VPN Server on multiple interfaces

haohaolee
Level 1

Hi all,

I have a c3725 router that has two WAN interfaces, on both of which I want to serve VPN clients. However, I have only one default route, say for WAN1, so how can I accept client requests on WAN2?

PS: I use VPDN and PPTP, and I'm a newbie to Cisco routers and IOS.

Thanks.

4 Replies

Marvin Rhoads
Hall of Fame

Any VPN issues are secondary to the first issue of routing. Unless and until you know how to route in and out of the WAN2 interface, you won't be able to attach any VPN policies to it.

You'll need some kind of routing process (static, policy-based, dynamic routing protocol, etc.) to get the router to select that interface for traffic.

Thanks for your reply,

Back to this very issue, I think the ideal situation is that the outgoing VPN data (or other data generally) go back to the interface where they came from. I don't know which feature or functionality Cisco IOS provides that can be used for this, or whether it is just impossible because the outgoing data are actually generated by the router itself.

What's your ISP setup? Separate providers with separate address spaces SWIP'd to you? If that's the case, you'd have to know where your clients come from and manipulate your routing so that traffic to and from them always goes via WAN2.

The ideal setup for this sort of situation is to have your own provider-independent address space (e.g. a /24 or larger), with your VPN headend sitting in that space behind whatever router(s) move traffic from your PI space into and out of the Internet.

If you don't have that and your router is also your VPN device, you don't have many good options for doing what your original post requests. What's behind your requirement for VPN on one interface and default route out another?

Hi Marvin,

Unfortunately for some reason the two upstream links are from the same ISP with different bandwidth.

But never mind, I totally understand what you said: adding another dedicated VPN device makes things simple, and the above scenario is not that realistic, I just want to know how far I can go. Thanks!

One more question: what if I want all the data to go to the first WAN interface except the VPN data? Assume PPTP with VPDN here. I tried local policy routing, but failed:

ip access-list extended pptp-traffic
  permit tcp any eq 1723 any
  permit gre any any
!
route-map LOCAL_POLICY 10
 match ip address pptp-traffic
 set interface WAN2
!
ip local policy route-map LOCAL_POLICY
!
ip route 0.0.0.0 0.0.0.0 WAN1
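The same local policy routing idea written out as an added example (not configuration from the poster or from Cisco), with the two points a practitioner would check first: matching on the router's own source port 1723 and GRE, and giving the route-map an explicit IP next hop rather than only an interface. Interface names and the next-hop addresses are assumed placeholders, not values from the thread.

```cisco
! Added example, not from the original post.
! Assumed names/addresses (constructed for illustration):
!   WAN1 = FastEthernet0/0, gateway 198.51.100.1 (default route)
!   WAN2 = FastEthernet0/1, gateway 203.0.113.1  (PPTP/GRE only)
!
! PPTP control traffic generated by the router (the VPN server) is
! sourced from TCP port 1723, so the match is on the SOURCE port, as in
! the original ACL; GRE carries the tunnelled PPP frames.
ip access-list extended pptp-traffic
 permit tcp any eq 1723 any
 permit gre any any
!
! On a multi-access (Ethernet) WAN, "set interface" leaves the router with
! no layer-2 next hop to ARP for and depends on the upstream device
! answering proxy ARP; "set ip next-hop" names the gateway explicitly.
route-map LOCAL_POLICY permit 10
 match ip address pptp-traffic
 set ip next-hop 203.0.113.1
!
! "ip local policy" applies the route-map to packets the router itself
! originates, which is what the VPN server's replies are.
ip local policy route-map LOCAL_POLICY
!
! Everything else still follows the single default route via WAN1
! (again with an IP next hop rather than an interface-only route).
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Verification, so the policy is observed rather than guessed at:
!   show route-map LOCAL_POLICY   -> packet/byte counters on sequence 10
!   show ip local policy          -> which route-map is applied locally
!   debug ip policy               -> per-packet "policy match" / "rejected"
```

With this policy every PPTP/GRE packet the router sends leaves via WAN2, so clients should connect to WAN2's address; a client that connected to WAN1's address would see its replies return asymmetrically from the other link.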