[c-nsp] VPN Tunnel and PBR

Ahmad Cheikh Moussa acm at netuse.de
Fri Mar 30 02:37:55 EST 2007


Hi!

Ahmad Cheikh-Moussa wrote:
> Hi Gianluca,
> 
> On Mar 29, 07, hjan wrote:
>> Hi Ahmad,
>> did you try the recursive next-hop under pbr?
>> From Cisco: *The recursive next-hop IP address is installed in the
>> routing table and can be a subnet that is not directly connected.* [1]
> It looks good. In the debug output I could see the routing works.
> 
> Mar 29 18:53:31.284 MEST: IP: s=10.1.15.66 (Vlan963), d=1.2.3.10, len 76, FIB policy match
> Mar 29 18:53:31.284 MEST: IP: s=10.1.15.66 (Vlan963), d=1.2.3.10, g=10.5.1.1, len 76, FIB policy routed
> 
> Before the change I only got errors that the routing policy does not work.

The policy matches now, but the packets are still sent outside the tunnel,
although the next-hop has to be reached via the tunnel interface.
If I make an extended ping from the router to the next-hop, then I can
see the packets go through the tunnel.

Could it be that the routing information comes before the IPsec
tunnel information and if the next hop is Dialer1, then the decision
to look into the IPsec tunnel information is overwritten?

Dialer 1 is my outside interface and the tunnel ends on this
interface.

Regards,
 Ahmad




-- 
Ahmad Cheikh-Moussa
ISP-Technik

NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Telefon: +49 431 2390 400 --  Telefax: +49 431 2390 499
Service: Service at NetUSE.DE --  http://NetUSE.DE/
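Added example, not taken from this thread or from the poster's router: an IOS configuration for the recursive next-hop PBR being discussed, rebuilt from the interface and addresses visible in the quoted debug lines, plus the checks that tell you whether policy-routed packets actually enter the IPsec tunnel. The /24 source subnet, the ACL and route-map names, and the crypto ACL are assumptions.

```ios
! Added example (not the poster's configuration). Addresses and Vlan963
! come from the quoted debug output; everything else is assumed.
ip access-list extended PBR-TO-REMOTE
 permit ip 10.1.15.0 0.0.0.255 host 1.2.3.10
!
! Recursive next-hop: 10.5.1.1 need not be on a directly connected subnet,
! the router resolves it through the routing table (here: via the tunnel).
route-map PBR-VIA-TUNNEL permit 10
 match ip address PBR-TO-REMOTE
 set ip next-hop recursive 10.5.1.1
!
interface Vlan963
 ip policy route-map PBR-VIA-TUNNEL
!
! A crypto map on the outside interface (Dialer1 in the thread) only
! encrypts traffic that matches its crypto ACL; anything else leaves in
! clear. The policy-routed src/dst pair must therefore be covered here too.
ip access-list extended CRYPTO-REMOTE
 permit ip 10.1.15.0 0.0.0.255 host 1.2.3.10
!
! Checks after applying the policy (assumed hosts/counters):
!   show route-map PBR-VIA-TUNNEL   -> "policy matches" counter increases
!   show crypto ipsec sa            -> "#pkts encaps" increases for the
!                                      10.1.15.0/24 -> 1.2.3.10 SA only
!                                      if the packets really enter the tunnel
!   debug ip policy                 -> "FIB policy routed" lines as quoted
```

If the route-map counter rises but the SA encapsulation counter does not, the policy-routed packets are bypassing the tunnel, which is the symptom described in the message.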