Philippe
asked on
cisco routing between IPSec tunnel and Internet Access
Hi there,
I have a routing problem with a Cisco router that is attached two to ADSL Interfaces. One interface (VPN) has a fixed IP address and is used to establish IPSec tunnels to the router. The second interface (INTERNET)is used to access the internet with a dynamic IP address given by the ISP.
Using the cisco VPN client I connect to the VPN interface and surf the internet through the Internet interface.
The default route of the router goes to the Internet interface.
My problem is that this only works if I know the IP address of the VPN client such that I can set up a route that sends the trafic for the VPN client out the VPN interface.
How can I specify routing such that I could connect to the VPN interface from anywhere and still have the router use the VPN interface for VPN traffic the the VPN client and the other interface for all other traffic?
I have tried policy based routing, using route-maps but I can't get it to work.
Some info:
- I have the following interfaces: FastEthernet (which I don't actually need), ATM (for adsl), two ATM subinterfaces (one for each adsl line) and two Dialers.
I am not posting the config. I am interested in the concept, the correct way of achieving what I need.
thanks in advance,
Philippe
I have a routing problem with a Cisco router that is attached two to ADSL Interfaces. One interface (VPN) has a fixed IP address and is used to establish IPSec tunnels to the router. The second interface (INTERNET)is used to access the internet with a dynamic IP address given by the ISP.
Using the cisco VPN client I connect to the VPN interface and surf the internet through the Internet interface.
The default route of the router goes to the Internet interface.
My problem is that this only works if I know the IP address of the VPN client such that I can set up a route that sends the trafic for the VPN client out the VPN interface.
How can I specify routing such that I could connect to the VPN interface from anywhere and still have the router use the VPN interface for VPN traffic the the VPN client and the other interface for all other traffic?
I have tried policy based routing, using route-maps but I can't get it to work.
Some info:
- I have the following interfaces: FastEthernet (which I don't actually need), ATM (for adsl), two ATM subinterfaces (one for each adsl line) and two Dialers.
I am not posting the config. I am interested in the concept, the correct way of achieving what I need.
thanks in advance,
Philippe
Phillipe,
First of all, wouldn't that be an unnecessary wastage of bandwidth at your router and also the speed at the client side ? Because the clients already connect to your router through internet, so usual practice is to use split-tunneling to have the internet go through their local isp than coming through the vpn tunnel. But it is your decision.
As you said, you can do it when you know the ip address of the client, so when the vpn client connects are you not assigning them an ip address ? Using that you can route traffic.
Without seeing the config, it is going to be difficult understand what is in place.
Cheers,
Rajesh
First of all, wouldn't that be an unnecessary wastage of bandwidth at your router and also the speed at the client side ? Because the clients already connect to your router through internet, so usual practice is to use split-tunneling to have the internet go through their local isp than coming through the vpn tunnel. But it is your decision.
As you said, you can do it when you know the ip address of the client, so when the vpn client connects are you not assigning them an ip address ? Using that you can route traffic.
Without seeing the config, it is going to be difficult understand what is in place.
Cheers,
Rajesh
ASKER
Hello Rajesh,
I can not change the design of the system. I must have separate connections for VPN and INTERNET for administrative reasons.
I do assign addresses to VPN clients, but those are private adresses (10.x.y.z). Those are routed correctly. The adress I need to route is the public IP address of the client. The client should be able to connect from anywhere from the internet to my static VPN address. The router should route everything except the IP address of the client throught the INTERNET interface.
I have a standard configuration created with SDM. But it only works the intended way if I add a route to the public address of the potential clients.
cheers,
Philippe
I can not change the design of the system. I must have separate connections for VPN and INTERNET for administrative reasons.
I do assign addresses to VPN clients, but those are private adresses (10.x.y.z). Those are routed correctly. The adress I need to route is the public IP address of the client. The client should be able to connect from anywhere from the internet to my static VPN address. The router should route everything except the IP address of the client throught the INTERNET interface.
I have a standard configuration created with SDM. But it only works the intended way if I add a route to the public address of the potential clients.
cheers,
Philippe
With policy routing you should be able to specify that any traffic not sourced from the private addresses should exit on another interface. I don't see any other way to do it.
But I have to agree with rsivanandan... why the heck would you want someone who is already on the internet free and clear to connect to your router and then go back out? You can push out the "split tunnel" routes to the client so they don't have to do anything.
But I have to agree with rsivanandan... why the heck would you want someone who is already on the internet free and clear to connect to your router and then go back out? You can push out the "split tunnel" routes to the client so they don't have to do anything.
ASKER
Hi there,
Thanks for the comments.
I've tried policy routing but didn't manage to get it to work. I might be doing something wrong. Can you please explain how you would set up policy routing. I understand that policy routing does not override the default route, so I must not have a default route and use a route map to route all traffic.
I can set up an ACL to match the traffic from the private IPs (say acl 120) and one to not match those IPs (say 130). Then I can create a route map and apply it to some interfaces. Could you give an example for that?
cheers,
Philippe
Thanks for the comments.
I've tried policy routing but didn't manage to get it to work. I might be doing something wrong. Can you please explain how you would set up policy routing. I understand that policy routing does not override the default route, so I must not have a default route and use a route map to route all traffic.
I can set up an ACL to match the traffic from the private IPs (say acl 120) and one to not match those IPs (say 130). Then I can create a route map and apply it to some interfaces. Could you give an example for that?
cheers,
Philippe
What you want to do is let the private IPs route normally. So assuming they are 192.168.10.0/24,
access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any
route-map policy-routing permit 10
match ip 10
set interface [the outbound adsl interface]
route-map policy-routing permit 20
interface [inbound adsl interface]
ip policy route-map policy-routing
This should force all non-192.168 traffic out the outbound interface while letting all other traffic ( not 192.168) follow normal routing. You need the 2nd liine (permit 20) or the router will drop all traffic that doesn't match the permit 10.
access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any
route-map policy-routing permit 10
match ip 10
set interface [the outbound adsl interface]
route-map policy-routing permit 20
interface [inbound adsl interface]
ip policy route-map policy-routing
This should force all non-192.168 traffic out the outbound interface while letting all other traffic ( not 192.168) follow normal routing. You need the 2nd liine (permit 20) or the router will drop all traffic that doesn't match the permit 10.
ASKER
Thanks mike,
This looks good. I'll try it tomorrow.
With this policy the private IPs go out the outbound interface.
I guess I still need to set up a default route (ip route 0.0.0.0 ...) to the inbound interface for all the return traffic and the IPsec traffic (and the ssh traffic to the input interface too). Is that right?
Another quick detail: when I specifiy the adsl interface, is it better to specify the dialer or the ATM subinterface. Is there any difference?
thanks much,
Philippe
This looks good. I'll try it tomorrow.
With this policy the private IPs go out the outbound interface.
I guess I still need to set up a default route (ip route 0.0.0.0 ...) to the inbound interface for all the return traffic and the IPsec traffic (and the ssh traffic to the input interface too). Is that right?
Another quick detail: when I specifiy the adsl interface, is it better to specify the dialer or the ATM subinterface. Is there any difference?
thanks much,
Philippe
Well, the wierd thing is that it the internet traffic retains it's original source address, the return traffic isn't going to pass through your router- it's going to follow the normal internet routing back from the destination. So no, the default route needs to point to the outbound interface.
I don't know how you're configured, but whichever interface has the IP address is the one to point to.
I'm thinking now, if you have problems with the above you may need to set up another policy that sets the "inbound" interface as the outbound interface for all VPN traffic (traffic to/from the appropriate tcp/udp ports). It gets very messy when you do what you're trying to do.
I'm thinking now, if you have problems with the above you may need to set up another policy that sets the "inbound" interface as the outbound interface for all VPN traffic (traffic to/from the appropriate tcp/udp ports). It gets very messy when you do what you're trying to do.
ASKER
I'm not sure I get this. I have the following traffic to route:
Private IP sources coming from the inbound interface through an IPSec tunnel. This needs to go out the outbound interface.
The return traffic of these will come back from the Internet and be nated to the private IPs and routed automatically to the IPSec tunnel.
IPSec traffic from my clients to the public address of my inboud interface. Replies to this traffic need to go out through the inbound interface
SSH traffic from myself to the public address of my inbound interface. Replies to this traffic need to go out throught the inbound interface too.
talk to you again tomorrow.
Philippe
Private IP sources coming from the inbound interface through an IPSec tunnel. This needs to go out the outbound interface.
The return traffic of these will come back from the Internet and be nated to the private IPs and routed automatically to the IPSec tunnel.
IPSec traffic from my clients to the public address of my inboud interface. Replies to this traffic need to go out through the inbound interface
SSH traffic from myself to the public address of my inbound interface. Replies to this traffic need to go out throught the inbound interface too.
talk to you again tomorrow.
Philippe
I'm not sure you'll get this to work well, the more I think about it. You haven't stated the reason for all of this other than "administrative reasons." But if you have 2 connections to the internet, and both could need to talk to any remote address, it gets very messy.
Are both circuits to the same ISP? What are your actual goals? Are you trying to isolate traffic to control bandwidth usage?
With the above policy, I *think* what would happen is all internet traffic, including return VPN traffic, would leave your outbound interface. As I said, you'd need a 2nd policy so that VPN traffic goes back out the interface it arrived on if that's what you need. This might work:
access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any
access-list 100 permit udp any any eq 500
access-list 100 permit [whatever else you need for your VPN)
route-map policy-routing permit 10
match ip address 10
set interface [the outbound adsl interface]
route-map policy-routing permit 20
match ip address 100
set interface [inbound adsl interface]
route-map policy-routing permit 30
interface [inbound adsl interface]
ip policy route-map policy-routing
Are both circuits to the same ISP? What are your actual goals? Are you trying to isolate traffic to control bandwidth usage?
With the above policy, I *think* what would happen is all internet traffic, including return VPN traffic, would leave your outbound interface. As I said, you'd need a 2nd policy so that VPN traffic goes back out the interface it arrived on if that's what you need. This might work:
access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any
access-list 100 permit udp any any eq 500
access-list 100 permit [whatever else you need for your VPN)
route-map policy-routing permit 10
match ip address 10
set interface [the outbound adsl interface]
route-map policy-routing permit 20
match ip address 100
set interface [inbound adsl interface]
route-map policy-routing permit 30
interface [inbound adsl interface]
ip policy route-map policy-routing
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Good One Mike. This has to be the only way to try it.
But I just don't see the need for it.
Cheers,
Rajesh
But I just don't see the need for it.
Cheers,
Rajesh
I have another suggestion, if that's really the way it needs to be done, because I don't think policy routing will work.
You configure a tunnel interface, which is an internal virtual interface that terminates the VPN connections. The source address is configured to be the VPN interface/address. Both the interfaces have a crypto map to handle the dynamic mappings since the external clients will come in on the VPN interface and initially the return traffic out the Internet interface (with a source address of the VPN interface) because of the last resort route.
Once the SAs are set up though, the clients will still come in on the VPN interface and if you configure the dynamic map for reverse-route, dynamic entries for the VPN client addresses will be created pointing to the VPN interface, so the the return traffic will exit that as well.
That's the concept anyway. :)
You configure a tunnel interface, which is an internal virtual interface that terminates the VPN connections. The source address is configured to be the VPN interface/address. Both the interfaces have a crypto map to handle the dynamic mappings since the external clients will come in on the VPN interface and initially the return traffic out the Internet interface (with a source address of the VPN interface) because of the last resort route.
Once the SAs are set up though, the clients will still come in on the VPN interface and if you configure the dynamic map for reverse-route, dynamic entries for the VPN client addresses will be created pointing to the VPN interface, so the the return traffic will exit that as well.
That's the concept anyway. :)
ASKER
I still can't make it work with policies. Somehow they are just ignored.
I remember having read that policy routing only works if there is no default route. Can anybody confirm?
Also, how about local policy. If I define a local policy defnining which packets must leave through which interface I can't connect to the router anymore. Any ideas?
thanks for any help
Philippe
ASKER
Here is a code snippet:
! i want this traffic to go home through the VPN interface
access-list 150 permit ip host %static-ip-of-vpn-interfac
access-list 150 permit ip any 10.10.10.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
! this is the traffic that should go out the internet interface
access-list 160 permit ip 10.10.10.0 0.0.0.255 any
route-map mymap permit 10
match ip address 150
set interface Dialer%vpn%
!
route-map mymap permit 20
match ip address 160
set interface Dialer%internet%
I have applied the route map to Dialer%vpn% and even to its corresponding ATM interface.
I also have a default route towards the internet interface. But it doesn't work better if I disable it.
If I set a manual route to the VPN client then everything works fine....
Since you accepted my answer, did you get it working? I was out sick for a few days. Default route should have no impact on policy routing. It's what's used after everything else has been implemented.
ASKER