Forcing no split-tunnel in remote site IPSec/GRE VPN connection

andrew-kearton
Level 1

We have a number of remote sites connecting to headends via IPSec encrypted GRE tunnels over the public internet.

Our current configuration works, but we would like to see if there is a better way of handling the no-split tunnel rule.

At the headend site, we have static routes on the VPN Headend router for each of the remote VPN site routers, via the public interface next hop (Outer VPN FW). The default route on the VPN headend router is via the private interface next hop (Inner VPN FW).

At the remote site, we have a static route to the VPN headend router public interface via the remote VPN router public interface next hop (ISP gateway).  The default route on the remote VPN router is via the GRE tunnel interface next hop.

This works OK, but requires static IP addressing on the Remote VPN router (which is not always possible). We'd also like to move towards dynamic routing to allow for automatic failover between headends.

I know on the ASA AnyConnect product there is the option of having two default routes (with interface specified) and the "tunneled" command to direct tunneled traffic out that default route, but I'm not aware of anything in IOS to achieve that.

Appreciate any suggestions you have!
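As an added illustration (not configuration from the original post), this is how the remote-site design described above looks on an IOS router: the headend's public address is the only destination routed via the ISP gateway, and the default route points into the GRE/IPsec tunnel, so no traffic can bypass the headend. Addresses are constructed from the RFC 5737 documentation ranges, interface names and the pre-shared key are placeholders.

```cisco
! Remote VPN router (constructed example; not from the original post)
! Assumed values: headend public IP 203.0.113.10, ISP gateway 198.51.100.1,
!                 remote router public IP 198.51.100.20, tunnel /30 10.255.0.0/30
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PRE-SHARED-KEY-PLACEHOLDER address 203.0.113.10
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-GRE
 set transform-set TS-AES256
!
interface GigabitEthernet0/0
 description Public / ISP-facing interface
 ip address 198.51.100.20 255.255.255.0
!
interface Tunnel0
 description GRE over IPsec to headend
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-GRE
!
! Host route: only the headend's public address is reachable directly via the ISP.
ip route 203.0.113.10 255.255.255.255 198.51.100.1
! Default route into the tunnel: all other traffic, internet-bound included,
! is carried to the headend (no split tunnel).
ip route 0.0.0.0 0.0.0.0 10.255.0.1
```

The /32 to the headend is what keeps the design stable: if it is missing, the tunnel destination resolves through Tunnel0 itself and IOS disables the tunnel with a %TUN-5-RECURDOWN recursive-routing message, which is also a useful thing to watch for in syslog.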

1 Reply

Leonardo Gama
Level 1

Hi Andrew,

A good option is the DMVPN solution, along with BGP inside the tunnels in order to have dynamic routing with failover.

Cheers.