pair security outside-to-inside source outside destination inside

service-policy type inspect PMAP-2

!

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key key address 4.4.4.4 no-xauth

!

crypto isakmp client configuration group vpn-group-1

key key

dns 10.1.9.254

wins 10.1.9.254

domain domain.com

pool vpn_users1

acl 151

netmask 255.255.255.0

crypto isakmp profile VPNclient

   match identity group vpn-group-1

!

!

crypto ipsec transform-set sonicwall esp-3des esp-md5-hmac

crypto ipsec transform-set client-tsset esp-3des esp-sha-hmac

!

crypto dynamic-map client-map 1

set transform-set client-tsset

set isakmp-profile VPNclient

reverse-route

!

!

crypto map external-crypto client authentication list external-vpn-users

crypto map external-crypto isakmp authorization list external-vpn-groups

crypto map external-crypto client configuration address respond

crypto map external-crypto 10 ipsec-isakmp

description Tunnel to Sonicwall / 4.4.4.4

set peer 4.4.4.4

set security-association lifetime seconds 86400

set transform-set sonicwall

match address 150

crypto map external-crypto 65535 ipsec-isakmp dynamic client-map!

!

!

!

!

interface Loopback2

description This is needed for WebVPN address pool

ip address 10.3.1.126 255.255.255.0

ip nat inside

ip virtual-reassembly

!

!

interface GigabitEthernet0/0

description Internal LAN

ip address 10.1.9.251 255.255.255.0

ip mask-reply

ip nbar protocol-discovery

ip flow monitor tim-mon input

ip nat inside

ip virtual-reassembly

zone-member security inside

duplex auto

speed auto

no cdp enable

no mop enabled

!

!

interface GigabitEthernet0/1

description Internet via Comcast

ip address 1.1.1.1 255.255.255.248

ip nbar protocol-discovery

ip flow monitor tim-mon input

ip nat outside

ip virtual-reassembly

zone-member security outside

duplex auto

speed auto

no cdp enable

no mop enabled

!

!

interface FastEthernet0/0/0

description Internet via Paetec

ip address 2.2.2.2 255.255.255.240

ip verify unicast reverse-path

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

no mop enabled

crypto map external-crypto

!

!

ip local policy route-map SSL-REDIRECT

ip local pool vpn_users1 10.2.1.1 10.2.1.100

ip local pool webvpn_users 10.3.1.1 10.3.1.100

ip forward-protocol nd

!

no ip http server

ip http authentication local

no ip http secure-server

ip flow-cache timeout active 1

!

ip nat inside source list 105 interface GigabitEthernet0/1 overload

ip nat inside source route-map nonat-vpn interface FastEthernet0/0/0 overload

ip route 0.0.0.0 0.0.0.0 1.1.1.1

ip route 0.0.0.0 0.0.0.0 2.2.2.1 250

!

ip access-list extended PPTP-PASS-THROUGH

permit gre any any

ip access-list extended SSL

permit tcp host 2.2.2.2 eq 443 any

!

no logging trap

access-list 100 remark NAT policy for this router

access-list 100 remark Deny NAT for packets via VPN

access-list 100 deny   ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255

access-list 100 remark Deny NAT for packets to VPN clients (ippool)

access-list 100 deny   ip any host 10.2.1.1

access-list 100 deny   ip any host 10.2.1.2

access-list 100 deny   ip any host 10.2.1.3

access-list 100 deny   ip any host 10.2.1.4

access-list 100 deny   ip any host 10.2.1.5

access-list 100 deny   ip any host 10.2.1.6

access-list 100 deny   ip any host 10.2.1.7

access-list 100 deny   ip any host 10.2.1.8

access-list 100 deny   ip any host 10.2.1.9

access-list 100 deny   ip any host 10.2.1.10

access-list 100 deny   ip any host 10.2.1.11

access-list 100 deny   ip any host 10.2.1.12

access-list 100 deny   ip any host 10.2.1.13

access-list 100 deny   ip any host 10.2.1.14

access-list 100 deny   ip any host 10.2.1.15

access-list 100 deny   ip any host 10.2.1.16

access-list 100 deny   ip any host 10.2.1.17

access-list 100 deny   ip any host 10.2.1.18

access-list 100 deny   ip any host 10.2.1.19

access-list 100 deny   ip any host 10.2.1.20

access-list 100 deny   ip any host 10.2.1.21

access-list 100 deny   ip any host 10.2.1.22

access-list 100 deny   ip any host 10.2.1.23

access-list 100 deny   ip any host 10.2.1.24

access-list 100 deny   ip any host 10.2.1.25

access-list 100 deny   ip any host 10.2.1.26

access-list 100 deny   ip any host 10.2.1.27

access-list 100 deny   ip any host 10.2.1.28

access-list 100 deny   ip any host 10.2.1.29

access-list 100 deny   ip any host 10.2.1.30

access-list 100 deny   ip any host 10.2.1.31

access-list 100 deny   ip any host 10.2.1.32

access-list 100 deny   ip any host 10.2.1.33

access-list 100 deny   ip any host 10.2.1.34

access-list 100 deny   ip any host 10.2.1.35

access-list 100 deny   ip any host 10.2.1.36

access-list 100 deny   ip any host 10.2.1.37

access-list 100 deny   ip any host 10.2.1.38

access-list 100 deny   ip any host 10.2.1.39

access-list 100 deny   ip any host 10.2.1.40

access-list 100 deny   ip any host 10.2.1.41

access-list 100 deny   ip any host 10.2.1.42

access-list 100 deny   ip any host 10.2.1.43

access-list 100 deny   ip any host 10.2.1.44

access-list 100 deny   ip any host 10.2.1.45

access-list 100 deny   ip any host 10.2.1.46

access-list 100 deny   ip any host 10.2.1.47

access-list 100 deny   ip any host 10.2.1.48

access-list 100 deny   ip any host 10.2.1.49

access-list 100 deny   ip any host 10.2.1.50

access-list 100 deny   ip any host 10.2.1.51

access-list 100 deny   ip any host 10.2.1.52

access-list 100 deny   ip any host 10.2.1.53

access-list 100 deny   ip any host 10.2.1.54

access-list 100 deny   ip any host 10.2.1.55

access-list 100 deny   ip any host 10.2.1.56

access-list 100 deny   ip any host 10.2.1.57

access-list 100 deny   ip any host 10.2.1.58

access-list 100 deny   ip any host 10.2.1.59

access-list 100 deny   ip any host 10.2.1.60

access-list 100 deny   ip any host 10.2.1.61

access-list 100 deny   ip any host 10.2.1.62

access-list 100 deny   ip any host 10.2.1.63

access-list 100 deny   ip any host 10.2.1.64

access-list 100 deny   ip any host 10.2.1.65

access-list 100 deny   ip any host 10.2.1.66

access-list 100 deny   ip any host 10.2.1.67

access-list 100 deny   ip any host 10.2.1.68

access-list 100 deny   ip any host 10.2.1.69

access-list 100 deny   ip any host 10.2.1.70

access-list 100 deny   ip any host 10.2.1.71

access-list 100 deny   ip any host 10.2.1.72

access-list 100 deny   ip any host 10.2.1.73

access-list 100 deny   ip any host 10.2.1.74

access-list 100 deny   ip any host 10.2.1.75

access-list 100 deny   ip any host 10.2.1.76

access-list 100 deny   ip any host 10.2.1.77

access-list 100 deny   ip any host 10.2.1.78

access-list 100 deny   ip any host 10.2.1.79

access-list 100 deny   ip any host 10.2.1.80

access-list 100 deny   ip any host 10.2.1.81

access-list 100 deny   ip any host 10.2.1.82

access-list 100 deny   ip any host 10.2.1.83

access-list 100 deny   ip any host 10.2.1.84

access-list 100 deny   ip any host 10.2.1.85

access-list 100 deny   ip any host 10.2.1.86

access-list 100 deny   ip any host 10.2.1.87

access-list 100 deny   ip any host 10.2.1.88

access-list 100 deny   ip any host 10.2.1.89

access-list 100 deny   ip any host 10.2.1.90

access-list 100 deny   ip any host 10.2.1.91

access-list 100 deny   ip any host 10.2.1.92

access-list 100 deny   ip any host 10.2.1.93

access-list 100 deny   ip any host 10.2.1.94

access-list 100 deny   ip any host 10.2.1.95

access-list 100 deny   ip any host 10.2.1.96

access-list 100 deny   ip any host 10.2.1.97

access-list 100 deny   ip any host 10.2.1.98

access-list 100 deny   ip any host 10.2.1.99

access-list 100 deny   ip any host 10.2.1.100

access-list 100 deny   ip any host 10.3.1.1

access-list 100 deny   ip any host 10.3.1.2

access-list 100 deny   ip any host 10.3.1.3

access-list 100 deny   ip any host 10.3.1.4

access-list 100 deny   ip any host 10.3.1.5

access-list 100 deny   ip any host 10.3.1.6

access-list 100 deny   ip any host 10.3.1.7

access-list 100 deny   ip any host 10.3.1.8

access-list 100 deny   ip any host 10.3.1.9

access-list 100 deny   ip any host 10.3.1.10

access-list 100 deny   ip any host 10.3.1.11

access-list 100 deny   ip any host 10.3.1.12

access-list 100 deny   ip any host 10.3.1.13

access-list 100 deny   ip any host 10.3.1.14

access-list 100 deny   ip any host 10.3.1.15

access-list 100 deny   ip any host 10.3.1.16

access-list 100 deny   ip any host 10.3.1.17

access-list 100 deny   ip any host 10.3.1.18

access-list 100 deny   ip any host 10.3.1.19

access-list 100 deny   ip any host 10.3.1.20

access-list 100 deny   ip any host 10.3.1.21

access-list 100 deny   ip any host 10.3.1.22

access-list 100 deny   ip any host 10.3.1.23

access-list 100 deny   ip any host 10.3.1.24

access-list 100 deny   ip any host 10.3.1.25

access-list 100 deny   ip any host 10.3.1.26

access-list 100 deny   ip any host 10.3.1.27

access-list 100 deny   ip any host 10.3.1.28

access-list 100 deny   ip any host 10.3.1.29

access-list 100 deny   ip any host 10.3.1.30

access-list 100 deny   ip any host 10.3.1.31

access-list 100 deny   ip any host 10.3.1.32

access-list 100 deny   ip any host 10.3.1.33

access-list 100 deny   ip any host 10.3.1.34

access-list 100 deny   ip any host 10.3.1.35

access-list 100 deny   ip any host 10.3.1.36

access-list 100 deny   ip any host 10.3.1.37

access-list 100 deny   ip any host 10.3.1.38

access-list 100 deny   ip any host 10.3.1.39

access-list 100 deny   ip any host 10.3.1.40

access-list 100 deny   ip any host 10.3.1.41

access-list 100 deny   ip any host 10.3.1.42

access-list 100 deny   ip any host 10.3.1.43

access-list 100 deny   ip any host 10.3.1.44

access-list 100 deny   ip any host 10.3.1.45

access-list 100 deny   ip any host 10.3.1.46

access-list 100 deny   ip any host 10.3.1.47

access-list 100 deny   ip any host 10.3.1.48

access-list 100 deny   ip any host 10.3.1.49

access-list 100 deny   ip any host 10.3.1.50

access-list 100 deny   ip any host 10.3.1.51

access-list 100 deny   ip any host 10.3.1.52

access-list 100 deny   ip any host 10.3.1.53

access-list 100 deny   ip any host 10.3.1.54

access-list 100 deny   ip any host 10.3.1.55

access-list 100 deny   ip any host 10.3.1.56

access-list 100 deny   ip any host 10.3.1.57

access-list 100 deny   ip any host 10.3.1.58

access-list 100 deny   ip any host 10.3.1.59

access-list 100 deny   ip any host 10.3.1.60

access-list 100 deny   ip any host 10.3.1.61

access-list 100 deny   ip any host 10.3.1.62

access-list 100 deny   ip any host 10.3.1.63

access-list 100 deny   ip any host 10.3.1.64

access-list 100 deny   ip any host 10.3.1.65

access-list 100 deny   ip any host 10.3.1.66

access-list 100 deny   ip any host 10.3.1.67

access-list 100 deny   ip any host 10.3.1.68

access-list 100 deny   ip any host 10.3.1.69

access-list 100 deny   ip any host 10.3.1.70

access-list 100 deny   ip any host 10.3.1.71

access-list 100 deny   ip any host 10.3.1.72

access-list 100 deny   ip any host 10.3.1.73

access-list 100 deny   ip any host 10.3.1.74

access-list 100 deny   ip any host 10.3.1.75

access-list 100 deny   ip any host 10.3.1.76

access-list 100 deny   ip any host 10.3.1.77

access-list 100 deny   ip any host 10.3.1.78

access-list 100 deny   ip any host 10.3.1.79

access-list 100 deny   ip any host 10.3.1.80

access-list 100 deny   ip any host 10.3.1.81

access-list 100 deny   ip any host 10.3.1.82

access-list 100 deny   ip any host 10.3.1.83

access-list 100 deny   ip any host 10.3.1.84

access-list 100 deny   ip any host 10.3.1.85

access-list 100 deny   ip any host 10.3.1.86

access-list 100 deny   ip any host 10.3.1.87

access-list 100 deny   ip any host 10.3.1.88

access-list 100 deny   ip any host 10.3.1.89

access-list 100 deny   ip any host 10.3.1.90

access-list 100 deny   ip any host 10.3.1.91

access-list 100 deny   ip any host 10.3.1.92

access-list 100 deny   ip any host 10.3.1.93

access-list 100 deny   ip any host 10.3.1.94

access-list 100 deny   ip any host 10.3.1.95

access-list 100 deny   ip any host 10.3.1.96

access-list 100 deny   ip any host 10.3.1.97

access-list 100 deny   ip any host 10.3.1.98

access-list 100 deny   ip any host 10.3.1.99

access-list 100 deny   ip any host 10.3.1.100

access-list 100 remark NAT everything else

access-list 100 permit ip 10.1.9.0 0.0.0.255 any

access-list 105 remark CCP_ACL Category=2

access-list 105 permit ip 10.0.0.0 0.255.255.255 any

access-list 110 deny   ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255

access-list 120 permit ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255

access-list 150 remark Permit traffic between here and remote LAN via IPSEC

access-list 150 permit ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255

access-list 151 remark ACL for VPN Client Split Tunneling

access-list 151 permit ip 10.1.9.0 0.0.0.255 any

!

no cdp run

!

!

!

route-map nonat-vpn permit 1

match ip address 100

!

route-map SSL-REDIRECT permit 10

match ip address SSL

match interface FastEthernet0/0/0

set ip next-hop 2.2.2.1

!

!

radius-server host 10.1.9.254 auth-port 1645 acct-port 1646 key key

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

transport input ssh

line vty 5 15

privilege level 15

transport input ssh

!

scheduler allocate 20000 1000

!

webvpn gateway WebVPNGateway

ip address 2.2.2.2 port 443

ssl encryption 3des-sha1

ssl trustpoint TP-self-signed-1234

inservice

!

webvpn install svc flash0:/webvpn/svc.pkg sequence 1

!

webvpn context Default_context

ssl authenticate verify all

!

nbns-list "Windows_Servers"

   nbns-server 10.1.9.254 master

!

port-forward "WebVPN_Ports"

   local-port 3001 remote-server "10.1.9.254" remote-port 2029 description "MSSQLPROFXENGAGEMENT"

   local-port 3002 remote-server "10.1.9.254" remote-port 6735 description "PFXEngDesktopService"

   local-port 3003 remote-server "10.1.9.254" remote-port 6736 description "PFXSYNPFTService"

   local-port 3004 remote-server "10.1.9.254" remote-port 1434 description "SQL Listening Service"

!

policy group WebVPN_Policy

   port-forward "WebVPN_Ports"

   nbns-list "Windows_Servers"

   functions file-access

   functions file-browse

   functions file-entry

   functions svc-required

   svc address-pool "webvpn_users"

   svc default-domain "domain.com"

   svc keep-client-installed

   svc dpd-interval gateway 30

   svc rekey method new-tunnel

   svc split include 10.1.9.0 255.255.255.0

   svc dns-server primary 10.1.9.254

   svc wins-server primary 10.1.9.254

default-group-policy WebVPN_Policy

aaa authentication list external-vpn-users

inservice

!

end

1077
Views
0
Helpful
6
Replies
CreatePlease to create content