08-13-2018 01:33 PM - edited 03-05-2019 10:51 AM
Hello Experts - This is a conceptual question. Can you please help me clarify this?
Two sites are connected using an Internet/MPLS link. I have an IPsec VPN configured between the sites. In the interesting-traffic ACL I configured the longest prefix (202.51.8.0/24) of the destination. So, when the router gets traffic destined to the other site, it uses the interesting-traffic ACL and routes it over the IPsec VPN tunnel.
If I configure more specific static routes (e.g. 202.51.8.50, 202.51.8.60) with the next hop as my Internet/MPLS ISP router, how will the router behave in the routing decision for traffic destined to 202.51.8.50 / 202.51.8.60? Will it prefer the IPsec path or the direct Internet/MPLS gateway path?
Thanks
Sairam
08-13-2018 01:58 PM
The specific static route comes first.
BB
08-14-2018 01:32 AM
Hi
Routing is applied before crypto and encryption:
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html#topic1
So the more specific route is preferred over the IPsec one.
Regards
08-14-2018 05:02 AM
The interesting-traffic ACL is not a route; it just tells the router which traffic to send via the IPsec tunnel.
So if the static route's next hop is reached via the interface where you have applied the crypto map, it will use IPsec; if not, it won't.
Jon
08-14-2018 09:52 AM
Jon makes a good point that routing and IPSEC are different things. Routing is about how to forward packets and can use either connected routes, static routes, or dynamic routes to identify the outbound interface and the next hop. IPSEC is for encrypting traffic between peers and does not really have anything to do with what is the outbound interface or what is the next hop.
Obviously the router had some routing logic in place to forward traffic to the peer router. Perhaps it was a default route, or perhaps a static route for the remote subnet, or perhaps a dynamic route. Then the host specific static routes were added. It is not clear whether the new host specific static routes use the same outbound interface and next hop, but it is logical to assume that they did use the same outbound interface and next hop and in that case adding the host specific routes does not cause any change in behavior for the router.
Traditional IPSEC works by having a crypto map assigned to the outbound interface. And the reference in the original post about ACL to identify traffic for IPSEC indicates that this is the approach on this router. Any IP packet going out this interface is evaluated by the ACL. If the packet is permitted by the ACL then this packet is encrypted and sent to the peer. It does not matter what routing logic was used to send the packet through that interface. It could have been a default route, it could have been a route to the remote subnet, or it could have been a host specific static route. The routing logic does not matter, and what does matter is whether the ACL has permitted the packet. So adding the host specific static routes will not change the behavior of IPSEC.
HTH
Rick
08-15-2018 02:37 AM
Yes, you're right:
- routing and the IPsec crypto map are different processes
- the crypto map does not care about routing when a packet needs to be encrypted
- if the next hop of a route matches a crypto map, the traffic for that prefix will be included in IPsec
So if the question is about an IPsec crypto map, then you're right, a more precise route won't change the behavior.
But if the question is about an IPsec VTI interface, then I disagree, because it will just be a routing case between two interfaces and the more specific route will be preferred.
Regards
08-15-2018 03:35 AM
Good point about VTI, I have only ever used crypto maps so did not think of that.
Jon
08-15-2018 06:34 AM
In my previous response I did think about VTI. And I believe that it does not apply in this case. The original post very clearly talks about an ACL for interesting traffic. VTI does not have any ACL for interesting traffic and traditional IPSEC does have an ACL. So I am pretty comfortable believing that we are talking about traditional IPSEC in this discussion. In a more broad discussion about behavior of encrypted traffic it is certainly appropriate to compare behaviors of traditional IPSEC and VTI and to observe that a more specific static route might point at a different exit interface and next hop than the route for the /24 and therefore might cause the traffic to not be encrypted.
HTH
Rick
08-16-2018 11:46 AM
Thank you everybody for sharing your expert thoughts. To add more details, here is the configuration and a brief topology diagram.
Question: Will traffic to destination 209.100.1.3 be routed inside the IPsec VPN tunnel, or will it egress on interface Gig 0/0 without IPsec? Will there be reachability between 103.1.1.0/24 and 209.100.1.3?
For brevity I show here only the relevant lines of the configuration.
ROUTER 2
!
crypto map SECURED 100 ipsec-isakmp
 description ## IPSEC to Router-1 ##
 set peer 202.0.11.1
 match address INTERESTING-TRAFFIC
!
ip access-list extended INTERESTING-TRAFFIC
 10 permit ip 103.1.1.0 0.0.0.255 209.100.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 description ## Connected to Internet ##
 ip address 69.23.49.1 255.255.255.0
 crypto map SECURED
!
ip route 209.100.1.3 255.255.255.255 69.23.49.2
08-30-2018 10:18 AM
Sorry for the delayed response - I have been tied up with some other things. Based on the diagram and the partial config that you posted the answer is that the specific route for 209.100.1.3 does not change how the packet would be processed. The specific route sends the packet out interface Gig0/0 which has the crypto map. The crypto map would evaluate the packet and determine that it did match the access list and the result is that the packet would be encrypted and sent to the remote peer.
HTH
Rick
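The forwarding logic the replies above describe (longest-prefix route lookup first, then the crypto-map ACL check only on whatever egress interface the lookup picked, and the contrasting VTI case raised earlier in the thread) can be modelled in a few lines. The following is an added example, not code from any poster or from Cisco: the crypto map, ACL, interface and host route come from the ROUTER 2 config posted above, while the default route and the Tunnel0 VTI variant are assumptions added for contrast.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the behaviour discussed in the thread: the router first
# does a longest-prefix-match route lookup, and only then, if the egress
# interface carries a crypto map, checks the packet against that map's ACL.
# Addresses come from the ROUTER 2 config in the thread; the default route and
# the VTI variant (interface Tunnel0) are assumptions added for contrast.

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # "" for an interface-only route (e.g. a VTI)
    interface: str

@dataclass
class CryptoMap:
    name: str
    peer: str
    acl: list              # list of (source network, destination network) permits

def lookup(routes, dst):
    """Longest-prefix match. The crypto configuration plays no part here."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def acl_permits(acl, src, dst):
    """Interesting-traffic ACL: permit if any entry matches source and destination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)

def forward(routes, crypto_maps, vti_interfaces, src, dst):
    """Return (egress interface, where the packet goes, 'encrypted' or 'cleartext')."""
    route = lookup(routes, dst)
    if route is None:
        return (None, None, "dropped")
    if route.interface in vti_interfaces:
        # A VTI encrypts everything routed into it; there is no interesting-traffic ACL.
        return (route.interface, "tunnel", "encrypted")
    cm = crypto_maps.get(route.interface)
    if cm is not None and acl_permits(cm.acl, src, dst):
        # Crypto map on the egress interface and the ACL matches: encrypted to the peer.
        return (route.interface, cm.peer, "encrypted")
    # No crypto map on this interface, or the ACL did not match: sent in the clear.
    return (route.interface, route.next_hop, "cleartext")

N = ipaddress.ip_network
INTERESTING = [(N("103.1.1.0/24"), N("209.100.1.0/24"))]   # ACL INTERESTING-TRAFFIC, seq 10

def crypto_map_case():
    """ROUTER 2 as posted: crypto map SECURED on Gig0/0 plus the /32 for 209.100.1.3."""
    routes = [
        Route(N("0.0.0.0/0"), "69.23.49.2", "GigabitEthernet0/0"),       # assumed default route
        Route(N("209.100.1.3/32"), "69.23.49.2", "GigabitEthernet0/0"),  # the host route in question
    ]
    cmaps = {"GigabitEthernet0/0": CryptoMap("SECURED", "202.0.11.1", INTERESTING)}
    return forward(routes, cmaps, set(), "103.1.1.10", "209.100.1.3")

def vti_case():
    """Assumed VTI design: the /24 is routed via Tunnel0, but the /32 points at the ISP on Gig0/0."""
    routes = [
        Route(N("209.100.1.0/24"), "", "Tunnel0"),
        Route(N("209.100.1.3/32"), "69.23.49.2", "GigabitEthernet0/0"),
    ]
    return (forward(routes, {}, {"Tunnel0"}, "103.1.1.10", "209.100.1.3"),
            forward(routes, {}, {"Tunnel0"}, "103.1.1.10", "209.100.1.4"))

if __name__ == "__main__":
    print("crypto map:", crypto_map_case())
    print("VTI:", vti_case())
```

With the crypto map, the /32 wins the route lookup but still lands on Gig0/0, so the ACL matches and the packet is encrypted to 202.0.11.1, which is the accepted answer. With a VTI, the /32 pulls 209.100.1.3 away from Tunnel0 and onto the physical interface, so that one host is sent in the clear while 209.100.1.4 still goes through the tunnel; that is the case where a more specific route silently bypasses encryption.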
09-04-2018 12:44 PM
Thank you Rick. Much appreciated
09-04-2018 12:48 PM
Sairam
You are welcome. This has been an interesting discussion. I am glad that our responses have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions that have helpful information.
HTH
Rick