cisco routing between IPSec tunnel and Internet Access

Hi there,

I have a routing problem with a Cisco router that is attached to two ADSL interfaces. One interface (VPN) has a fixed IP address and is used to establish IPSec tunnels to the router. The second interface (INTERNET) is used to access the internet with a dynamic IP address given by the ISP.

Using the cisco VPN client I connect to the VPN interface and surf the internet through the Internet interface.

The default route of the router goes to the Internet interface.

My problem is that this only works if I know the IP address of the VPN client, such that I can set up a route that sends the traffic for the VPN client out the VPN interface.

How can I specify routing such that I could connect to the VPN interface from anywhere and still have the router use the VPN interface for VPN traffic to the VPN client and the other interface for all other traffic?

I have tried policy based routing, using route-maps but I can't get it to work.

Some info:

- I have the following interfaces: FastEthernet (which I don't actually need), ATM (for adsl), two ATM subinterfaces (one for each adsl line) and two Dialers.

I am not posting the config. I am interested in the concept, the correct way of achieving what I need.

 thanks in advance,

  Philippe


PhilippeAsked:

PhilippeAuthor Commented:
test
rsivanandanCommented:
Philippe,

  First of all, wouldn't that be an unnecessary wastage of bandwidth at your router and also the speed at the client side ? Because the clients already connect to your router through internet, so usual practice is to use split-tunneling to have the internet go through their local isp than coming through the vpn tunnel. But it is your decision.

  As you said, you can do it when you know the ip address of the client, so when the vpn client connects are you not assigning them an ip address ? Using that you can route traffic.

  Without seeing the config, it is going to be difficult to understand what is in place.

Cheers,
Rajesh
PhilippeAuthor Commented:
Hello Rajesh,

I can not change the design of the system. I must have separate connections for VPN and INTERNET for administrative reasons.

I do assign addresses to VPN clients, but those are private addresses (10.x.y.z). Those are routed correctly. The address I need to route is the public IP address of the client. The client should be able to connect from anywhere on the internet to my static VPN address. The router should route everything except the IP address of the client through the INTERNET interface.

I have a standard configuration created with SDM. But it only works the intended way if I add a route to the public address of the potential clients.


 cheers,

   Philippe

mikebernhardtCommented:
With policy routing you should be able to specify that any traffic not sourced from the private addresses should exit on another interface. I don't see any other way to do it.

But I have to agree with rsivanandan... why the heck would you want someone who is already on the internet free and clear to connect to your router and then go back out? You can push out the "split tunnel" routes to the client so they don't have to do anything.
PhilippeAuthor Commented:
Hi there,

Thanks for the comments.

I've tried policy routing but didn't manage to get it to work. I might be doing something wrong. Can you please explain how you would set up policy routing. I understand that policy routing does not override the default route, so I must not have a default route and use a route map to route all traffic.

I can set up an ACL to match the traffic from the private IPs (say acl 120) and one to not match those IPs (say 130). Then I can create a route map and apply it to some interfaces. Could you give an example for that?

cheers,

  Philippe
mikebernhardtCommented:
What you want to do is let the private IPs route normally. So assuming they are 192.168.10.0/24,

access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any

route-map policy-routing permit 10
 match ip address 10
 set interface [the outbound adsl interface]
route-map policy-routing permit 20

interface [inbound adsl interface]
 ip policy route-map policy-routing

This should force all non-192.168 traffic out the outbound interface while letting all other traffic (not 192.168) follow normal routing. You need the 2nd line (permit 20) or the router will drop all traffic that doesn't match the permit 10.
PhilippeAuthor Commented:
Thanks mike,

This looks good. I'll try it tomorrow.

With this policy the private IPs go out the outbound interface.

I guess I still need to set up a default route (ip route 0.0.0.0 ...) to the inbound interface for all the return traffic and the IPsec traffic (and the SSH traffic to the input interface too). Is that right?

Another quick detail: when I specify the ADSL interface, is it better to specify the dialer or the ATM subinterface? Is there any difference?

 thanks much,
 
  Philippe



mikebernhardtCommented:
Well, the weird thing is that if the internet traffic retains its original source address, the return traffic isn't going to pass through your router; it's going to follow the normal internet routing back from the destination. So no, the default route needs to point to the outbound interface.
mikebernhardtCommented:
I don't know how you're configured, but whichever interface has the IP address is the one to point to.

I'm thinking now, if you have problems with the above you may need to set up another policy that sets the "inbound" interface as the outbound interface for all VPN traffic (traffic to/from the appropriate tcp/udp ports). It gets very messy when you do what you're trying to do.
PhilippeAuthor Commented:
I'm not sure I get this. I have the following traffic to route:

Private IP sources coming from the inbound interface through an IPSec tunnel. This needs to go out the outbound interface.

The return traffic of these will come back from the Internet and be NATed to the private IPs and routed automatically to the IPSec tunnel.

IPSec traffic from my clients to the public address of my inbound interface. Replies to this traffic need to go out through the inbound interface.

SSH traffic from myself to the public address of my inbound interface. Replies to this traffic need to go out through the inbound interface too.


talk to you again tomorrow.

 Philippe
mikebernhardtCommented:
I'm not sure you'll get this to work well, the more I think about it. You haven't stated the reason for all of this other than "administrative reasons." But if you have 2 connections to the internet, and both could need to talk to any remote address, it gets very messy.

Are both circuits to the same ISP? What are your actual goals? Are you trying to isolate traffic to control bandwidth usage?

With the above policy, I *think* what would happen is all internet traffic, including return VPN traffic, would leave your outbound interface. As I said, you'd need a 2nd policy so that VPN traffic goes back out the interface it arrived on if that's what you need. This might work:

access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any

access-list 100 permit udp any any eq 500
access-list 100 permit [whatever else you need for your VPN]

route-map policy-routing permit 10
 match ip address 10
 set interface [the outbound adsl interface]
route-map policy-routing permit 20
 match ip address 100
 set interface [inbound adsl interface]
route-map policy-routing permit 30

interface [inbound adsl interface]
 ip policy route-map policy-routing
mikebernhardtCommented:
I've corrected the order of the above, try this instead. You can make as many match-set statements as you need, as long as you're careful that you only have one possible match for each type of traffic. Therefore they all need to go before the line currently numbered 20.

access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any

access-list 100 permit udp any any eq 500
access-list 100 permit [whatever else you need for your VPN]

route-map policy-routing permit 10
 match ip address 100
 set interface [the inbound adsl interface]
route-map policy-routing permit 20
 match ip address 10
 set interface [outbound adsl interface]
route-map policy-routing permit 30

interface [inbound adsl interface]
 ip policy route-map policy-routing
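To see why the clause order matters, and what the empty trailing clause does, here is a small Python model of how IOS evaluates a policy route-map: wildcard-mask ACLs walked top-down with an implicit deny, route-map clauses tried in sequence order with the first match winning, and a packet denied by a clause's ACL falling through to the next clause. This is an added example for this thread, not Cisco software or the poster's configuration; the Dialer names, the 198.51.100.1 and 203.0.113.7 addresses and the two sample packets are constructed placeholders, and ACL 100 carries only the udp/500 ISAKMP line from the posts.

```python
"""Toy evaluator for Cisco IOS policy-based routing (PBR).
Constructed example; interface names and addresses are placeholders."""
from ipaddress import ip_address

ALL_ONES = 0xFFFFFFFF


def wildcard_match(addr, spec):
    """IOS address match: 'any', 'host A.B.C.D', or 'NETWORK WILDCARD'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return int(ip_address(addr)) == int(ip_address(spec[5:]))
    network, wildcard = spec.split()
    care = ALL_ONES ^ int(ip_address(wildcard))  # wildcard bit 1 = don't care
    return int(ip_address(addr)) & care == int(ip_address(network)) & care


def acl_permits(acl, pkt):
    """Walk the access list top-down; an unmatched packet hits the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        if wildcard_match(pkt["src"], src) and wildcard_match(pkt["dst"], dst):
            return action == "permit"
    return False


def policy_route(route_map, acls, pkt, routing_table_iface):
    """Return the egress interface PBR selects for pkt.

    A clause with no 'match' matches every packet; a clause with no 'set'
    (or no matching clause at all) hands the packet to the routing table.
    A packet denied by a clause's ACL does not match that clause, so the
    next clause is tried.
    """
    for _seq, acl_name, set_iface in route_map:
        if acl_name is None or acl_permits(acls[acl_name], pkt):
            return set_iface or routing_table_iface
    return routing_table_iface


# The thread's two access lists (ACL 100 reduced to the ISAKMP line).
ACLS = {
    "10": [("deny", "ip", "192.168.10.0 0.0.0.255", "any", None),
           ("permit", "ip", "any", "any", None)],
    "100": [("permit", "udp", "any", "any", 500)],
}
INBOUND, OUTBOUND = "Dialer-VPN", "Dialer-INTERNET"  # placeholder names

# First posted ordering: the catch-all ACL 10 is tested before ACL 100.
ROUTE_MAP_FIRST = [(10, "10", OUTBOUND), (20, "100", INBOUND), (30, None, None)]
# Corrected ordering: the specific VPN match comes first.
ROUTE_MAP_FIXED = [(10, "100", INBOUND), (20, "10", OUTBOUND), (30, None, None)]

# Constructed sample packets: an ISAKMP packet arriving from a VPN client's
# public address, and a decrypted client packet from the private pool.
IKE_FROM_CLIENT = {"src": "203.0.113.7", "dst": "198.51.100.1",
                   "proto": "udp", "dport": 500}
PRIVATE_TO_WEB = {"src": "192.168.10.5", "dst": "93.184.216.34",
                  "proto": "tcp", "dport": 443}


def egress(route_map, pkt):
    """Egress chosen for pkt, with the default route pointing at OUTBOUND."""
    return policy_route(route_map, ACLS, pkt, routing_table_iface=OUTBOUND)


if __name__ == "__main__":
    for name, rm in (("first", ROUTE_MAP_FIRST), ("fixed", ROUTE_MAP_FIXED)):
        print(name, "IKE ->", egress(rm, IKE_FROM_CLIENT),
              "| private ->", egress(rm, PRIVATE_TO_WEB))
```

Running it shows the ordering problem directly: with the first posting the udp/500 packet from the public client matches the `permit any` line of ACL 10 in clause 10 and is sent out the INTERNET dialer, while the corrected map catches it in ACL 100 first and keeps it on the VPN dialer; the private-source packet is denied by ACL 10 in both maps, matches nothing else, and reaches the empty clause 30, which simply leaves it to the routing table. Note that `ip policy route-map` on an interface only applies to transit packets received on that interface; the router's own replies (IKE responses, SSH sessions terminated on the router) are only steered by `ip local policy route-map`.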

rsivanandanCommented:
Good One Mike. This has to be the only way to try it.

But I just don't see the need for it.

Cheers,
Rajesh
FrabbleCommented:
I have another suggestion, if that's really the way it needs to be done, because I don't think policy routing will work.

You configure a tunnel interface, which is an internal virtual interface that terminates the VPN connections. The source address is configured to be the VPN interface/address. Both the interfaces have a crypto map to handle the dynamic mappings since the external clients will come in on the VPN interface and initially the return traffic out the Internet interface (with a source address of the VPN interface) because of the last resort route.

Once the SAs are set up though, the clients will still come in on the VPN interface, and if you configure the dynamic map for reverse-route, dynamic entries for the VPN client addresses will be created pointing to the VPN interface, so the return traffic will exit that as well.

That's the concept anyway. :)

PhilippeAuthor Commented:

I still can't make it work with policies. Somehow they are just ignored.

I remember having read that policy routing only works if there is no default route. Can anybody confirm?

Also, how about local policy? If I define a local policy defining which packets must leave through which interface, I can't connect to the router anymore. Any ideas?

 thanks for any help

 Philippe
PhilippeAuthor Commented:

Here is a code snippet:



! i want this traffic to go home through the VPN interface
access-list 150 permit ip host %static-ip-of-vpn-interface% any
access-list 150 permit ip any 10.10.10.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any

! this is the traffic that should go out the internet interface
access-list 160 permit ip 10.10.10.0 0.0.0.255 any

route-map mymap permit 10
 match ip address 150
 set interface Dialer%vpn%
!
route-map mymap permit 20
 match ip address 160
 set interface Dialer%internet%

I have applied the route map to Dialer%vpn% and even to its corresponding ATM interface.

I also have a default route towards the internet interface. But it doesn't work better if I disable it.

If I set a manual route to the VPN client then everything works fine....




mikebernhardtCommented:
Since you accepted my answer, did you get it working? I was out sick for a few days. Default route should have no impact on policy routing. It's what's used after everything else has been implemented.