I have a 2821 router which is the head end for many LAN to LAN VPN tunnels. We do not allow split tunneling. All traffic (including Internet traffic) comes down the VPN and is sent out the G0/1 interface to our servers, or to a content filter and out to the Internet.
The default route is to the content filter. All VPN peers and their private subnets have static routes on the 2821. Everything works great.
G0/0 IP: 126.96.36.199/24
G0/1 IP: 172.25.1.100/24
ip route 0.0.0.0 0.0.0.0 172.25.1.1
! L2L VPN peer public IP
ip route 188.8.131.52 255.255.255.248 184.108.40.206
! L2L VPN subnet
ip route 172.29.254.0 255.255.255.0 220.127.116.11
Now I want to configure remote access (dynamic) VPN tunnels. The RA VPN works just fine if I have static routes installed for the workstation running the client software.
! RA VPN pool
ip route 172.29.253.0 255.255.255.0 18.104.22.168
! RA VPN peer
ip route 22.214.171.124 255.255.255.255 126.96.36.199
The problem is I can't just add a route every time someone wants RA VPN access. This looks like a job for PBR.
I created a map and applied it to the public interface of the router (G0/0) but it does not work.
Thank you for the reply. I tried the route-map on GE0/1 as well and there are no hits on the map.
I am wondering if PBR will not work due to the IOS order of operations. The router knows to route the IP pool subnet out the G0/0 interface, but not the peer's public IP address. The data must be encrypted/encapsulated before the peer's public IP is put in the IP header, so if IOS handles PBR before encryption this will never work.
According to the "NAT Order of Operations" document that I have seen, policy routing does take place before routing. Can anyone confirm this?
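As an added illustration, not the poster's configuration and not a confirmed fix for this thread, this is the shape of an IOS policy route that steers the router's own IKE/ESP packets toward the G0/0 gateway instead of the default route. It assumes the encrypted packets are treated as router-originated, so it uses local policy rather than an interface policy; G0/0-NEXT-HOP is a placeholder for the upstream gateway on G0/0.

```cisco
! Constructed example: match only what the router itself sends as the VPN endpoint
! (IKE on UDP/500, NAT-T on UDP/4500, ESP) sourced from its G0/0 address.
ip access-list extended RA-VPN-OUTER
 permit udp host 126.96.36.199 any eq isakmp
 permit udp host 126.96.36.199 any eq non500-isakmp
 permit esp host 126.96.36.199 any
!
! Send matching packets to the G0/0 gateway (placeholder address, replace before use).
route-map RA-VPN-PBR permit 10
 match ip address RA-VPN-OUTER
 set ip next-hop G0/0-NEXT-HOP
!
! An interface policy only evaluates packets arriving on that interface;
! packets the router generates itself are evaluated by local policy.
ip local policy route-map RA-VPN-PBR
!
! Verification (exec mode): confirm the policy is actually matching packets.
show route-map RA-VPN-PBR
```

If the hit counter on the route-map stays at zero, the packets are not reaching the policy at all, which points back at the order-of-operations question rather than at the match criteria.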