Cisco Support Community
routing over VPN between 2 sites

Hi

I have 2 sites, they are connected via an MPLS service.

I have a statement on both of them that creates a VPN tunnel using crypto maps; the peer address is the provider's MPLS address of the router for each site.

My question is: when I do the match address statement, then put the traffic I want to be encrypted in my access list, does this traffic automatically get routed to the peer address I set using the set peer command?

Or do I also need an IP route for this?

Please help.

Carl

1 ACCEPTED SOLUTION

Hello Carl,

You may need static routes so that the traffic to be encrypted is sent out the interface on which you have applied the crypto map.

Traffic, before it is encrypted, has to be routed from the internal interfaces to the MPLS-facing interface.

So the destination IP subnets of the remote end need entries in the IP routing table with outgoing interface = MPLS interface to work correctly.

The MPLS service provider has to provide IP routing services between the IPsec peer addresses, both local and remote.

In some cases a simple default static route pointing to the MPLS interface can be enough, and it may already be in place.

Hope to help

Giuseppe

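As an added illustration of the accepted answer (and of Giuseppe's follow-up about the two routing lookups below), here is a minimal IOS crypto-map configuration for one site showing where the routing entries go. This is example configuration written for this page, not Giuseppe's or Cisco's, and every address, name and the pre-shared key are assumptions: Site A LAN 10.1.0.0/24 on Gi0/0, MPLS-facing Gi0/1 with provider-assigned 172.16.1.2/30 and PE next hop 172.16.1.1, Site B LAN 10.2.0.0/24 behind the peer 172.16.2.2. Site B mirrors this with the addresses swapped and its ACL reversed.

```cisco
! Site A router (hypothetical addresses; Site B mirrors this with the roles swapped)
!
! Phase 1 / Phase 2 policy. The thread does not specify algorithms; AES-256 and
! SHA-256 are chosen here as a sane baseline, not because the original used them.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key <strong-shared-secret> address 172.16.2.2
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting" traffic. This ACL only selects what gets encrypted once a packet
! is already leaving through the crypto-map interface; it does not route anything.
ip access-list extended ACL-VPN-TO-SITE-B
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map CM-MPLS 10 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set TS-AES-SHA
 match address ACL-VPN-TO-SITE-B
!
interface GigabitEthernet0/0
 description Site A LAN
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 description MPLS-facing; the crypto map is applied here
 ip address 172.16.1.2 255.255.255.252
 crypto map CM-MPLS
!
! Routing is what delivers traffic to the crypto-map interface in the first place.
! 1) First lookup: cleartext packets for the remote LAN must resolve to Gi0/1.
!    Without this route they never reach the crypto map and are never encrypted.
ip route 10.2.0.0 255.255.255.0 172.16.1.1
! 2) Second lookup: after encapsulation the ESP packet is addressed to the peer
!    172.16.2.2, so the peer's address must itself be reachable via the provider.
ip route 172.16.2.0 255.255.255.252 172.16.1.1
! A single default route towards the PE satisfies both lookups at once; if one is
! already present, as Giuseppe notes, no additional static routes are needed:
! ip route 0.0.0.0 0.0.0.0 172.16.1.1
```

To check it after generating traffic from the LAN: `show ip route 10.2.0.1` should resolve to GigabitEthernet0/1, `show crypto isakmp sa` should show the peer in QM_IDLE, and the `#pkts encaps` / `#pkts decaps` counters in `show crypto ipsec sa` should increase on both sides. If the counters stay at zero while the routes are present, the usual cause is that the ACL on the other site is not the exact mirror of this one.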
4 REPLIES

But I thought that when doing the match address it would automatically send to the IP where you have done the set peer?

Hello Carl,

Routing is needed to reach the interface where the crypto map is applied. The encrypted traffic has destination = peer address, so in the second iteration the traffic is routed to the peer address.

If no default route exists on the node, the router simply does not know that the traffic before encryption should exit via that interface.

If a default route exists in the node and uses the same interface where the crypto map is applied, no additional routes are needed.

Hope to help

Giuseppe

Hi Carl,

Do you really need to encrypt the traffic? A service provider which offers an L3VPN service or any MPLS-based service is already isolating your traffic from the rest of the world by means of VRFs and dedicated redistribution over the BGP-MPLS platform up to the egress router...

Alessio
