VPN Server on multiple interfaces
05-13-2013 07:07 AM
Hi all,
I have a c3725 router that has two WAN interfaces, both of which I want to serve VPN clients. However, I have only one default route, say via WAN1, so how can I accept client requests on WAN2?
ps: I use vpdn and pptp, and I'm a newbie to Cisco router and IOS.
Thanks.
Labels: VPN
05-13-2013 02:22 PM
Any VPN issues are secondary to the first issue of routing. Unless and until you know how to route in and out of the WAN2 interface, you won't be able to attach any VPN policies to it.
You'll need some kind of routing process (static, policy-based, dynamic routing protocol, etc.) to get the router to select that interface for traffic.
05-13-2013 07:30 PM
Thanks for your reply,
Back to this very issue, I think the ideal situation is that the outgoing VPN data (or other data generally) go back out the interface where they came in. I don't know which feature or functionality Cisco IOS provides that can be used for this, or whether it is just impossible because the outgoing data are actually generated by the router itself.
05-13-2013 07:43 PM
What's your ISP setup? Separate providers with separate address spaces SWIP'd to you? If that's the case, you'd have to know where your clients come from and manipulate your routing so that traffic to and from them always goes via WAN2.
The ideal setup for this sort of situation is to have your own provider-independent address space (e.g. a /24 or larger), and your VPN headend sits in that behind whatever router(s) move traffic from your PI space into and out of the Internet.
If you don't have that and your router is also your VPN device, you don't have many good options for doing what your original post requests. What's behind your requirement for VPN on one interface and default route out another?
05-13-2013 08:00 PM
Hi Marvin,
Unfortunately for some reason the two upstream links are from the same ISP with different bandwidth.
But never mind, I totally understand what you said; adding another dedicated VPN device makes things simple, and the above scenario is not that realistic, I just want to know how far I can go. Thanks!
One more question: what if I want all the data to go out the first WAN interface except the VPN data? Assuming PPTP with VPDN here, I tried local policy routing, but it failed:
! Router-originated PPTP control replies (source port 1723) and GRE data
ip access-list extended pptp-traffic
 permit tcp any eq 1723 any
 permit gre any any
!
route-map LOCAL_POLICY 10
 match ip address pptp-traffic
 set interface WAN2
!
! Local policy applies to packets the router itself generates
ip local policy route-map LOCAL_POLICY
!
ip route 0.0.0.0 0.0.0.0 WAN1

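An added example, not from any post in this thread, of the same local policy-routing idea written the way IOS expects it on a multi-access (Ethernet) WAN: match on the WAN2 address the router sources its PPTP/GRE replies from, and set a next-hop rather than an egress interface. The interface names WAN1/WAN2 and the addresses 203.0.113.2 (WAN2), 203.0.113.1 (WAN2 gateway) and 198.51.100.1 (WAN1 gateway) are placeholders from the documentation ranges.

```cisco
! Added example (placeholders: WAN1/WAN2, 203.0.113.x, 198.51.100.1).
! Match only what the router itself sends back from the WAN2 address:
! PPTP control replies (source port 1723) and the GRE tunnel packets.
! Restricting the source keeps unrelated GRE or TCP traffic on the default route.
ip access-list extended PPTP-FROM-WAN2
 permit tcp host 203.0.113.2 eq 1723 any
 permit gre host 203.0.113.2 any
!
! "set interface" needs a point-to-point link; on Ethernet use the gateway address
! so the router knows which MAC to ARP for.
route-map LOCAL_POLICY permit 10
 match ip address PPTP-FROM-WAN2
 set ip next-hop 203.0.113.1
!
! No other route-map entries: anything that does not match the ACL
! is routed normally through the default route below.
ip local policy route-map LOCAL_POLICY
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Verification (exec mode):
!  show route-map LOCAL_POLICY   - the "Policy routing matches" counter should increase
!  show ip local policy          - confirms the route-map is applied to local traffic
!  debug ip policy               - per-packet "policy match" / "policy rejected" output
```

If the match counter stays at zero while clients connect on WAN2, check that the ACL source address really is the address the VPDN group answers from.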