Integrating DMVPN with PBR and client-to-site VPN
08-03-2011 06:19 PM - edited 02-21-2020 05:29 PM
Hi All,
I have a DMVPN setup between multiple countries. Two of these countries are China and Hong Kong. Another reason for the DMVPN is to route Internet-bound traffic for the China users to Hong Kong. So, I used PBR to achieve that. The PBR is also used to selectively route some traffic out of China (certain banking sites need that). The next hurdle (and a new requirement) is that they need client-to-site VPN using Cisco VPN client using EZVPN. It seems that during my test, I am able to connect in but not able to ping anything internal, so I suspect that my PBR is routing my return traffic to Hong Kong and not out via that China router I am VPN'ing to.
I thought of redistributing the default route from Hong Kong to China. But how do I selectively pick certain destinations to surf out of that China router? (scratches my head)
Sent from Cisco Technical Support iPhone App

08-04-2011 04:25 AM
Desmond,
Are you using reverse route injection (RRI) or DVTI setup?
Normally when you connect to ezvpn (with RRI or DVTI) the router installs a /32 host route for return traffic.
If you're suspecting that the traffic is being routed incorrectly due to PBR you might need to exclude ezvpn users from PBR.
If you do want to apply particular rules later for ezvpn users, the best would be to use DVTI setup and apply PBR on the virtual-template interface.
BTW if I'm saying something odd, it's because I might not be having a full view of the problem, maybe a drawing could help? :-)
Marcin
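
The exclusion suggested in the reply above, sketched as an added IOS configuration example that is not part of either post: traffic destined to the EZVPN client pool is denied in the PBR match ACL, so it is forwarded by the routing table (where the /32 host route from RRI or DVTI applies) instead of being sent to Hong Kong. All names, interfaces and addresses are constructed placeholders, since the thread does not show the actual configuration.

```cisco
! Constructed example: every name and address below is a placeholder.
!   10.1.0.0/16       China LAN (assumed)
!   192.168.250.0/24  EZVPN client address pool (assumed)
!   172.16.0.1        Hong Kong hub's DMVPN tunnel address (assumed)
!
ip access-list extended PBR-VIA-HK
 remark Return traffic to EZVPN clients must not be policy-routed
 deny   ip any 192.168.250.0 0.0.0.255
 remark Remaining traffic sourced from the China LAN goes to Hong Kong
 permit ip 10.1.0.0 0.0.255.255 any
!
! A packet that hits the ACL deny does not match this clause; with no
! later clause matching it, the router forwards it using the routing table.
route-map CHINA-PBR permit 10
 match ip address PBR-VIA-HK
 set ip next-hop 172.16.0.1
!
interface GigabitEthernet0/1
 description China LAN (assumed to be where PBR is applied inbound)
 ip policy route-map CHINA-PBR
```

The match counters in `show route-map CHINA-PBR` indicate whether traffic is still being policy-routed after the change.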
