[c-nsp] VPN Tunnel and PBR

Ahmad Cheikh Moussa acm at netuse.de
Thu Mar 29 09:03:14 EST 2007


Hi!

I have a problem with a ezvpn config.
I have a 876 router with some vlans.

The config should look like this:

                 LAN-D
       Internet  /
         |      VPN
         |     /
        Router
         |
      /  |  \
 LAN-A  LAN-B LAN-C

The router establishes the tunnel via the ezvpn remote
feature. I want all traffic which comes from
LAN-B and LAN-C to go directly to LAN-D, and the rest directly
to the internet.

I've configured PBR and found out that this doesn't work,
because my next hop is an IP address which is not
in the routing table, but it is an IP which is reachable
through the tunnel. The tunnel uses split-tunneling and
works without any problem if I try to reach one of
the IPs in LAN-D.

After a while I found out that there is a feature
virtual-access for ezvpn. This feature generates routing
entries for every network which is in the split-tunneling
list, and so my PBR works. The other problem now is that
everything else doesn't work any more. LAN-A cannot go to
the internet and I cannot reach the LAN via the internet.

Here is a cut of the ezvpn config:

crypto ipsec client ezvpn VPN_DHELLRT
 connect auto
 group DROPPOINT-GRP key *****
 mode network-extension
 peer 1.1.1.1
 username droppoint01 password ******
 xauth userid mode local


interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4


interface Vlan105
 ! LAN B
 ip policy route-map PBR-MAP

route-map PBR-MAP permit 10
 match ip address PBR
 set ip next-hop "LAN-D"



My question is, have I forgotten something to configure
for the virtual-access?

Is there another way to solve this problem?

Kind regards,
 Ahmad




-- 
Ahmad Cheikh-Moussa
ISP-Technik

NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Telefon: +49 431 2390 400 --  Telefax: +49 431 2390 499
Service: Service at NetUSE.DE --  http://NetUSE.DE/


Board of management: Andreas Seeger (chairman), Dr. Roland Kaltefleiter, Dr. Jörg Posewang, Heinz Rohde
Supervisory board: Detlev Hübner (chairman)
Registered office: Kiel, HRB 5358 VAT ID: DE156073942

The information contained in this message is confidential or protected by
law. Any unauthorised copying of this message or unauthorised distribution
of the information contained herein is prohibited.
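For readers following the thread, the following is an added illustrative IOS configuration, not the poster's own config, showing how the EzVPN remote client in network-extension mode, the virtual-template it is bound to, the inside-interface marker and the PBR route-map fit together. The VLAN number, interface names, addresses, ACL and the LAN-D gateway address are assumptions; the point it makes is that `set ip next-hop` only takes effect when the next hop resolves in the routing table, which is what the routes installed on the virtual-access interface for the split-tunnel networks provide.

```cisco
! Added example, not the poster's configuration.
! Interface names, VLAN numbers and addresses are assumed.
crypto ipsec client ezvpn VPN_DHELLRT
 connect auto
 group DROPPOINT-GRP key <group-key>
 mode network-extension
 peer 1.1.1.1
 ! bind the client to Virtual-Template1 so a Virtual-Access
 ! interface is created and split-tunnel routes point at it
 virtual-interface 1
 username droppoint01 password <password>
 xauth userid mode local
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Dialer0
 description Internet uplink (assumed)
 ! outside interface for the EzVPN client
 crypto ipsec client ezvpn VPN_DHELLRT
!
interface Vlan105
 description LAN-B (assumed addressing)
 ip address 192.168.105.1 255.255.255.0
 ! mark LAN-B as an inside network of the EzVPN client
 crypto ipsec client ezvpn VPN_DHELLRT inside
 ip policy route-map PBR-MAP
!
ip access-list extended PBR
 ! traffic from LAN-B that should be policy-routed (assumed)
 permit ip 192.168.105.0 0.0.0.255 any
!
route-map PBR-MAP permit 10
 match ip address PBR
 ! 10.0.4.1 is an assumed gateway inside LAN-D; it must be
 ! reachable via a route in the routing table (here the
 ! split-tunnel route on the Virtual-Access interface),
 ! otherwise the set clause is ignored and normal routing applies
 set ip next-hop 10.0.4.1
```

When checking a setup like this, `show ip route` should list the split-tunnel networks via the Virtual-Access interface, and `show route-map PBR-MAP` shows whether the policy-routed packet counter increments; if the next hop is not in the table, the counter stays at zero and packets follow the default route instead.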