Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1053
Views
0
Helpful
2
Replies

Route router originated VPN traffic out of a different interface to the default route

paul_murphy
Level 1
Level 1

‎10-20-2013 11:05 PM

We have a Cisco IOS router with two DSL connections.  One of them is intended for general traffic (ADSL), the other for VPN links (BDSL) and various other traffic.

The default route is the ADSL link, and we have a combination of static routes for the VPN traffic, and policy routes for other traffic types that should go out the BDSL link.

For site to site traffic, this is fine, we just static route the public IPs and remote networks out of the BDSL line.

The policy based routing also works fine for any outgoing internal traffic that matches an ACL.

The problem is now that there are remote VPN sites originating from dynamic addresses, so we cannot use static routes.  The replies to incoming ISAKMP requests are following the default route out of the ADSL (despite there being no crypto map on that interface).

I want to route the outgoing VPN traffic out of the BDSL.  I have tried adding udp/500 and esp to and from any to the route-map acl that pushes traffic out of the BDSL line, but it doesn't match, presumably because the route-map happen earlier than the IPSec stuff.

Any ideas how I can do this?

Thanks,

Paul

IOS ver: 12.4.13T.

Labels:
0 Helpful
2 Replies 2

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-21-2013 01:33 AM

Paul,

You're running a bit older IOS, but this should still apply:

http://www.cisco.com/image/gif/paws/116278/116278-configure-pbr-00.pdf

It explains how PBR and local policy apply to IKE/IPsec.

M.

0 Helpful

paul_murphy
Level 1
Level 1
In response to Marcin Latosiewicz

‎10-21-2013 06:00 PM

Aah, thanks local policy was the bit I was missing.

I have it set up, but it doesn't quite work:

ip local policy route-map local-policy

route-map local-policy, permit, sequence 10
  Match clauses:
    ip address (access-lists): local-policy
  Set clauses:
    ip next-hop 139.130.72.105
  Policy routing matches: 128 packets, 0 bytes


#sh access-list local-policy
Extended IP access list local-policy

    20 permit esp any any
    30 permit ip any host 123.209.169.31 log (3 matches)
    40 permit udp any eq isakmp any eq isakmp log (172 matches)
    50 permit udp any any eq non500-isakmp

With the above setup, the VPN to 123.209.169.31 will establish.  IPSec looks good, packets encap and decap.  But packets from the head-end to the remote site do not get there.

If I add

    ip route  123.209.169.31 255.255.255.255  139.130.72.105

Then the packets are returned.  I have turned off cef just in case.  The  123.209.169.31 address is dynamic, just in the access-list for testing, and will be removed once I get this working.  But what can override the local policy route?  It is like the isakmp packets are respecting the policy route, but ESP is not.


  

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents