Cisco Support Community

New Member

VPN route to remote subnet

I have configured a 1921 with 2 Dialer interfaces, Dialer1 (SDSL) and Dialer3 (ADSL).

The default route is via Dialer3; lan-to-lan IPsec and remote users have to connect through Dialer1.

The problem is that I have to add a static route to Dialer1 for the remote subnet for lan-to-lan IPsec, and a route to the remote WAN IP for remote access.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes
 authentication pre-share
!
crypto isakmp policy 4
 encr 3des
 authentication pre-share
 lifetime 28800
crypto isakmp key REMOVED address Remote1
crypto isakmp key REMOVED address Remote2
crypto isakmp key REMOVED address Remote3
crypto isakmp key REMOVED address Remote4
crypto isakmp key REMOVED address Remote5
!
crypto isakmp client configuration group MVPN
 key REMOVED
 dns 192.168.1.1
 wins 192.168.1.1
 domain domain.local
 pool ipvpnpool
 acl 105
crypto isakmp profile vpnclient
   match identity group MVPN
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set phase2Remote3 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set VPNClientSet esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set VPNClientSet
 set isakmp-profile vpnclient
 reverse-route
!
!
crypto map MyMap 1 ipsec-isakmp
 set peer REMOVED
 set security-association lifetime seconds 86400
 set transform-set MySet
 match address cryptoRemote1
crypto map MyMap 2 ipsec-isakmp
 set peer REMOVED
 set security-association lifetime seconds 86400
 set transform-set MySet
 match address cryptoRemote2
crypto map MyMap 3 ipsec-isakmp
 set peer REMOVED
 set security-association lifetime seconds 86400
 set transform-set phase2Remote3
 match address cryptoRemote3
crypto map MyMap 4 ipsec-isakmp
 set peer REMOVED
 set security-association lifetime seconds 86400
 set transform-set MySet
 match address cryptoRemote4
crypto map MyMap 5 ipsec-isakmp
 set peer REMOVED
 set security-association lifetime seconds 28800
 set transform-set MySet
 match address cryptoRemote5
crypto map MyMap 20 ipsec-isakmp dynamic dynmap

interface GigabitEthernet0/0
 description Data VLAN
 ip address 192.168.1.252 255.255.255.0 secondary
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface GigabitEthernet0/1
 description Voice VLAN
 ip address 192.168.101.254 255.255.255.0
 ip tcp adjust-mss 1452
!

interface Dialer1
 description SDSL
 mtu 1492
 ip address WAN IP REMOVED
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username REMOVED
 no cdp enable
 crypto map MyMap
!
interface Dialer2
 description 2ndPVC
 mtu 1492
 ip unnumbered GigabitEthernet0/1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication pap callin
 ppp pap sent-username REMOVED
 no cdp enable
!
interface Dialer3
 description ADSL
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 3
 dialer-group 3
 ppp authentication pap callin
 ppp pap sent-username REMOVED
 no cdp enable
!
ip local pool ipvpnpool 172.16.1.1 172.16.1.50
ip local policy route-map pbrSDSL
!
ip nat inside source list natRules interface Dialer3 overload
ip nat inside source static tcp 192.168.1.1 1723 interface Dialer3 1723
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 0.0.0.0 0.0.0.0 Dialer1 252
ip route 10.0.5.0 255.255.255.0 Dialer1
ip route REMOTE IP MOBILE VPN USER 255.255.255.255 Dialer1
ip route 192.168.2.0 255.255.255.0 Dialer1
ip route 192.168.3.0 255.255.255.0 Dialer1
ip route 192.168.99.0 255.255.255.0 Dialer2
ip route 192.168.100.0 255.255.255.0 Dialer1
ip route 192.168.103.0 255.255.255.0 Dialer2
!
ip access-list extended cryptoRemote1
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended cryptoRemote2
 permit ip 192.168.1.0 0.0.0.255 10.0.5.0 0.0.0.255
ip access-list extended cryptoRemote3
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended cryptoRemote4
 permit ip 192.168.1.0 0.0.0.255 10.0.20.0 0.0.0.255
ip access-list extended cryptoRemote5
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended natRules
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.0.5.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended pbrSDSL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.0.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
access-list 105 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map pbrSDSL permit 10
 match ip address pbrSDSL
 set interface Dialer1
!

5 REPLIES
Hall of Fame Super Blue

"The problem is that I have to add a static route to Dialer1 for the remote subnet for lan-to-lan IPsec, and a route to the remote WAN IP for remote access."

Not sure I understand what the exact problem is.

If your default route does not point out of the interface that your VPNs are on, then you will have to use routes to point via the right interface.

Why is that a problem?

Jon

New Member

For lan-to-lan it's not really a problem (although we never had to do this on the Cisco 800-series).

For the mobile VPN clients it is. Remote clients connect to Dialer1, but packets are sent out through Dialer3 if I don't add ip route [REMOTE WAN IP MOBILE VPN USER] 255.255.255.255 Dialer1 specifically.

In the VPN client, the Encrypting packet counter is incrementing, but Decrypted stays at 0 without the ip route command.

Hall of Fame Super Blue (accepted solution)

So you want the VPN clients to use the interface that is not the one with the active default route, and of course the VPN client public IP could be anything, so adding host routes for each client simply isn't practical.

A possible solution may be to use PBR.

It looks from your configuration that your client VPNs use private addressing, so you could apply PBR to the LAN interface, matching the source IPs and then setting the next-hop interface to be the correct one.

Your config does have PBR and it looks like this is what you may be trying to do, but you haven't applied it to the LAN interface, i.e. you have -

"ip local policy route-map pbrSDSL"

but this only applies to traffic generated by the router itself, not traffic passing through it.

Is that what the PBR configuration is for?

Jon

New Member

Yes Jon, your assumption is correct.

All VPN traffic should go over Dialer1; the rest of the traffic should use Dialer3.

Applying ip policy route-map pbrSDSL to interface GigabitEthernet0/0 is all I need to do?

Hall of Fame Super Blue

"Applying ip policy route-map pbrSDSL to interface GigabitEthernet0/0 is all I need to do?"

Yes, if your PBR ACL is just for VPN traffic then apply it to the interface and it should work.

Jon
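The change Jon describes, written out as an added example. This is not the original poster's running config and not something Jon posted; the interface, ACL, route-map and crypto-map names are the ones from the thread, and the show/debug commands are standard IOS exec commands. The comments are my reading of why "ip local policy" leaves the remote-access clients' return traffic on the Dialer3 default route: the reverse-route entries that dynmap installs point at each client's public IP as next hop, and that next hop recurses through the routing table.

```ios
! Added example; not the original poster's config or Jon's. Names below
! (Dialer1, Dialer3, GigabitEthernet0/0, pbrSDSL, MyMap, dynmap) come from
! the thread; the show/debug commands are standard IOS exec commands.
!
! What is already on the router and why it is not enough:
!   - Dialer3 holds the default route; Dialer1 carries crypto map MyMap.
!   - 'reverse-route' under dynamic-map dynmap installs a route for each
!     client's 172.16.1.x pool address whose next hop is the client's public
!     IP. That next hop resolves through the routing table, i.e. the Dialer3
!     default, unless a host route (or policy routing) says otherwise.
!   - 'ip local policy' applies route-map pbrSDSL only to packets the router
!     itself originates. LAN replies to 172.16.1.x are transit traffic, so
!     they still follow the Dialer3 default and never reach the crypto map.
ip local policy route-map pbrSDSL
!
! Fix: policy-route transit traffic on the interface where it arrives. PBR
! runs on ingress, before the routing-table lookup, so LAN-to-VPN traffic is
! handed to Dialer1 and encrypted by MyMap regardless of the default route.
interface GigabitEthernet0/0
 ip policy route-map pbrSDSL
!
! Route-map and ACL as posted, plus one line for the Remote4 subnet:
! 10.0.20.0/24 is in cryptoRemote4 and natRules but has neither a static
! route via Dialer1 nor a pbrSDSL entry, so as posted it would leave via
! Dialer3 without being encrypted.
ip access-list extended pbrSDSL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.0.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.0.20.0 0.0.0.255
!
route-map pbrSDSL permit 10
 match ip address pbrSDSL
 set interface Dialer1
!
! Verification from exec mode, after a client connects:
!   show ip policy                      - Gi0/0 should list pbrSDSL
!   show route-map pbrSDSL              - the "Policy routing matches"
!                                         counter must rise as LAN hosts reply
!   show crypto ipsec sa peer <client public IP> | include pkts
!                                       - both #pkts encaps and #pkts decaps
!                                         should now increase
!   debug ip policy                     - per-packet PBR decisions; can be
!                                         restricted to an ACL on a busy router
```

Keeping the PBR ACL limited to exactly the VPN destinations, as Jon says, is what lets non-VPN LAN traffic fall through the route-map and keep using the Dialer3 default; a "permit ip any any" in pbrSDSL would pull all LAN traffic onto the SDSL line.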
