Cisco Support Community

Green

IOS to IOS vpn + policy based routing

I am looking at the following scenario.

2811

7204

2811 has a point-to-point T1 connection to the 7204. Right now all traffic between the 2 networks uses this serial link. Both routers also have an ethernet WAN link. I am trying to create a vpn between the 2 routers using the WAN interfaces, but only want specific traffic to flow over the vpn. All other traffic will still use the serial connection.

I tried this last night using policy based routing at the 2811 end. The 2811 default gateway is the 7204 serial interface. I then directed any traffic destined for 172.24.157.225 and 172.24.157.226 out int fa0/1. This would not work; the only way I got traffic to flow over the vpn is if I changed the default gateway to the upstream neighbor on fa0/1. Is what I am trying to do possible?

2811

interface FastEthernet0/0
 description Inside Network
 ip address 172.24.154.1 255.255.254.0
 ip policy route-map vpn_map
 duplex auto
 speed auto
!
interface Serial0/1/0
 ip address 192.168.10.30 255.255.255.252
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address 98.x.x.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 192.168.10.29
ip local policy route-map vpn_map
!
access-list 120 permit ip any host 172.24.157.225
access-list 120 permit ip any host 172.24.157.226
!
route-map vpn_map permit 20
 match ip address 120
 set ip next-hop 98.x.x.1

Hall of Fame Super Blue

Re: IOS to IOS vpn + policy based routing

Adam

I am a little confused about this. The crypto map access-lists define what traffic is to be sent down the VPN tunnel so you shouldn't need PBR at all as far as I can see.

What am I missing?

Jon

Green

Re: IOS to IOS vpn + policy based routing

Jon, I'm confused too! Wish I knew more about routers. Anywho, I updated my first post with a little config. All the traffic currently flows over the serial connection. If I want specific traffic to flow over int fa0/1 instead, do I only need the crypto map acl? I don't need to do pbr?

Hall of Fame Super Blue

Re: IOS to IOS vpn + policy based routing

That's my understanding. You've got me second-guessing myself now. I know for sure you don't need a route for VPNs on pix/asa, or more specifically you don't need a route to the remote subnet(s), but you do to the remote peer.

As you have a P2P link your 2800 will know how to get to the peer address. Unfortunately I don't have any routers to test with, but from memory I think it works the same way.

Edit - if you test and find this doesn't work, this link may help. It's the order of operations on a router, although I suspect you may have seen it already:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Jon

Green

Re: IOS to IOS vpn + policy based routing

I'll try this out later today and let you know how it goes.

Green

Re: IOS to IOS vpn + policy based routing

2811

crypto map mymap 1 ipsec-isakmp
 description Tunnel to Main Site
 set peer 66.x.x.1xx
 set transform-set ESP-3DES-MD5
 set pfs group2
 match address 120
!
access-list 120 permit ip host 172.24.154.1 host 172.24.157.225
access-list 120 permit ip host 172.24.154.1 host 172.24.157.226

2811#show ip route | inc 157
D    172.24.157.0/24 [90/2172416] via 192.168.10.29, 12:27:45, Serial0/1/0

???

Hall of Fame Super Blue

Re: IOS to IOS vpn + policy based routing

Is the 172.24.157.0 network meant to be reachable via the s0/1/0 link, and you only want some of the traffic to go via the ethernet link?

Jon

Green

Re: IOS to IOS vpn + policy based routing

Yes.

Hall of Fame Super Blue

Re: IOS to IOS vpn + policy based routing

Your original config had

set ip next-hop 98.x.x.1

but according to this config

set peer 66.x.x.1xx

Is this just a typo?

Jon

Green

Re: IOS to IOS vpn + policy based routing

98.x.x.1 is the next hop of interface fa0/1.

66.x.x.1xx is peer address on 7200.

Should I have the next hop be the peer address?

Even if I add a static route it doesn't show up?

ip route 172.24.157.226 255.255.255.255 66.x.x.1xx

Phil_Rtr#show ip route | inc 157

D 172.24.157.0/24 [90/2172416] via 192.168.10.29, 12:44:29, Serial0/1/0

Hall of Fame Super Blue

Re: IOS to IOS vpn + policy based routing

"Should I have the next hop be the peer address?"

No, it's right as it is. I think the issue is as you have highlighted, i.e. you have a route for the subnet pointing out a different interface (never done this before) and routing happens before crypto checks. So you could

1) Just add static routes for these 2 hosts on your 2800 so that they get routed to the right interface

OR

2) we can try and work out why PBR isn't working. PBR happens before routing (obviously!!). Let me have a reread of the entire post and see if there are any glaring things I've missed. By the way, when you set up the PBR did you see any hits on your access-list?

Jon

Green

Re: IOS to IOS vpn + policy based routing

Thanks Jon. I added a little to my last post. I'll check the pbr acl for hits.

Hall of Fame Super Blue

Re: IOS to IOS vpn + policy based routing

Adam

The route would have to be the next-hop out of fa0/1

ip route 172.24.157.226 255.255.255.255 98.x.x.1

By the way, do you have a route to 66.x.x.1xx in your routing table?

Jon

Hall of Fame Super Blue

Re: IOS to IOS vpn + policy based routing

Adam

Any reason you have the crypto map applied to fa0/0?

Shouldn't it be applied to fa0/1?

Jon

Green

Re: IOS to IOS vpn + policy based routing

I don't know, but the vpn comes up.

Green

Re: IOS to IOS vpn + policy based routing

OK, here goes.

ip route 172.24.157.226 255.255.255.255 98.x.x.1

Phil_Rtr#show ip route | inc 157

D 172.24.157.0/24 [90/2172416] via 192.168.10.29, 12:59:38, Serial0/1/0

S 172.24.157.226/32 [1/0] via 98.x.x.1

Now if I ping from 172.25.154.1 to 172.24.157.226 the vpn comes up.

Hall of Fame Super Blue

Re: IOS to IOS vpn + policy based routing

Hmmm, that seems a bit weird.

Have you got this working now, or are there still things to sort out?

Edit - sorry i was a bit quick. This post applies to your comment on the crypto map placement not the vpn coming up.

Perhaps IM would be a good idea after all :-)

Jon

Green

Re: IOS to IOS vpn + policy based routing

I thought it was sorted out....now I'm trying the ping again and it is not working. I swear it was working 2 minutes ago.

Hall of Fame Super Blue

Re: IOS to IOS vpn + policy based routing

Adam

Can you post the config you are working with on the 2800 at the moment?

Are you trying PBR or are you relying on the static routes ?

Can you also post output of a "sh ip route" from 2800.

I really think the crypto map should be placed on the fa0/1 interface, assuming I have understood your topology correctly.

Jon

Green

Re: IOS to IOS vpn + policy based routing

Jon, the crypto is applied to fa0/1. I must have misposted before. I am not using pbr right now, just the static. I'll get you the whole config shortly. Thanks.

Green

Re: IOS to IOS vpn + policy based routing

2800 config and show ip route attached.

Hall of Fame Super Blue

Re: IOS to IOS vpn + policy based routing

Adam

There is no route to the peer address 66.x.x.1xx so the router does not know how to get there. That would also explain why when you tried to add a static route with that as the next-hop the router wouldn't add it.

Do you know where the 66.x.x.1xx peer is in relation to the next-hop IP of 98.x.x.1?

Jon
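As an added illustration (not code from the thread or from Cisco), the Python model below walks through the order Jon describes, PBR first, then the routing table, then the crypto map on the egress interface, against the 2811's routes, and shows why the /32 for the destination host alone left the tunnel down until the peer also had a route out fa0/1. It assumes constructed stand-ins for the masked public addresses (198.51.100.1 for 98.x.x.1, 203.0.113.10 for the 66.x.x.1xx peer) and reduces the crypto ACL match to the destination host.

```python
# Added example, not from the thread: a simplified model of the forwarding
# order Jon describes (PBR, then routing table, then crypto map on the egress
# interface) run against the 2811's routes.  Constructed stand-ins for the
# masked public addresses: 198.51.100.1 = 98.x.x.1, 203.0.113.10 = 66.x.x.1xx.
import ipaddress

FA01 = "FastEthernet0/1"
FA01_NEXT_HOP = "198.51.100.1"                     # stand-in for 98.x.x.1
PEER = "203.0.113.10"                              # stand-in for 66.x.x.1xx
VPN_HOSTS = {"172.24.157.225", "172.24.157.226"}   # ACL 120 destinations

# Routes as posted: the default and the EIGRP /24 both point down the T1.
BASE_ROUTES = [
    ("0.0.0.0/0", "192.168.10.29", "Serial0/1/0"),
    ("172.24.157.0/24", "192.168.10.29", "Serial0/1/0"),
    ("198.51.100.0/24", None, FA01),               # connected, stand-in subnet
    ("172.24.154.0/23", None, "FastEthernet0/0"),
]

def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return None if best is None else (best[1], best[2])

def forward(routes, dst, pbr=False):
    """How the 2811 handles a packet from the inside LAN to dst."""
    # 1. PBR (route-map vpn_map) is evaluated before the routing table.
    if pbr and dst in VPN_HOSTS:
        egress = FA01
    else:
        hit = lookup(routes, dst)
        if hit is None:
            return "dropped: no route"
        egress = hit[1]
    # 2. The crypto map only sees packets leaving the interface it is bound
    #    to, so anything routed down the T1 goes in the clear.
    if egress != FA01 or dst not in VPN_HOSTS:
        return f"clear via {egress}"
    # 3. IKE/ESP to the peer must itself route out fa0/1; with only the
    #    default route the peer is sent toward the T1 and the SA never forms.
    peer_hit = lookup(routes, PEER)
    if peer_hit is None or peer_hit[1] != FA01:
        return "tunnel fails: no usable route to peer"
    return f"encrypted to {PEER} via {egress}"
```

Adding the host /32 alone moves the packet to fa0/1 but still reports the tunnel failing; adding the peer /32 via the fa0/1 next hop, as in the fix that closed the thread, is what makes it report encrypted.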

Green

Re: IOS to IOS vpn + policy based routing

Bingo! Weird, because the phase looked like it was actually coming up.

I added...

ip route 66.x.x.1xx 255.255.255.255 98.x.x.1

and it's working. Many thanks!

Hall of Fame Super Blue

Re: IOS to IOS vpn + policy based routing

Adam

Glad we got there in the end!

You would probably be able to revert back to PBR if you wanted but maybe if it's working...

Many thanks for the ratings.

Jon
