I am trying to forward IPsec traffic to the internet from my outside interface and I am having difficulty configuring my router. I confirmed that the tunnel is operational on phase one and phase two and had a device on the opposite end traceroute to an internet address, which shows traffic stops on my end of the tunnel. I believe I am not correctly configuring either routing or an ACL. Please see my config below.
crypto map TUNNEL-CMAP 40 ipsec-isakmp
set peer 22.214.171.124
set transform-set TS
match address 172
ip address 172.31.250.2 255.255.255.252
tunnel source 126.96.36.199
tunnel destination 188.8.131.52
no ip address
ip nat outside
ip address 184.108.40.206 255.255.255.248
ip nat outside
crypto map TUNNEL-CMAP
router bgp 11111
neighbor 172.31.250.1 remote-as 6167
neighbor 172.31.250.1 default-originate
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list nat interface GigabitEthernet0/2 overload
ip nat inside source route-map nonat interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 220.127.116.11
ip access-list extended nat
permit ip 192.168.100.0 0.0.0.255 any
access-list 172 permit gre host 18.104.22.168 host 22.214.171.124
IPsec is configured under the GRE tunnel with
and this crypto ipsec profile does not need an ACL because it is route-based, not policy-based.
The traffic that is forwarded via GRE will be protected with IPsec.
The IPsec VPN traffic flows from the 126.96.36.199 side to the 188.8.131.52 side of the tunnel, but I do not know how to configure it to go out the 184.108.40.206 gateway. The GRE tunnel is working, as BGP is functional.
Between these two routers there is:
We configured BGP between the two routers.
R2 (ISP) advertises a default route to R1;
there is GRE between R1 and R2,
which puts us in a different situation:
we must allow BGP through the GRE here,
and this will make the default route point toward the tunnel, not directly toward R2.
Configuring IPsec under GRE makes the traffic more secure.
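As an added illustration of the route-based variant the replies describe (this is not the posters' own config), the IPsec profile is bound to the GRE tunnel with `tunnel protection`, so the crypto map and the `match address 172` GRE ACL from the original post are no longer needed; whatever is routed into the tunnel is GRE-encapsulated and encrypted. The tunnel addresses and transform set name are taken from the post; the profile name and the interface names are assumptions.

```cisco
! Assumed profile name. The transform set TS is the one already defined in the post.
crypto ipsec profile GRE-PROF
 set transform-set TS
!
! Assumed interface name; tunnel source/destination are the values from the post.
! "tunnel protection" replaces "crypto map ... match address 172": no crypto ACL is needed.
interface Tunnel0
 ip address 172.31.250.2 255.255.255.252
 tunnel source 126.96.36.199
 tunnel destination 188.8.131.52
 tunnel protection ipsec profile GRE-PROF
!
! Outside interface as referenced by the NAT statements in the post; note there is
! no "crypto map TUNNEL-CMAP" applied here any more.
interface GigabitEthernet0/2
 ip address 184.108.40.206 255.255.255.248
 ip nat outside
!
! Checks: the session should show the tunnel endpoints as UP-ACTIVE, and the default
! route learned over BGP should have its next hop on the tunnel subnet.
! show crypto session
! show crypto ipsec sa
! show ip route 0.0.0.0
```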
Maybe: "NAT Traversal is a feature that is auto-detected by VPN devices."
crypto ipsec nat-transparency udp-encapsulation