IPsec Ikev1 policy based VPN

umeshunited
Level 1

Hello,

My understanding of a policy-based VPN is that it uses an ACL rather than the routing table to check for interesting traffic.

I have attached a diagram and configuration.

Topology:

Host1 <--> R1 <--> ISP <--> R3 <--> Host2.

My question is: why do I need to have the Host2 route on R1 (in the form of a static or default route) to make it work?

If I remove the default route or the static route (for Host2) from R1, I won't be able to reach Host2 from Host1 through the tunnel.

3 Replies

Hi,
You would normally have a default route on the router pointing to the next hop for all traffic, so you would not need to define a static route just for the VPN traffic. As you don't have a default route, you require the specific static routes in order to route the "interesting traffic" to the outside interface, at which point it will be encrypted and routed over the tunnel.

FYI, Cisco considers this type of VPN (policy-based/crypto map) legacy and recommends using a route-based VPN such as FlexVPN or DMVPN.

HTH

Thanks RJI,

I believe that on a router, routing is checked first, before IPsec is applied. It was failing at the route lookup: as there was no route to the destination, the packet was dropped there.

Please correct me if I am wrong.

Without a route, the packet would not be routed to the outside interface (where the crypto map is applied), and so it would never match the interesting-traffic ACL before being encapsulated and transmitted over the tunnel.
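The order described in the replies above (route lookup first, then the crypto map on the egress interface) shown as an added IOS configuration example for R1. This is not the configuration attached to the original post or Cisco's own reference config; every address, interface name, object name and the pre-shared key placeholder is an assumption chosen for illustration.

```cisco
! --- Added example, not from the original thread. Assumed addressing:
!     Host1 LAN 192.168.1.0/24 behind R1, Host2 LAN 192.168.2.0/24 behind R3
!     R1 outside 203.0.113.1, ISP next hop 203.0.113.254, R3 outside 198.51.100.1
!
! Phase 1 (IKEv1) policy and peer key
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1
!
! Phase 2 transform set
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting traffic": the crypto ACL is only consulted for packets that
! have already been routed out of the interface the crypto map sits on.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA256
 match address VPN-TRAFFIC
!
! The crypto map is applied to the OUTSIDE interface. A packet from Host1 to
! Host2 reaches this interface only if the routing table sends it here.
interface GigabitEthernet0/0
 description Outside (to ISP)
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
!
interface GigabitEthernet0/1
 description Inside (Host1 LAN)
 ip address 192.168.1.1 255.255.255.0
!
! This is the route the question is about. Without it (or a default route)
! the lookup for 192.168.2.x fails and the packet is dropped before it ever
! reaches GigabitEthernet0/0, so the crypto ACL never sees it.
ip route 192.168.2.0 255.255.255.0 203.0.113.254
! Equivalent alternative: a default route toward the ISP
! ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! --- Verification (run from R1 after sending traffic from Host1 to Host2) ---
! show ip route 192.168.2.10        -> must resolve via GigabitEthernet0/0
! show crypto isakmp sa             -> expect the peer in QM_IDLE
! show crypto ipsec sa              -> #pkts encaps/decaps should increment;
!                                     if they stay at 0, check the route first
```

The verification order mirrors the forwarding order: confirm the route resolves to the outside interface before looking at IKE or IPsec state, because a missing route produces no IPsec counters at all and is easy to mistake for a crypto problem.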