[c-nsp] VPN Tunnel and PBR
Ahmad Cheikh Moussa
acm at netuse.de
Thu Mar 29 09:03:14 EST 2007
Hi!
I have a problem with an ezvpn config.
I have a 876 router with some vlans.
The config should look like this:
                   LAN-D
    Internet        /
        |        VPN
        |        /
          Router
            |
         /  |  \
    LAN-A LAN-B LAN-C
The router establishes the tunnel via the ezvpn remote
feature. I want all traffic which comes from
LAN-B and LAN-C to go directly to LAN-D, and the rest directly
to the internet.
I've configured PBR and found out that this does not work,
because my next hop is an IP address which is not
in the routing table, but it is an IP which is reachable
through the tunnel. The tunnel uses split-tunneling and
works without any problem if I try to reach one of
the IPs in LAN-D.
After a while I found out that there is a feature
virtual-access for ezvpn. This feature generates routing
entries for every network which is in the split-tunneling
list, and so my PBR works. The other problem is now that
everything else doesn't work. LAN-A can not go to
the internet and I can not reach the LAN via the internet.
Here is a cut of the ezvpn config:
crypto ipsec client ezvpn VPN_DHELLRT
 connect auto
 group DROPPOINT-GRP key *****
 mode network-extension
 peer 1.1.1.1
 username droppoint01 password ******
 xauth userid mode local

interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4

interface Vlan105
 LAN B
 ip policy route-map PBR-MAP

route-map PBR-MAP permit 10
 match ip address PBR
 set ip next-hop "LAN-D"
My question is: have I forgotten to configure something
for the virtual-access?
Is there another way to solve this problem?
Kind regards,
Ahmad
--
Ahmad Cheikh-Moussa
ISP-Technik
NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Telefon: +49 431 2390 400 -- Telefax: +49 431 2390 499
Service: Service at NetUSE.DE -- http://NetUSE.DE/
Vorstand: Andreas Seeger (Vorsitz), Dr. Roland Kaltefleiter, Dr. Jörg Posewang, Heinz Rohde
Aufsichtsrat: Detlev Hübner (Vorsitz)
Sitz der AG: Kiel, HRB 5358 USt.ID: DE156073942
The information contained in this message is confidential or protected by
law. Any unauthorised copying of this message or unauthorised distribution
of the information contained herein is prohibited.
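The post turns on one mechanism: a policy route's `set ip next-hop` is resolved through the routing table, so the interface the policy-routed packet actually leaves on depends on which route covers that next hop. The following is an added illustration written for this thread, not the poster's configuration or Cisco IOS code: a small model of a RIB with longest-prefix match and recursive next-hop resolution, run with and without the routes that the virtual-access feature injects from the split-tunnel list. All prefixes, interface names (Vlan100/105/110, Dialer0, Virtual-Access1) and the LAN-D next-hop address are constructed assumptions; the post names none of them. The model assumes, as the post reports, that a next hop covered only by the default route does not place the packet into the tunnel.

```python
"""Model of PBR next-hop resolution against a routing table (added example).

The post describes 'set ip next-hop <LAN-D host>' not working until the
EzVPN virtual-access feature added a route for LAN-D. This toy RIB shows
why: the next hop is resolved recursively, so without a tunnel route the
policy-routed packet is handed to the outside interface instead.
Addressing and interface names below are constructed, not from the post.
"""
import ipaddress

# Constructed addressing plan (assumption; the post gives no prefixes).
LAN_A = ipaddress.ip_network("10.1.0.0/24")        # Vlan100, internet only
LAN_B = ipaddress.ip_network("10.2.0.0/24")        # Vlan105, policy-routed to LAN-D
LAN_C = ipaddress.ip_network("10.3.0.0/24")        # Vlan110, policy-routed to LAN-D
LAN_D = ipaddress.ip_network("10.4.0.0/24")        # behind the EzVPN peer
LAN_D_NEXT_HOP = ipaddress.ip_address("10.4.0.1")  # the "LAN-D" next hop of PBR-MAP
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# RIB entries: (prefix, next hop). The next hop is an interface name for
# connected/interface routes, or an IPv4Address for recursive routes.
RIB_WITHOUT_VACCESS = [
    (LAN_A, "Vlan100"),
    (LAN_B, "Vlan105"),
    (LAN_C, "Vlan110"),
    (DEFAULT, "Dialer0"),           # outside interface toward the internet
]
# With virtual-access, every split-tunnel network becomes a route that
# points at the tunnel interface.
RIB_WITH_VACCESS = RIB_WITHOUT_VACCESS + [(LAN_D, "Virtual-Access1")]

# route-map PBR-MAP: traffic sourced from LAN-B or LAN-C -> LAN-D next hop.
PBR_MAP = [(LAN_B, LAN_D_NEXT_HOP), (LAN_C, LAN_D_NEXT_HOP)]


def lookup(rib, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    best = None
    for prefix, nh in rib:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best


def resolve(rib, dst, depth=0):
    """Recursive lookup: follow next-hop addresses until an egress interface
    is found. Returns the interface name, or None if unresolvable."""
    route = lookup(rib, dst)
    if route is None or depth > 8:      # depth guard against routing loops
        return None
    nh = route[1]
    if isinstance(nh, str):             # interface route: done
        return nh
    return resolve(rib, nh, depth + 1)


def forward(rib, pbr_map, src, dst):
    """Decide the egress interface for one packet.

    A matching policy entry wins only if its next hop resolves in the RIB;
    otherwise the packet falls back to normal destination routing.
    Returns (egress_interface, "pbr" | "rib").
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_prefix, nh in pbr_map:
        if src in src_prefix:
            egress = resolve(rib, nh)
            if egress is not None:
                return (egress, "pbr")
            break                       # next hop unresolvable: normal routing
    return (resolve(rib, dst), "rib")


if __name__ == "__main__":
    cases = [("10.2.0.10", "10.4.0.50"),    # LAN-B host to LAN-D host
             ("10.2.0.10", "198.51.100.7"),  # LAN-B host to the internet
             ("10.1.0.10", "198.51.100.7")]  # LAN-A host to the internet
    for name, rib in (("without virtual-access", RIB_WITHOUT_VACCESS),
                      ("with virtual-access", RIB_WITH_VACCESS)):
        print(name)
        for src, dst in cases:
            print(f"  {src} -> {dst}: {forward(rib, PBR_MAP, src, dst)}")
```

Without the LAN-D route, the policy next hop is covered only by the default route, so policy-routed LAN-B traffic is sent to the outside interface and never reaches the tunnel; once the split-tunnel route exists, the same next hop resolves to Virtual-Access1. LAN-A traffic takes the normal default route in both cases in this model, which is the behaviour the poster expects but reports as broken, so the real fault lies outside what this simple RIB captures.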