IOS to IOS vpn + policy based routing

acomiskey (Level 10)

I am looking at the following scenario.

2811

7204

2811 has a point-to-point T1 connection to the 7204. Right now all traffic between the 2 networks uses this serial link. Both routers also have an Ethernet WAN link. I am trying to create a VPN between the 2 routers using the WAN interfaces, but only want specific traffic to flow over the VPN. All other traffic will still use the serial connection.

I tried this last night using policy based routing at the 2811 end. The 2811 default gateway is the 7204 serial interface. I then directed any traffic destined for 172.24.157.225 and 172.24.157.226 out int fa0/1. This would not work; the only way I got traffic to flow over the VPN was to change the default gateway to the upstream neighbor on fa0/1. Is what I am trying to do possible?

2811:

interface FastEthernet0/0
 description Inside Network
 ip address 172.24.154.1 255.255.254.0
 ip policy route-map vpn_map
 duplex auto
 speed auto
!
interface Serial0/1/0
 ip address 192.168.10.30 255.255.255.252
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address 98.x.x.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 192.168.10.29
ip local policy route-map vpn_map
!
access-list 120 permit ip any host 172.24.157.225
access-list 120 permit ip any host 172.24.157.226
!
route-map vpn_map permit 20
 match ip address 120
 set ip next-hop 98.x.x.1


OK, here goes.

ip route 172.24.157.226 255.255.255.255 98.x.x.1

Phil_Rtr#show ip route | inc 157
D    172.24.157.0/24 [90/2172416] via 192.168.10.29, 12:59:38, Serial0/1/0
S    172.24.157.226/32 [1/0] via 98.x.x.1

Now if I ping from 172.25.154.1 to 172.24.157.226 the vpn comes up.

Hmmm, that seems a bit weird.

Have you got this working now, or are there still things to sort out?

Edit - sorry, I was a bit quick. This post applies to your comment on the crypto map placement, not the VPN coming up.

Perhaps IM would be a good idea after all :-)

Jon

I thought it was sorted out... now I'm trying the ping again and it is not working. I swear it was working 2 minutes ago.

Adam

Can you post the config you are working with on the 2800 at the moment?

Are you trying PBR, or are you relying on the static routes?

Can you also post the output of a "sh ip route" from the 2800.

I really think the crypto map should be placed on the fa0/1 interface, assuming I have understood your topology correctly.

Jon

Jon, the crypto is applied to fa0/1. I must have misposted before. I am not using pbr right now, just the static. I'll get you the whole config shortly. Thanks.

2800 config and show ip route attached.

Adam

There is no route to the peer address 66.x.x.1xx, so the router does not know how to get there. That would also explain why, when you tried to add a static route with that as the next-hop, the router wouldn't add it.

Do you know where the 66.x.x.1xx peer is in relation to the next-hop IP of 98.x.x.1?

Jon
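To make Jon's diagnosis checkable rather than a matter of eyeballing the table, here is an added Python example (written for this thread; it is not Cisco code or anything posted by Adam or Jon). It parses a constructed "show ip route" table modelled on the 2811's routes above, resolves the egress interface the way IOS recursive lookup does, and reports whether the IKE peer and the two hosts in access-list 120 actually leave via the interface that carries the crypto map. The public addresses are placeholders (98.0.0.0/24 standing in for 98.x.x.x, 66.0.0.100 for 66.x.x.1xx), and the route list, function names and interface name are my own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the "show ip route" lines in the thread.
# 98.0.0.0/24 and 66.0.0.100 are placeholders for the masked public addresses.
SHOW_IP_ROUTE_BEFORE = """\
S*   0.0.0.0/0 [1/0] via 192.168.10.29
C    172.24.154.0/23 is directly connected, FastEthernet0/0
D    172.24.157.0/24 [90/2172416] via 192.168.10.29, 12:59:38, Serial0/1/0
S    172.24.157.226/32 [1/0] via 98.0.0.1
C    98.0.0.0/24 is directly connected, FastEthernet0/1
C    192.168.10.28/30 is directly connected, Serial0/1/0
"""

# The same table after the fix applied later in the thread: a host route to
# the VPN peer pointing at the fa0/1 next hop.
SHOW_IP_ROUTE_AFTER = SHOW_IP_ROUTE_BEFORE + "S    66.0.0.100/32 [1/0] via 98.0.0.1\n"

VPN_PEER = "66.0.0.100"                 # placeholder for 66.x.x.1xx
CRYPTO_MAP_INTERFACE = "FastEthernet0/1"  # where "crypto map mymap" is applied
INTERESTING_HOSTS = ["172.24.157.225", "172.24.157.226"]  # access-list 120


@dataclass
class Route:
    network: ipaddress.IPv4Network
    nexthop: Optional[str]
    interface: Optional[str]


PREFIX_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+)")
NEXTHOP_RE = re.compile(r"via (\d+\.\d+\.\d+\.\d+)")
INTF_RE = re.compile(r"((?:Fast|Gigabit)?Ethernet\S+|Serial\S+|Tunnel\S+|Loopback\S+)\s*$")


def parse_show_ip_route(text: str) -> List[Route]:
    """Turn 'show ip route' lines into Route records (prefix, next hop, interface)."""
    routes = []
    for line in text.splitlines():
        m = PREFIX_RE.search(line)
        if not m:
            continue
        nh = NEXTHOP_RE.search(line)
        intf = INTF_RE.search(line)
        routes.append(Route(ipaddress.ip_network(m.group(1)),
                            nh.group(1) if nh else None,
                            intf.group(1) if intf else None))
    return routes


def longest_match(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the forwarding lookup does."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen) if candidates else None


def egress(routes: List[Route], dst: str, _depth: int = 0) -> Optional[Tuple[str, Optional[str]]]:
    """Return (interface, next_hop) the router would use for dst, resolving a
    static route's next hop recursively like IOS; None when dst is unroutable."""
    if _depth > 8:  # guard against a recursive-route loop
        return None
    r = longest_match(routes, dst)
    if r is None:
        return None
    if r.interface is not None:
        return r.interface, r.nexthop
    if r.nexthop is None:
        return None
    hop = egress(routes, r.nexthop, _depth + 1)
    return (hop[0], r.nexthop) if hop else None


def check_crypto_path(routes: List[Route], peer: str, crypto_intf: str,
                      interesting: List[str]) -> dict:
    """Check the two things the thread tripped over: the IKE peer must egress
    the interface carrying the crypto map, and so must every destination the
    crypto ACL is meant to protect (otherwise that traffic follows the serial
    default route in the clear and never touches the crypto map)."""
    peer_path = egress(routes, peer)
    return {
        "peer_interface": peer_path[0] if peer_path else None,
        "peer_ok": bool(peer_path) and peer_path[0] == crypto_intf,
        "unprotected": [d for d in interesting
                        if (egress(routes, d) or (None,))[0] != crypto_intf],
    }


if __name__ == "__main__":
    for label, table in (("before", SHOW_IP_ROUTE_BEFORE), ("after", SHOW_IP_ROUTE_AFTER)):
        report = check_crypto_path(parse_show_ip_route(table), VPN_PEER,
                                   CRYPTO_MAP_INTERFACE, INTERESTING_HOSTS)
        print(label, report)
```

Run against the "before" table the peer resolves through the default route to Serial0/1/0, which is the symptom Jon spotted; the "after" table (with the host route to the peer) puts the peer on fa0/1. In both tables 172.24.157.225 still egresses the serial link, because only .226 got a host route, so with static routes instead of PBR each host in access-list 120 needs its own route toward 98.x.x.1.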

Bingo! Weird, because the phase looked like it was actually coming up.

I added...

ip route 66.x.x.1xx 255.255.255.255 98.x.x.1

and it's working. Many thanks!

Adam

Glad we got there in the end!

You would probably be able to revert back to PBR if you wanted, but maybe, if it's working...

Many thanks for the ratings.

Jon