[c-nsp] VPN Tunnel and PBR

Rodney Dunn rodney at cisco.com
Mon Apr 2 09:29:29 EDT 2007


Sorry I didn't follow the thread.

What is the configuration you said didn't work?

With PBR you match and set the interface or next hop. PBR should
always forward down that path. If the next hop turns out to be
over a GRE tunnel that is encrypted, that traffic should be encrypted
and forwarded like any other traffic routed over the tunnel.

Rodney

 On Mon, Apr 02, 2007 at 02:32:00PM +0200, Ahmad Cheikh Moussa wrote:
> Hi!
> 
> Ahmad Cheikh Moussa wrote:
> > Hi!
> >>
> >> Mar 29 18:53:31.284 MEST: IP: s=10.1.15.66 (Vlan963), d=1.2.3.10, len 76, FIB policy match
> >> Mar 29 18:53:31.284 MEST: IP: s=10.1.15.66 (Vlan963), d=1.2.3.10, g=10.5.1.1, len 76, FIB policy routed
> >>
> >> Before the change I only got errors that the routing policy does not work.
> > 
> > The policy matches now, but the packets are still sent outside the tunnel,
> > although the next-hop has to be reached via tunnel interface.
> > If I make an extended ping from the router to the next-hop, then I can
> > see the packet goes through the tunnel.
> > 
> 
> Now it works. I've changed the encryption domain (traffic which has to
> go through the IPsec tunnel) so that everything goes to the tunnel
> except one network and with that it works.
> But I'm still curious about the config with virtual-access interface.
> 
> Is there any Cisco guy who can send an example config?
> The problem I had was that when the tunnel is established the
> router is not reachable via the external IP. In this case the ip
> of dialer 1 (DSL dialin).
> 
> 
> Regards,
>  Ahmad
> 
> -- 
> Ahmad Cheikh-Moussa
> ISP-Technik
> 
> NetUSE AG
> Dr.-Hell-Straße, 24107 Kiel, Germany
> Phone: +49 431 2390 400 --  Fax: +49 431 2390 499
> Service: Service at NetUSE.DE --  http://NetUSE.DE/

