[c-nsp] ip local policy route and tunnels
Joe Maimon
jmaimon at ttec.com
Tue May 23 20:15:44 EDT 2006
Anyone see any issues trying to run GRE and/or IPsec tunnels on a router
through different interfaces by using local policy routing?

I can get the tunnels up and IPsec SAs are established, but tunnel
packets encapsulating payload traffic do not appear to be properly
policy routed.

In the past I have worked around this, but it is starting to get annoying.
(Yes, I have a TAC case open.)

Here is an example:
crypto keyring spokes
pre-shared-key address 64.xx.xx.212 key <key>
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto ipsec transform-set stdenc.set ah-md5-hmac esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set stdenc.noah.set esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile encrypted-inet-links
set security-association lifetime seconds 120
set transform-set stdenc.noah.set stdenc.set
set pfs group2
!
!
interface Tunnel0
ip address 10.10.36.2 255.255.255.252
ip nat inside
ip virtual-reassembly
keepalive 10 3
tunnel source Dialer1
tunnel destination 64.xx.xx.212
!
interface Tunnel1
ip address 10.10.37.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nat inside
ip nhrp authentication ulthef
ip nhrp map multicast dynamic
ip nhrp map multicast 64.xx.xx.212
ip nhrp map 10.10.37.2 64.xx.xx.212
ip nhrp map multicast 67.yy.yy.198
ip nhrp network-id 16770544
ip nhrp nhs 10.10.37.2
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip split-horizon eigrp 4535
delay 1000
keepalive 10 3
tunnel source Serial0/2/0
tunnel mode gre multipoint
tunnel key 16770544
tunnel path-mtu-discovery
tunnel protection ipsec profile encrypted-inet-links
!
interface Serial0/2/0
ip address 67.yy.yy.198 255.255.255.252
no ip redirects
ip nat outside
ip virtual-reassembly
no ip mroute-cache
service-module t1 timeslots 1-12
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap hostname user at domain
ppp chap password apassword
ppp pap sent-username user at domain password apassword
!
ip local policy route-map local-policy-route
ip route 0.0.0.0 0.0.0.0 67.yy.yy.197
!
ip access-list extended pyyyy-exit
permit ip host 67.yy.yy.198 host 64.xx.xx.212
!
ip access-list extended chl-exit
!this is the static ip bound to the Dialer1 interface by the ISP
permit ip host 64.xx.xx.44 any
!
route-map local-policy-route permit 20
match ip address pyyyy-exit
set interface Serial0/2/0
set ip next-hop 67.yy.yy.197
!
route-map local-policy-route permit 30
match ip address cxxxx-exit
set interface Dialer1
set ip next-hop 69.xx.xx.226
!
route-map local-policy-route permit 200
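The following is an added example, not code from the post or from Cisco: a small Python checker that parses an IOS-style config and cross-references the local policy route-map against its ACLs and the tunnel source/destination addresses, so dangling names and clauses that cannot match the tunnel endpoints are caught before opening a TAC case. The CONFIG string is a constructed abbreviation of the posted config (the "xx"/"yy" addresses are kept as placeholders). It only checks that names and addresses line up; it does not model how IOS applies local PBR to tunnel-encapsulated packets, which is the actual question. On the posted snippet it reports that route-map sequence 30 references `cxxxx-exit` while the ACL is defined as `chl-exit`, which may simply be an artifact of redacting the post. Wildcard-mask ACL entries are not modelled; only `host` and `any` are.

```python
import re

# Constructed sample: the posted config, trimmed to the policy-routing parts.
CONFIG = """\
interface Tunnel0
 tunnel source Dialer1
 tunnel destination 64.xx.xx.212
!
interface Tunnel1
 tunnel source Serial0/2/0
 tunnel mode gre multipoint
!
interface Serial0/2/0
 ip address 67.yy.yy.198 255.255.255.252
!
interface Dialer1
 ip address negotiated
!
ip local policy route-map local-policy-route
!
ip access-list extended pyyyy-exit
 permit ip host 67.yy.yy.198 host 64.xx.xx.212
!
ip access-list extended chl-exit
 permit ip host 64.xx.xx.44 any
!
route-map local-policy-route permit 20
 match ip address pyyyy-exit
 set interface Serial0/2/0
 set ip next-hop 67.yy.yy.197
!
route-map local-policy-route permit 30
 match ip address cxxxx-exit
 set interface Dialer1
 set ip next-hop 69.xx.xx.226
!
route-map local-policy-route permit 200
"""

HEADER_RE = re.compile(r"^(interface |ip access-list |route-map |crypto )")


def parse_blocks(text):
    """Split config into (header, body) pairs; a '!' line closes a block.
    Works without indentation, as long as blocks are '!'-separated (as posted)."""
    blocks, header, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!") or HEADER_RE.match(line):
            if header is not None:
                blocks.append((header, body))
            header, body = (None, []) if line.startswith("!") else (line, [])
        elif header is not None:
            body.append(line)
        else:
            blocks.append((line, []))  # global line, e.g. 'ip local policy ...'
    if header is not None:
        blocks.append((header, body))
    return blocks


def build_model(text):
    """Collect tunnels, interface addresses, ACLs and route-map clauses."""
    m = {"tunnels": {}, "iface_ip": {}, "acls": {}, "clauses": [], "local_policy": None}
    for header, body in parse_blocks(text):
        words = header.split()
        if words[0] == "interface":
            name, t = words[1], {"source": None, "destination": None}
            for line in body:
                w = line.split()
                if w[:2] == ["ip", "address"]:
                    m["iface_ip"][name] = w[2]
                elif w[:2] == ["tunnel", "source"]:
                    t["source"] = w[2]
                elif w[:2] == ["tunnel", "destination"]:
                    t["destination"] = w[2]
            if name.startswith("Tunnel"):
                m["tunnels"][name] = t
        elif words[:2] == ["ip", "access-list"]:
            m["acls"][words[-1]] = body
        elif words[0] == "route-map" and len(words) == 4:
            c = {"name": words[1], "seq": int(words[3]), "match": None, "set_if": None}
            for line in body:
                w = line.split()
                if w[:3] == ["match", "ip", "address"]:
                    c["match"] = w[3]
                elif w[:2] == ["set", "interface"]:
                    c["set_if"] = w[2]
            m["clauses"].append(c)
        elif header.startswith("ip local policy route-map "):
            m["local_policy"] = words[-1]
    return m


def acl_permits(lines, src, dst):
    """True if some 'permit ip <host X|any> <host Y|any>' line matches src->dst."""
    def spec(w, i, addr):  # returns (matches?, index after this address spec)
        if i >= len(w):
            return False, i
        if w[i] == "any":
            return True, i + 1
        if w[i] == "host" and i + 1 < len(w):
            return w[i + 1] == addr, i + 2
        return False, i + 2  # wildcard-mask form is not modelled here
    for line in lines:
        w = line.split()
        if w[:2] != ["permit", "ip"]:
            continue
        s_ok, i = spec(w, 2, src)
        d_ok, _ = spec(w, i, dst)
        if s_ok and d_ok:
            return True
    return False


def check_config(text):
    """Return findings as strings; an empty list means the names line up."""
    m, out = build_model(text), []
    rm = m["local_policy"]
    if rm is None:
        return ["no 'ip local policy route-map': router-originated packets use the routing table"]
    policy = [c for c in m["clauses"] if c["name"] == rm]
    for c in policy:  # every match must point at an ACL that actually exists
        if c["match"] and c["match"] not in m["acls"]:
            out.append(f"{rm} seq {c['seq']}: ACL {c['match']} is not defined (have {sorted(m['acls'])})")
    for tname, t in sorted(m["tunnels"].items()):
        steer = [c for c in policy if c["set_if"] == t["source"]]
        if not steer:  # nothing forces tunnel packets out the tunnel's source interface
            out.append(f"{tname}: no {rm} clause sets interface {t['source']}")
            continue
        src_ip = m["iface_ip"].get(t["source"])
        if t["destination"] and src_ip and src_ip != "negotiated":
            if not any(acl_permits(m["acls"].get(c["match"], []), src_ip, t["destination"]) for c in steer):
                out.append(f"{tname}: no ACL in the clauses for {t['source']} permits {src_ip} -> {t['destination']}")
    return out


if __name__ == "__main__":
    for finding in check_config(CONFIG) or ["no dangling names found"]:
        print(finding)
```

Run it against a full `show running-config` saved to a file by replacing CONFIG with the file contents; the point of the `steer` check is that a tunnel whose source interface is never named in a `set interface` clause falls back to the global default route for its encapsulated packets, which is exactly the symptom the post describes.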