PBR and VTI IPSEC

Hi, we are trying to configure PBR with a VTI as the next-hop interface or IP address, but with no luck.

We see that the traffic is matching the PBR and the ACL, and indeed the traffic is returned according to the statistics of show crypto ipsec sa peer x.x.x.x, but we do not get the host response (ping test).

According to this Nexus document it is not supported:

Configuring Policy Based Routing (cisco.com)

This is the actual config:


ip dhcp pool CLIENT_21
host 192.168.3.21 255.255.255.0
hardware-address f832.e4bd.f22a
!
!
!
ip access-list extended LAN-TO-LAN2
permit ip host 192.168.3.21 192.168.10.0 0.0.0.255
deny ip any any
!
route-map PERIFERIA-RM permit 1
match ip address LAN-TO-LAN2
set interface Tunnel10
!
interface Vlan1
ip policy route-map PERIFERIA-RM
!
7 Replies

balaji.bandi
Hall of Fame

What is the device you are using to configure?

What is the configuration of vlan 1?

Can you post show run interface vlan1 and show ip route?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi, thanks for the reply.

What is the device you are using to configure?

Cisco C881-K9 - IOS 15.4(1r)T2 with advsecurity

What is the configuration of vlan 1?

IOSFW1#show running-config interface vlan 1
Building configuration...

Current configuration : 228 bytes
!
interface Vlan1
description INSIDE
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast source reachable-via rx
zone-member security INSIDE
ip policy route-map PERIFERIA-RM
end

 

IOSFW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Dialer111
169.254.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 169.254.255.0/30 is directly connected, Tunnel10
L 169.254.255.2/32 is directly connected, Tunnel10
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.1.0/24 is directly connected, Loopback0
L 172.17.1.1/32 is directly connected, Loopback0
181.128.0.0/32 is subnetted, 1 subnets
C 181.128.88.95 is directly connected, Dialer111
190.248.0.0/32 is subnetted, 1 subnets
C 190.248.0.245 is directly connected, Dialer111
192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.3.0/24 is directly connected, Vlan1
L 192.168.3.1/32 is directly connected, Vlan1

 

IOSFW1#show route-map
route-map PERIFERIA-RM, permit, sequence 1
Match clauses:
ip address (access-lists): LAN-TO-PERIFERIA
Set clauses:
interface Tunnel10
Policy routing matches: 118 packets, 10250 bytes
IOSFW1#show access-list LAN-TO-PERIFERIA
Extended IP access list LAN-TO-PERIFERIA
10 permit ip host 192.168.3.21 172.168.10.0 0.0.0.255 (118 matches)
20 deny ip any any log (295094 matches)
Hello,

 

I was just about to ask you for the full running configuration, as there is a Zone Based Firewall involved, which can complicate matters, but I see that the issue has been resolved. Just out of curiosity, how did you resolve this?

The problem was the command ip verify configured on the Tunnel 10 interface:

IOSFW1#show running-config interface tunnel 10
Building configuration...

Current configuration : 327 bytes
!
interface Tunnel10
description VPN1
ip address 169.254.255.2 255.255.255.252
ip nat inside
ip virtual-reassembly in
ip verify unicast source reachable-via rx
zone-member security VPN
tunnel source Dialer111
tunnel mode ipsec ipv4
tunnel destination X.X.X.X
tunnel protection ipsec profile VPN1-PROFILE
end

Hi, thanks.

The problem was the command ip verify configured on the Tunnel 10 interface.

Hello,

 

Great, thanks for sharing the solution!

Hello
That's strict unicast Reverse Path Forwarding (uRPF). What the rtr does when that's applied is check its own routing table against the source address of the packet it has just received, and if it finds a match but the interface for that packet's source address is different from the interface it was received on, then the rtr will drop that packet.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
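The uRPF decision Paul describes, worked through against the routing table from the thread, as an added example (not from the thread or from Cisco): it goes a little beyond the post by also showing the loose-mode (`any`) and `allow-default` variants and what strict mode on the tunnel still protects against (a packet arriving on Tunnel10 with a spoofed inside source is dropped). The remote host address 172.168.10.5 is a constructed value from the ACL's range.

```python
import ipaddress

# Routing table transcribed from the thread's "show ip route" (connected and
# default routes only). Note there is NO route for the remote LAN behind
# Tunnel10, which is why the poster needed PBR in the first place.
ROUTES = [
    ("0.0.0.0/0",        "Dialer111"),
    ("169.254.255.0/30", "Tunnel10"),
    ("172.17.1.0/24",    "Loopback0"),
    ("192.168.3.0/24",   "Vlan1"),
]


def lookup(src, allow_default=False):
    """Longest-prefix match for src; the default route only counts when
    allow_default is set (IOS 'allow-default' keyword). Returns (net, iface)."""
    src = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_pass(src, in_iface, mode="rx", allow_default=False):
    """mode 'rx' = strict: the route to src must point out the ingress
    interface. mode 'any' = loose: any route to src suffices."""
    route = lookup(src, allow_default)
    if route is None:          # no usable route to the source at all
        return False
    return mode == "any" or route[1] == in_iface


def thread_case(mode="rx", allow_default=False):
    """The failing flow from the thread: the reply from the remote host
    (constructed address 172.168.10.5) arrives on Tunnel10."""
    return urpf_pass("172.168.10.5", "Tunnel10", mode, allow_default)


if __name__ == "__main__":
    print("strict, no default  :", thread_case())              # dropped
    print("strict, allow-default:", thread_case("rx", True))   # dropped (default points to Dialer111)
    print("loose,  allow-default:", thread_case("any", True))  # passes
    print("spoofed 192.168.3.21 on Tunnel10:", urpf_pass("192.168.3.21", "Tunnel10"))  # dropped
```

Strict mode fails on Tunnel10 because the only route that could ever match the remote LAN is the default via Dialer111; with the interface-level check removed, the same spoof-detection shown in the last line is lost on that interface.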