VPN hub and spoke

hillegas
Level 1

I have a hub and spoke WAN utilizing GRE crypto tunnels from the hub to the spoke sites. I'm using a 7204 in the hub and various other routers on the spokes. In the particular scenario where we are having problems, we have an 831 as the spoke obtaining a public IP address from the ISP. The caveat or problem we're having is that the ISP also provides a default route with this DHCP lease. We do not want to support split tunneling. All traffic, even Internet traffic, must traverse our hub router. We haven't been able to get all traffic from the 831 LAN to traverse the hub router. I would like to know how we can do this without impacting the GRE/crypto tunnel. I've tried using policy routing on the internal LAN interface and directing all traffic across the GRE tunnel, but the traffic is still traversing the public interface.

4 Replies

Richard Burts
Hall of Fame

Do you configure a default route on the 831 pointing to the tunnel as the next hop?

Perhaps if you could post the output of show ip route we could get a better understanding of what is happening and what you can do about it.

HTH

Rick

dbellaze
Level 4

This is a challenging one. The route the 831 installs will have the best administrative distance from a routing table standpoint.

Can you post the PBR config that you tried to use? I would think this is the only way to avoid the default route received from DHCP.

Daniel

d.kratz
Level 1

Hi hillegas,

Do you apply your crypto map on the physical interface, or do you create a GRE interface and apply your crypto map to that virtual interface?

If you use the second approach, you can apply a policy to the inside interface. Something like this:

interface FastEthernet 0
 ! inside (LAN) interface: policy-route everything that arrives here
 ip policy route-map set-default
!
! No match clause, so sequence 10 applies to every packet entering FastEthernet 0.
! "set default interface" is only used for destinations that have no explicit
! route in the routing table (a 0.0.0.0/0 default does not count as explicit),
! so Internet-bound LAN traffic is pushed into the tunnel instead of the ISP link.
route-map set-default permit 10
 set default interface Tunnel1
!

Regards,

Kratz

hillegas
Level 1

I utilized the ip route 0.0.0.0 0.0.0.0 null0 command, and this took care of getting to the public IP address.
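Pulling the pieces of this thread together, here is a constructed spoke-side configuration that forces all LAN traffic through the hub without split tunneling and without breaking the GRE/IPsec peer; it is an added example, not posted by anyone in the thread. Interface names, the tunnel number, the crypto map name and the hub address 203.0.113.1 are placeholders, and the "ip route ... dhcp" form assumes an IOS release that supports resolving a static route to the DHCP-learned gateway.

```cisco
! Constructed example; 203.0.113.1 stands in for the hub's public peer address.
interface Ethernet1
 description Outside - address and ISP default gateway learned via DHCP
 ip address dhcp
 crypto map HUB-VPN
!
interface Tunnel1
 description GRE to hub
 ip address 10.255.0.2 255.255.255.252
 tunnel source Ethernet1
 tunnel destination 203.0.113.1
 ! keepalives take the tunnel line-protocol down when the hub stops answering,
 ! which withdraws the static default route below
 keepalive 10 3
!
! Only the GRE/crypto peer itself may leave via the ISP. The "dhcp" keyword
! resolves the next hop to the gateway received in the DHCP lease (assumed to
! be supported on this IOS). Because the tunnel destination is reachable via
! this host route and not via the tunnel, the default route below is not
! recursive.
ip route 203.0.113.1 255.255.255.255 dhcp
!
! AD 1 beats the DHCP-installed default route (AD 254), so every other
! destination, Internet included, is forwarded to the hub through the tunnel.
ip route 0.0.0.0 0.0.0.0 Tunnel1
!
! Floating default: if Tunnel1 goes down, AD 250 still beats the DHCP default
! (254), so traffic is black-holed rather than leaking straight to the Internet.
ip route 0.0.0.0 0.0.0.0 Null0 250
```

Check the result with show ip route: the 0.0.0.0/0 entry should be via Tunnel1 and 203.0.113.1/32 should be the only prefix pointing at the ISP gateway.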
