Hello,

Currently, my company has the need to support a legacy PSK authenticated DMVPN tunnel and a new PKI authenticated DMVPN tunnel.  Ideally, both tunnels will terminate on the same Cisco 2951 router.  Since the router is a termination point for the VPN spokes, I would need 2 "default routes".  The source IP addresses of the spokes will be dynamic (personal grade ISP connections).

Both interfaces (and underlying tunnel interfaces) work when I switch the default route from one conncted interface, to the other.

Is it possible to use PBR to force traffic that entered on one interface to exit only on that same interface?

=======================================================================================

Example:

All spoke configs have ISAKMP/IPSec settings to terminate PSK tunnel on 1.1.1.1 and terminate PKI tunnel on 2.2.2.2

1.1.1.1 - NAT'd to 172.25.0.25 by ASA

2.2.2.2 - NAT'd to 172.25.25.20 by ASA

interface Port-channel1.172

description ** PSK Interface **

encapsulation dot1Q 172

ip address 172.25.0.25 255.255.255.0

interface Port-channel1.225

description ** PKI Interface **

encapsulation dot1Q 225

ip address 172.25.25.20 255.255.255.0

Below, only one route is entered at a time.  Interface and underlying tunnel work depending on which default route is added.

ip route 0.0.0.0 0.0.0.0 172.25.0.1  <==== When configured, only the PSK interface accepts VPN tunnel connections

(ip route 0.0.0.0 0.0.0.0 172.25.25.1)  <==== When configured, only the PKI interface accepts VPN tunnel connections

=========================================================================================

- Ideally, all traffic that ingressed on Po1.172 and was destined for an unknown IP (0.0.0.0 0.0.0.0) would forcefully have it's next hop set to 172.25.0.1

- Then, all traffic that ingressed on Po1.225 and was destined for an unknown IP would forcefully have it's next hop set to 172.25.25.1

Is this possible with PBR?