04-08-2014 03:47 AM - edited 03-04-2019 10:45 PM
I have configured a 1921 with 2 Dialer interfaces, Dialer1 (SDSL) and Dialer3 (ADSL).
The default route is via Dialer3; LAN-to-LAN IPsec and remote users have to connect through Dialer1.
The problem is that I have to add a static route to Dialer1 for the remote subnet of each LAN-to-LAN IPsec tunnel, and a route to the remote WAN IP for remote access.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes
 authentication pre-share
!
crypto isakmp policy 4
 encr 3des
 authentication pre-share
 lifetime 28800
crypto isakmp key REMOVED address Remote1
crypto isakmp key REMOVED address Remote2
crypto isakmp key REMOVED address Remote3
crypto isakmp key REMOVED address Remote4
crypto isakmp key REMOVED address Remote5
!
crypto isakmp client configuration group MVPN
 key REMOVED
 dns 192.168.1.1
 wins 192.168.1.1
 domain domain.local
 pool ipvpnpool
 acl 105
crypto isakmp profile vpnclient
 match identity group MVPN
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
!
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set phase2Remote3 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set VPNClientSet esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set VPNClientSet
 set isakmp-profile vpnclient
 reverse-route
!
!
crypto map MyMap 1 ipsec-isakmp
 set peer REMOVED
 set security-association lifetime seconds 86400
 set transform-set MySet
 match address cryptoRemote1
crypto map MyMap 2 ipsec-isakmp
 set peer REMOVED
 set security-association lifetime seconds 86400
 set transform-set MySet
 match address cryptoRemote2
crypto map MyMap 3 ipsec-isakmp
 set peer REMOVED
 set security-association lifetime seconds 86400
 set transform-set phase2Remote3
 match address cryptoRemote3
crypto map MyMap 4 ipsec-isakmp
 set peer REMOVED
 set security-association lifetime seconds 86400
 set transform-set MySet
 match address cryptoRemote4
crypto map MyMap 5 ipsec-isakmp
 set peer REMOVED
 set security-association lifetime seconds 28800
 set transform-set MySet
 match address cryptoRemote5
crypto map MyMap 20 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0
 description Data VLAN
 ip address 192.168.1.252 255.255.255.0 secondary
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface GigabitEthernet0/1
 description Voice VLAN
 ip address 192.168.101.254 255.255.255.0
 ip tcp adjust-mss 1452
!
interface Dialer1
 description SDSL
 mtu 1492
 ip address WAN IP REMOVED
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username REMOVED
 no cdp enable
 crypto map MyMap
!
interface Dialer2
 description 2ndPVC
 mtu 1492
 ip unnumbered GigabitEthernet0/1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication pap callin
 ppp pap sent-username REMOVED
 no cdp enable
!
interface Dialer3
 description ADSL
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 3
 dialer-group 3
 ppp authentication pap callin
 ppp pap sent-username REMOVED
 no cdp enable
!
ip local pool ipvpnpool 172.16.1.1 172.16.1.50
ip local policy route-map pbrSDSL
!
ip nat inside source list natRules interface Dialer3 overload
ip nat inside source static tcp 192.168.1.1 1723 interface Dialer3 1723
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 0.0.0.0 0.0.0.0 Dialer1 252
ip route 10.0.5.0 255.255.255.0 Dialer1
ip route REMOTE IP MOBILE VPN USER 255.255.255.255 Dialer1
ip route 192.168.2.0 255.255.255.0 Dialer1
ip route 192.168.3.0 255.255.255.0 Dialer1
ip route 192.168.99.0 255.255.255.0 Dialer2
ip route 192.168.100.0 255.255.255.0 Dialer1
ip route 192.168.103.0 255.255.255.0 Dialer2
!
ip access-list extended cryptoRemote1
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended cryptoRemote2
 permit ip 192.168.1.0 0.0.0.255 10.0.5.0 0.0.0.255
ip access-list extended cryptoRemote3
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended cryptoRemote4
 permit ip 192.168.1.0 0.0.0.255 10.0.20.0 0.0.0.255
ip access-list extended cryptoRemote5
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended natRules
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.0.5.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended pbrSDSL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.0.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
access-list 105 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map pbrSDSL permit 10
 match ip address pbrSDSL
 set interface Dialer1
!
04-08-2014 06:46 AM
The problem is that I have to add a static route to Dialer1 for the remote subnet of each LAN-to-LAN IPsec tunnel, and a route to the remote WAN IP for remote access.
Not sure I understand what the exact problem is.
If your default route does not point out of the interface that your VPNs are on, then you will have to use routes to point via the right interface.
Why is that a problem?
Jon
04-08-2014 08:01 AM
For LAN-to-LAN it's not really a problem (although we never had to do this on the Cisco 800 series).
For the mobile VPN clients it is. Remote clients connect to Dialer1, but packets are sent out through Dialer3 if I don't specifically add ip route [REMOTE WAN IP MOBILE VPN USER] 255.255.255.255 Dialer1.
In the VPN client the Encrypting packet counter increments, but Decrypted stays at 0 without the ip route command.
04-08-2014 11:19 PM
So you want the VPN clients to use the interface that is not the one with the active default route, and of course the VPN client public IP could be anything, so adding host routes for each client simply isn't practical.
A possible solution may be to use PBR.
It looks from your configuration that your client VPNs use private addressing, so you could apply PBR to the LAN interface matching the source IPs and then setting the next-hop interface to be the correct one.
Your config does have PBR and it looks like this is what you may be trying to do, but you haven't applied it to the LAN interface, i.e. you have
"ip local policy route-map pbrSDSL"
but this only applies to traffic generated by the router itself, not traffic passing through it.
Is that what the PBR configuration is for?
Jon
04-08-2014 11:19 PM
Yes Jon, your assumption is correct.
All VPN traffic should go over Dialer1; the rest of the traffic should use Dialer3.
Is applying ip policy route-map pbrSDSL to interface GigabitEthernet0/0 all I need to do?
04-09-2014 03:33 AM
Is applying ip policy route-map pbrSDSL to interface GigabitEthernet0/0 all I need to do?
Yes, if your PBR ACL is just for VPN traffic then apply it to the interface and it should work.
Jon
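To make the distinction Jon draws concrete, here is an added Python model of how this router picks an egress interface; it is not part of the thread or of any Cisco tool. It applies the thread's static routes (longest-prefix match, then administrative distance) and applies route-map pbrSDSL only where it is configured, so you can see why "ip local policy" alone leaves LAN-to-client traffic on Dialer3 while "ip policy" on GigabitEthernet0/0 steers it to Dialer1. Interface names, routes and ACL entries come from the config above; the LAN host and VPN client pool addresses used in the calls are constructed.

```python
import ipaddress

# Static routes from the config above: (prefix, egress interface, admin distance).
# The redacted per-client host route is left out: it is the workaround the thread avoids.
STATIC_ROUTES = [
    ("0.0.0.0/0", "Dialer3", 1), ("0.0.0.0/0", "Dialer1", 252),
    ("10.0.5.0/24", "Dialer1", 1), ("192.168.2.0/24", "Dialer1", 1),
    ("192.168.3.0/24", "Dialer1", 1), ("192.168.99.0/24", "Dialer2", 1),
    ("192.168.100.0/24", "Dialer1", 1), ("192.168.103.0/24", "Dialer2", 1),
]
# Extended ACL pbrSDSL from the config: (src, src-wildcard, dst, dst-wildcard) permits.
PBR_ACL = [
    ("192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ("192.168.1.0", "0.0.0.255", "10.0.5.0", "0.0.0.255"),
    ("192.168.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),  # VPN client pool
    ("192.168.1.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),
]

def _wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(src, dst):
    """True if a permit entry of pbrSDSL matches; the implicit deny applies otherwise."""
    return any(_wildcard_match(src, s, sw) and _wildcard_match(dst, d, dw)
               for s, sw, d, dw in PBR_ACL)

def rib_lookup(dst):
    """Longest-prefix match; equal prefix lengths are decided by lower admin distance."""
    best = None
    for prefix, iface, ad in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.IPv4Address(dst) in net:
            key = (net.prefixlen, -ad)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1]

def egress(src, dst, ingress, policy_on):
    """Egress interface for a packet arriving on `ingress` ('local' = router-originated).
    `policy_on` is where route-map pbrSDSL is applied: {'local'} models the original
    'ip local policy' line; adding 'GigabitEthernet0/0' models 'ip policy' on the LAN."""
    if ingress in policy_on and acl_permits(src, dst):
        return "Dialer1"    # route-map pbrSDSL permit 10: set interface Dialer1
    return rib_lookup(dst)  # otherwise plain destination-based forwarding

if __name__ == "__main__":
    for applied in ({"local"}, {"local", "GigabitEthernet0/0"}):
        print(sorted(applied), egress("192.168.1.10", "172.16.1.5", "GigabitEthernet0/0", applied))
```

Traffic to the LAN-to-LAN subnets is unaffected either way because those have explicit static routes via Dialer1; only the client pool, which has no route of its own, depends on where the policy is applied.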