[c-nsp] VPN Routing vs Static Routing

Higham, Josh jhigham at epri.com
Tue Oct 7 11:02:15 EDT 2008


Traffic is encrypted for a VPN based on the output interface; the VPN
policy is applied to the interface the traffic goes out (often the
public interface).  Static routes apply to inbound traffic to determine
the outbound interface.  If the static route (default route or more
specific) doesn't point the traffic out the interface with the VPN
policy, the VPN won't come into play.

You may be able to test this outside the lab by utilizing an unused
interface, or at least an interface without a VPN.  Create a VPN there
for some generic network (some random website) not routed through that
interface, then check that traffic continues to flow normally.  Add a
static route for the network and verify that it does hit the VPN tunnel
(you won't see the tunnel come up, but you can watch debugs to see when
the PIX tries to establish it).

Thanks,
Josh

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nimal 
> David Sirimanne
> Sent: Tuesday, October 07, 2008 1:38 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VPN Routing vs Static Routing
> 
> Hi guys,
> 
> Assume that I have a VPN link from Cisco PIX to remote network 
> 10.10.10.0/24.
> 
> What would happen if I set another static route on the Cisco PIX to this 
> same network 10.10.10.0/24? Would the static routing take precedence? 
> Will the VPN link break? Will the PIX IOS detect the conflict?
> 
> Ideally, I'd love to test this out on a test network, but I can't, so 
> perhaps if anyone has any experience with this, can you enlighten me? 
> Thanks!
> 
> Nimal
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
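The following PIX 6.x-style configuration fragment is an added illustration of the point Josh makes above and of the test he proposes; it is not from either poster. Interface names, addresses and the peer are assumptions chosen for the example. The crypto map is bound to the outside interface only, so the remote prefix 10.10.10.0/24 is encrypted only when the routing table sends it out that interface; an alternate route out another interface (Case B) would carry the same traffic in the clear, because no crypto map is applied there.

```cisco
! Constructed example: PIX 6.x syntax, addresses and names are assumptions
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 198.51.100.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

! "Interesting" traffic: inside LAN to the remote 10.10.10.0/24
access-list VPN_TO_REMOTE permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
! Exempt that traffic from NAT so the real source addresses enter the tunnel
nat (inside) 0 access-list VPN_TO_REMOTE

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
! The crypto map exists on the outside interface only
crypto map OUTSIDE_MAP interface outside

isakmp enable outside
isakmp key <preshared-key> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2

! Case A: the route for 10.10.10.0/24 points out the outside interface.
! Packets matching VPN_TO_REMOTE leave via outside, hit the crypto map,
! and trigger ISAKMP/IPsec negotiation with 203.0.113.1.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route outside 10.10.10.0 255.255.255.0 198.51.100.1 1

! Case B (alternative, shown commented out): the same prefix routed out dmz.
! The dmz interface has no crypto map, so 10.10.10.0/24 traffic would be
! forwarded unencrypted to 172.16.1.254 and the tunnel would never be built.
! route dmz 10.10.10.0 255.255.255.0 172.16.1.254 1
```

To run Josh's test against this, check which interface the prefix currently resolves to with `show route`, enable `debug crypto isakmp` and `debug crypto ipsec`, then send traffic from 192.168.1.0/24 toward 10.10.10.0/24. With the Case A route you should see phase 1 and phase 2 negotiation start and a security association appear in `show crypto isakmp sa` and `show crypto ipsec sa`; with a route out an interface that carries no crypto map, nothing is negotiated and the traffic is simply forwarded in the clear.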