Routing decision IPSEC vs Static Route

snarayanaraju (Level 4)

Hello Experts - This is a conceptual question. Can you please help me clarify it?

 

Two sites are connected using Internet/MPLS link. I have IPSEC VPN configured between the sites. In the interesting traffic ACL I configured Longest prefix (202.51.8.0/24) of the destination.  So, when the Router gets the traffic destined to the other site, it uses Interesting traffic ACL and routes over IPSEC VPN Tunnel.

 

If I configure more specific static routes (e.g. 202.51.8.50, 202.51.8.60) with the next hop as my Internet/MPLS ISP router, how will the router behave in its routing decision for traffic destined to 202.51.8.50 / 202.51.8.60? Will it prefer the IPSEC path or the direct Internet/MPLS gateway path?

 

Thanks

Sairam 

 


11 Replies

balaji.bandi (Hall of Fame)

First is the specific static route.

 

BB


Jerome BERTHIER (Level 1)

Hi

 

Routing is applied before crypto and encryption:

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html#topic1

 

So the more specific route is preferred over the IPSEC one.

 

Regards

Jon Marshall (Hall of Fame)

 

The interesting traffic acl is not a route, it just tells the router which traffic to send via the IPSEC tunnel. 

 

So if the static route next hop is reached via the interface where you have applied the crypto map, it will use IPSEC; if not, it won't.

 

Jon

Jon makes a good point that routing and IPSEC are different things. Routing is about how to forward packets and can use either connected routes, static routes, or dynamic routes to identify the outbound interface and the next hop. IPSEC is for encrypting traffic between peers and does not really have anything to do with what is the outbound interface or what is the next hop.

 

Obviously the router had some routing logic in place to forward traffic to the peer router. Perhaps it was a default route, or perhaps a static route for the remote subnet, or perhaps a dynamic route. Then the host specific static routes were added. It is not clear whether the new host specific static routes use the same outbound interface and next hop, but it is logical to assume that they did use the same outbound interface and next hop and in that case adding the host specific routes does not cause any change in behavior for the router.

 

Traditional IPSEC works by having a crypto map assigned to the outbound interface. And the reference in the original post about ACL to identify traffic for IPSEC indicates that this is the approach on this router. Any IP packet going out this interface is evaluated by the ACL. If the packet is permitted by the ACL then this packet is encrypted and sent to the peer. It does not matter what routing logic was used to send the packet through that interface. It could have been a default route, it could have been a route to the remote subnet, or it could have been a host specific static route. The routing logic does not matter, and what does matter is whether the ACL has permitted the packet. So adding the host specific static routes will not change the behavior of IPSEC.

 

HTH

 

Rick

Yes, you're right:
- routing and the IPSEC crypto map are different processes
- the crypto map does not care about routing when a packet needs to be encrypted
- if the next hop of a route is reached via an interface with a crypto map, the traffic for this prefix will be included in IPSEC

So if the question is about an IPSEC crypto map, then you're right: a more precise route won't change the behavior.
But if the question is about an IPSEC VTI interface, then I disagree, because it is just a routing case between two interfaces and the more specific route will be preferred.

Regards

 

Good point about VTI, I have only ever used crypto maps so did not think of that. 

 

Jon

In my previous response I did think about VTI. And I believe that it does not apply in this case. The original post very clearly talks about an ACL for interesting traffic. VTI does not have any ACL for interesting traffic and traditional IPSEC does have an ACL. So I am pretty comfortable believing that we are talking about traditional IPSEC in this discussion. In a more broad discussion about behavior of encrypted traffic it is certainly appropriate to compare behaviors of traditional IPSEC and VTI and to observe that a more specific static route might point at a different exit interface and next hop than the route for the /24 and therefore might cause the traffic to not be encrypted.

 

HTH

 

Rick


Thank you everybody for sharing your expert thoughts. To add more details, here is the configuration and a brief topology diagram.

 

Question: Will traffic to destination 209.100.1.3 be routed inside the IPSEC VPN tunnel, or will it egress on interface Gig 0/0 without IPSEC? Will there be reachability between 103.1.1.0/24 and 209.100.1.3?

 

For brevity I show here only the relevant lines of the configuration.

 

ROUTER 2

crypto map SECURED 100 ipsec-isakmp
 description ## IPSEC to Router-1 ##
 set peer 202.0.11.1
 match address INTERESTING-TRAFFIC

Extended IP access list INTERESTING-TRAFFIC
    10 permit ip 103.1.1.0 0.0.0.255 209.100.1.0 0.0.0.255

interface Gig 0/0
 description ##Connected to Internet##
 ip address 69.23.49.1 255.255.255.0
 crypto map SECURED

ip route 209.100.1.3 255.255.255.255 69.23.49.2

Sorry for the delayed response - I have been tied up with some other things. Based on the diagram and the partial config that you posted the answer is that the specific route for 209.100.1.3 does not change how the packet would be processed. The specific route sends the packet out interface Gig0/0 which has the crypto map. The crypto map would evaluate the packet and determine that it did match the access list and the result is that the packet would be encrypted and sent to the remote peer.

 

HTH

 

Rick

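The processing order the thread settles on (longest-prefix routing picks the egress interface first, then the crypto map bound to that interface decides whether to encrypt) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from Cisco; the prefixes, ACL and next hop are taken from the Router 2 snippet above, while the second uplink "Gig0/1", its next hop 192.0.2.1, the VTI "Tunnel0" and the default route are constructed assumptions used to show the two caveats raised in the replies (a /32 exiting an interface with no crypto map, and the VTI case where the tunnel is itself a routed interface).

```python
import ipaddress

# Routing table entries: (prefix, next hop, egress interface).
# Modelled on the posted Router 2 config; the default route is an assumption.
ROUTES_CRYPTO_MAP = [
    ("0.0.0.0/0", "69.23.49.2", "Gig0/0"),        # assumed default route
    ("209.100.1.3/32", "69.23.49.2", "Gig0/0"),   # host route from the post
]

# Crypto map ACL per interface: (source net, destination net, peer),
# i.e. ACL INTERESTING-TRAFFIC under crypto map SECURED on Gig0/0.
CRYPTO_MAPS = {
    "Gig0/0": [("103.1.1.0/24", "209.100.1.0/24", "202.0.11.1")],
}

# VTI model (assumption): whatever is routed out a tunnel interface is encrypted.
VTI_INTERFACES = {"Tunnel0"}


def longest_prefix_match(dst, routes):
    """Return (network, next_hop, interface) for the most specific matching route, or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, interface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, interface)
    return best


def crypto_map_peer(src, dst, interface, crypto_maps):
    """Evaluate the crypto map ACL bound to the egress interface; return the peer or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, peer in crypto_maps.get(interface, []):
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return peer
    return None


def forward(src, dst, routes, crypto_maps, vti_interfaces=frozenset()):
    """Routing first, crypto second. Returns (egress interface, encrypted?)."""
    route = longest_prefix_match(dst, routes)
    if route is None:
        return (None, False)
    _net, _next_hop, interface = route
    if interface in vti_interfaces:
        return (interface, True)  # VTI: choosing the route is choosing encryption
    return (interface, crypto_map_peer(src, dst, interface, crypto_maps) is not None)


def scenario_accepted_answer():
    """The posted case: the /32 exits Gig0/0, which carries the crypto map, so it is still encrypted."""
    return forward("103.1.1.10", "209.100.1.3", ROUTES_CRYPTO_MAP, CRYPTO_MAPS)


def scenario_other_interface():
    """Caveat: a /32 pointing out an interface without the crypto map leaves in cleartext."""
    routes = [
        ("0.0.0.0/0", "69.23.49.2", "Gig0/0"),
        ("209.100.1.3/32", "192.0.2.1", "Gig0/1"),  # constructed second uplink
    ]
    return forward("103.1.1.10", "209.100.1.3", routes, CRYPTO_MAPS)


def scenario_vti():
    """VTI: the /24 points into Tunnel0, the /32 out Gig0/0; the /32 simply wins."""
    routes = [
        ("209.100.1.0/24", "0.0.0.0", "Tunnel0"),
        ("209.100.1.3/32", "69.23.49.2", "Gig0/0"),
    ]
    return (
        forward("103.1.1.10", "209.100.1.5", routes, {}, VTI_INTERFACES),
        forward("103.1.1.10", "209.100.1.3", routes, {}, VTI_INTERFACES),
    )


if __name__ == "__main__":
    print("crypto map, /32 via Gig0/0:", scenario_accepted_answer())
    print("crypto map, /32 via Gig0/1:", scenario_other_interface())
    print("VTI, /24 via Tunnel0 and /32 via Gig0/0:", scenario_vti())
```

The first scenario reproduces Rick's conclusion (routing sends the packet out Gig0/0, the ACL permits it, it is encrypted). The second shows why the conclusion depends on the egress interface rather than on the prefix length, and the third shows Jerome's VTI point, where there is no interesting-traffic ACL and the more specific route bypasses the tunnel outright.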

Thank you Rick. Much appreciated 

Sairam 

 

You are welcome. This has been an interesting discussion. I am glad that our responses have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions that have helpful information.

 

HTH

 

Rick
