Integrating DMVPN with PBR and client-to-site VPN

desmond.liew
Level 1

Hi All,

I have a DMVPN setup between multiple countries. Two of these countries are China and Hong Kong. Another reason for the DMVPN is to route Internet bound traffic for the China users to Hong Kong. So, I used PBR to achieve that. The PBR is also used to selectively route some traffic out of China (certain banking sites need that). The next hurdle (and a new requirement) is that they need client-to-site VPN using Cisco VPN client using EZVPN. It seems that during my test, I am able to connect in but not able to ping anything internal so I suspect that my PBR is routing my return traffic to Hong Kong and not out via that China router I am VPN'ing to.

I thought of redistributing the default route from Hong Kong to China. But how do I selectively pick certain destinations to surf out of that China router? (scratches my head)


Marcin Latosiewicz
Cisco Employee

Desmond,

Are you using reverse route injection (RRI) or DVTI setup?

Normally when you connect to ezvpn (with RRI or DVTI) the router installs a /32 host route for return traffic.

If you're suspecting that the traffic is being routed incorrectly due to PBR you might need to exclude ezvpn users from PBR.

If you do want to apply particular rules later for ezvpn users, the best would be to use DVTI setup and apply PBR on the virtual-template interface.

BTW if I'm saying something odd, it's because I might not be having a full view of the problem, maybe a drawing could help? :-)

Marcin
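
One way to apply the exclusion suggested in the reply above, shown as an added IOS configuration sketch that is not part of the original thread or of either poster's setup. The ACL, route-map and interface names and every address in it are assumptions chosen for illustration.

```cisco
! Constructed example. Assumed values (none come from the thread):
!   10.10.0.0/16   China site LAN
!   10.99.0.0/24   address pool handed to EZVPN clients
!   172.16.0.1     Hong Kong router's DMVPN tunnel address
!   Gi0/1          China router's LAN-facing interface
!
! Before: the PBR ACL matches every packet sourced from the LAN, so
! replies to EZVPN clients are also policy-routed to Hong Kong and
! never use the /32 host route installed by RRI or DVTI.
!
!   ip access-list extended PBR-TO-HK
!    permit ip 10.10.0.0 0.0.255.255 any
!
! After: deny entries come first. A packet that hits a deny in the
! matched ACL is not policy-routed by this clause and falls back to
! the normal routing table, where the /32 host route wins.
no ip access-list extended PBR-TO-HK
ip access-list extended PBR-TO-HK
 remark Replies to EZVPN clients follow the routing table
 deny   ip any 10.99.0.0 0.0.0.255
 remark LAN-to-LAN traffic is left alone as well
 deny   ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 remark Remaining LAN traffic is sent to Hong Kong over the tunnel
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map CHINA-PBR permit 10
 match ip address PBR-TO-HK
 set ip next-hop 172.16.0.1
!
interface GigabitEthernet0/1
 description China LAN (assumed interface)
 ip policy route-map CHINA-PBR
!
! Checks once a client is connected (10.99.0.5 is a constructed address):
!   show ip route 10.99.0.5       expect the /32 host route
!   show access-lists PBR-TO-HK   deny counter rises on client pings
!   show route-map CHINA-PBR      policy-routing match counters
```

With DVTI, rules meant specifically for EZVPN users would go in a separate route-map applied on the virtual-template interface, as the reply describes, rather than in the LAN-facing policy above.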
