VPN over secondary route interface

hrmilo
Level 1

Cisco 2911 with SLA controlling the default route between a primary ISP A interface and a failover secondary ISP B interface. I wish to allow PPTP VPN connections to the router on either interface, but the local router traffic responding to attempts coming in on interface B seems to be routing out the primary interface A, so the VPN handshake never begins. I need a way to tag that VPN traffic coming in on interface B so that I can apply a policy-route to make sure the responses go out interface B. I was thinking maybe a class-map to tag the traffic and then somehow using that tag in a policy-map or route-map solution... Has anybody wrestled with a similar issue and come up with a solution?

3 Replies

hrmilo
Level 1

I think I just had an idea. Maybe I can NAT the traffic coming in on B to a known pool of addresses and then use a route-map to set responses to these addresses to go out interface B.

The NATing of VPN tunnels probably has issues to overcome though.

I will have to look into this...


Hello,

can you post the configuration of your 2911? Since you have failover configured, routing should happen automatically...

Thanks for the interest.

If I put a static route back to the PPTP client and force it over the secondary interface I can get it working. But this is an unreasonable solution.


In a separate conversation somebody suggested I should not need the static routes to my SLA ping targets, but without those routes I will get a timeout on SLA 4 (my secondary/failover).

And without the static route I cannot perform a "ping ip 36.36.36.36 source 70.70.70.85".  I get timeouts.

So, overall, any traffic I try to source from the secondary interface or any responses I expect when I hit that interface (i.e. my PPTP VPN connects) are in fact NOT going out that interface but are taking the normal routing decision process... I can force these things with PBR route-maps, but should I HAVE to? I wonder if IP CEF is getting in the way?


Here is my config.  Real IPs have been changed to protect the innocent...


!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default if-authenticated
!
!
aaa session-id common
ppp packet throttle 20 1 5
!
no ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
redundancy
!
!
track 4 ip sla 4 reachability
 delay down 75 up 180
!
track 5 ip sla 5 reachability
 delay down 75 up 180
!
!
bridge crb
!
interface Loopback0
 description Always Up interface for PPTP ET. AL.
 ip address 10.10.16.254 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Intranet
 ip address 10.10.9.254 255.255.240.0
 ip access-group Inside-Out in
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map Outgoing
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Charter Primary
 ip address 50.50.50.34 255.255.255.252
 ip access-group Outside-In2 in
 ip nat outside
 ip virtual-reassembly in max-reassemblies 1000
 duplex auto
 speed auto
 service-policy output VOIP
!
interface GigabitEthernet0/0/0
 description ATT Dedicated Circuit
 ip address 70.70.70.86 255.255.255.252
 ip access-group Outside-In3 in
 ip nat outside
 ip virtual-reassembly in max-reassemblies 1000
 negotiation auto
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip nat inside
 no ip virtual-reassembly in
 ip policy route-map Outgoing
 peer default ip address pool PPTPPool
 no keepalive
 compress mppc
 ppp max-terminate 10
 ppp max-bad-auth 3
 ppp mtu adaptive
 ppp pfc remote reject
 ppp acfc remote reject
 ppp encrypt mppe auto
 ppp caller name WHODAT
 ppp authentication ms-chap-v2
 ppp direction dedicated
 ppp ncp passive ipcp
!
!
router rip
 version 2
 passive-interface GigabitEthernet0/1
 passive-interface GigabitEthernet0/2
 passive-interface GigabitEthernet0/0/0
 passive-interface Loopback0
 passive-interface Loopback1
 passive-interface Tunnel12
 passive-interface Tunnel13
 passive-interface Tunnel17
 network 10.0.0.0
!
ip local policy route-map localpolicy
ip local pool PPTPPool 10.10.16.2 10.10.16.32
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map Dedicated interface GigabitEthernet0/0/0 overload
ip nat inside source route-map Charter interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 50.50.50.33 10 track 4
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 70.70.70.85 5 track 5
ip route 0.0.0.0 0.0.0.0 70.70.70.85 20 permanent
ip route 92.92.92.92 255.255.255.255 GigabitEthernet0/1 50.50.50.33 permanent
ip route 36.36.36.36 255.255.255.255 GigabitEthernet0/0/0 70.70.70.85 permanent
!
ip access-list extended Inside-Out
 permit ip any any
!
ip access-list extended Outside-In2
 remark ICMP control to-from ISP router
 permit icmp host 50.50.50.33 host 50.50.50.34
 remark Next 3 allows traffic initiated from inside
 permit udp any any reflect udpreflect timeout 300
 permit icmp any any reflect icmpreflect timeout 300
 permit tcp any any established
 remark Next 2 allows PPTP VPN
 permit gre any host 50.50.50.34
 permit tcp any host 50.50.50.34 eq 1723
 deny   ip any any log
!
ip access-list extended Outside-In3
 remark ICMP control to-from ISP router
 permit icmp host 70.70.70.85 host 70.70.70.86
 remark Next 3 allows traffic initiated from inside
 permit udp any any reflect udpreflect timeout 300
 permit icmp any any reflect icmpreflect timeout 300
 permit tcp any any established
 remark Next 2 Allow PPTP VPN traffic
 permit gre any host 70.70.70.86
 permit tcp any host 70.70.70.86 eq 1723
 deny   ip any any log
!
ip sla 4
 icmp-echo 92.92.92.92 source-interface GigabitEthernet0/1
 threshold 500
 timeout 3000
 frequency 30
ip sla schedule 4 life forever start-time now
ip sla 5
 icmp-echo 36.36.36.36 source-interface GigabitEthernet0/0/0
 threshold 500
 timeout 3000
 frequency 30
ip sla schedule 5 life forever start-time now
!
route-map Outgoing permit 5
 match ip address 111
 set interface Tunnel17
!
route-map Charter permit 10
 match ip address 110
 match interface GigabitEthernet0/1
!
route-map Dedicated permit 10
 match ip address 110
 match interface GigabitEthernet0/0/0
!
route-map localpolicy permit 10
 match ip address 112
 set interface Tunnel17
!
access-list 110 permit ip 10.10.0.0 0.0.255.255 any
access-list 111 permit ip 10.10.16.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 111 permit ip 10.10.8.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 111 deny   ip any any
access-list 112 permit ip host 10.10.16.254 20.20.20.0 0.0.0.255
access-list 112 deny   ip any any
!
!
control-plane
!
bridge 1 protocol ieee
!
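As an added check (not from the thread or from Cisco), the script below reads an IOS config in the shape posted above and reports which "ip nat outside" interfaces have no "ip local policy" clause covering packets the router itself sources from their address, which is exactly the traffic (PPTP SYN-ACKs, SLA probes, "ping ... source") that otherwise falls through to the normal routing table. The FIXED variant appends a hypothetical local-PBR clause for the ATT address; the addresses, interface names and next-hop are taken from the posted config, the clause itself is an assumption about what would steer those replies.

```python
"""Added example, not from the thread: find WAN interfaces whose self-sourced
traffic (PPTP SYN-ACKs, SLA probes) escapes the 'ip local policy' route-map."""
import re

# Constructed excerpt modelled on the posted 2911 config (same addresses).
CONFIG = """\
interface GigabitEthernet0/1
 ip address 50.50.50.34 255.255.255.252
 ip nat outside
interface GigabitEthernet0/0/0
 ip address 70.70.70.86 255.255.255.252
 ip nat outside
ip local policy route-map localpolicy
route-map localpolicy permit 10
 match ip address 112
 set interface Tunnel17
access-list 112 permit ip host 10.10.16.254 20.20.20.0 0.0.0.255
"""
# Hypothetical fix (not in the thread): steer replies sourced from the ATT
# address to the ATT peer, so they leave by the interface they arrived on.
FIXED = CONFIG + """\
route-map localpolicy permit 20
 match ip address 113
 set ip next-hop 70.70.70.85
access-list 113 permit ip host 70.70.70.86 any
"""

def wan_interfaces(cfg):
    """{interface: address} for every interface configured 'ip nat outside'."""
    pat = r"^interface (\S+)\n(?: .*\n)*? ip address (\S+) \S+\n(?: .*\n)*? ip nat outside$"
    return dict(re.findall(pat, cfg, re.M))

def local_policy_sources(cfg):
    """Source hosts ('any' = wildcard) the local-policy route-map's ACLs match on."""
    m = re.search(r"^ip local policy route-map (\S+)$", cfg, re.M)
    acls = re.findall(rf"^route-map {m.group(1)} .*\n(?: .*\n)*? match ip address (\S+)$",
                      cfg, re.M) if m else []
    return {s.replace("host ", "") for acl in acls for s in
            re.findall(rf"^access-list {acl} permit ip (host \S+|any)", cfg, re.M)}

def uncovered_wan_sources(cfg):
    """WAN addresses whose self-originated packets fall through to the routing table."""
    srcs = local_policy_sources(cfg)
    return sorted((i, a) for i, a in wan_interfaces(cfg).items()
                  if "any" not in srcs and a not in srcs)

if __name__ == "__main__":
    for cfg_name, cfg in (("posted", CONFIG), ("with local PBR", FIXED)):
        print(cfg_name, "-> not steered by local policy:", uncovered_wan_sources(cfg))
```

Run against the posted config both WAN addresses are reported; with the added clause only the Charter address remains, which is expected while the default route points there anyway.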