10-20-2013 11:05 PM
We have a Cisco IOS router with two DSL connections. One of them is intended for general traffic (ADSL), the other for VPN links (BDSL) and various other traffic.
The default route is the ADSL link, and we have a combination of static routes for the VPN traffic, and policy routes for other traffic types that should go out the BDSL link.
For site to site traffic, this is fine, we just static route the public IPs and remote networks out of the BDSL line.
The policy based routing also works fine for any outgoing internal traffic that matches an ACL.
The problem is now that there are remote VPN sites originating from dynamic addresses, so we cannot use static routes. The replies to incoming ISAKMP requests are following the default route out of the ADSL (despite there being no crypto map on that interface).
I want to route the outgoing VPN traffic out of the BDSL. I have tried adding udp/500 and esp to and from any to the route-map ACL that pushes traffic out of the BDSL line, but it doesn't match, presumably because the route-map happens earlier than the IPsec stuff.
Any ideas how I can do this?
Thanks,
Paul
IOS ver: 12.4.13T.
10-21-2013 01:33 AM
Paul,
You're running a bit older IOS, but this should still apply:
http://www.cisco.com/image/gif/paws/116278/116278-configure-pbr-00.pdf
It explains how PBR and local policy apply to IKE/IPsec.
M.
10-21-2013 06:00 PM
Aah, thanks, local policy was the bit I was missing.
I have it set up, but it doesn't quite work:
ip local policy route-map local-policy

#sh route-map local-policy
route-map local-policy, permit, sequence 10
  Match clauses:
    ip address (access-lists): local-policy
  Set clauses:
    ip next-hop 139.130.72.105
  Policy routing matches: 128 packets, 0 bytes

#sh access-list local-policy
Extended IP access list local-policy
    20 permit esp any any
    30 permit ip any host 123.209.169.31 log (3 matches)
    40 permit udp any eq isakmp any eq isakmp log (172 matches)
    50 permit udp any any eq non500-isakmp
With the above setup, the VPN to 123.209.169.31 will establish. IPSec looks good, packets encap and decap. But packets from the head-end to the remote site do not get there.
If I add
ip route 123.209.169.31 255.255.255.255 139.130.72.105
Then the packets are returned. I have turned off cef just in case. The 123.209.169.31 address is dynamic, just in the access-list for testing, and will be removed once I get this working. But what can override the local policy route? It is like the isakmp packets are respecting the policy route, but ESP is not.
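An added diagnostic helper, not from this thread or from Cisco, that parses `show access-list` output of the kind pasted above and reports which entries of the local-policy ACL have never been hit; the sample ACL text is reconstructed from the post, and the hypothesis it tests (IKE is policy-routed, ESP is not) is the one raised above.

```python
import re

# Constructed sample: the "show access-list local-policy" output from the thread,
# reassembled one access-control entry (ACE) per line.
SAMPLE_ACL_OUTPUT = """\
Extended IP access list local-policy
    20 permit esp any any
    30 permit ip any host 123.209.169.31 log (3 matches)
    40 permit udp any eq isakmp any eq isakmp log (172 matches)
    50 permit udp any any eq non500-isakmp
"""

# IOS prints a "(N matches)" / "(1 match)" suffix only on ACEs that have been hit.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)

def parse_acl(text):
    """Return one dict per ACE: seq, action, proto, rest, matches (0 if no counter shown)."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:  # header line or anything that is not an ACE
            continue
        entries.append({
            "seq": int(m.group("seq")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "rest": m.group("rest"),
            "matches": int(m.group("matches") or 0),
        })
    return entries

def unmatched_entries(entries):
    """ACEs that have never been hit. In a local-policy ACL these are the
    locally generated traffic types that PBR is not steering."""
    return [e for e in entries if e["matches"] == 0]

def esp_vs_isakmp(entries):
    """Sum hit counters for ESP and for ISAKMP (udp/500 and NAT-T udp/4500)
    so the two can be compared directly."""
    esp = sum(e["matches"] for e in entries if e["proto"] == "esp")
    ike = sum(e["matches"] for e in entries
              if e["proto"] == "udp" and "isakmp" in e["rest"])
    return {"esp": esp, "isakmp": ike}
```

A zero ESP counter next to a growing ISAKMP counter confirms from the router's own counters that the ESP ACE is not being matched by the local policy.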