RE: Forcing return IP route

From: Schwimer, Greg (CAP, ITS, US) (Greg.Schwimer@xxxxxxxxxxxxx)
Date: Mon Dec 27 1999 - 19:21:11 GMT-3

• Next message: Patrick McKinnis: "RE: What's the difference between Queuing and Traffic Shaping?"
• Previous message: Patrick McKinnis: "RE: DECNET split-horizon"
• Maybe in reply to: Schwimer, Greg (CAP, ITS, US): "Forcing return IP route"
• Next in thread: Derek A. Buelna: "RE: Forcing return IP route"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
You hit the nail on the head. I did get it to work, sort of... I used the
following config on R2, where 172.16.25.2 is the remote (r1) end of the
tunnel:

route-map MAP1 permit 10
  match interface tun0
  set ip next-hop 172.16.25.2

int e0/0 (this is the internal network)
  ip policy route-map MAP1

The problem is that with this config, ALL traffic goes down the tunnel
interface.

The trick to this is that you cannot configure any policies based upon the
source address of the packet, as that will always be an unknown when dealing
with clients dialing-in to the internet.

-----Original Message-----
From: Derek A. Buelna [mailto:dameon@aracnet.com]
Sent: Monday, December 27, 1999 2:24 PM
To: 'Schwimer, Greg (CAP, ITS, US)'
Subject: RE: Forcing return IP route

Hi,

Let me see if I understand this correctly:

1. R1 and R2 are each connected to the Internet.
2. There is an IP tunnel between the two sites that is encrypted/using
IPSec.
3. Traffic on R1 that is destined for any of the networks at the R2 site
gets routed through the tunnel to R2 and vice versa.
4. The network has been configured to allow IPSec clients to connect to R1,
which works fine for accessing any network at the R1 site but when trying
to access a network at the R2 site, the replies are not sent through the
tunnel back to R1 (thus using IPSec) but are sent unencrypted directly to
the IP address of the IPSec client somewhere on the Internet which, of
course, doesn't work.

Let me know if I understand - I'm pondering this one - I have time to
research and this one is kind of interesting.

-Derek

-----Original Message-----
From: Schwimer, Greg (CAP, ITS, US) [SMTP:Greg.Schwimer@gecits.ge.com]
Sent: Monday, December 27, 1999 8:31 AM
To: CCIE Lab group (E-mail)
Cc: Mitchell, Tim (CAP, ITS, US); Vohs, Todd M (CAP, ITS, US)
Subject: Forcing return IP route

Does anyone know of a way to force a router to route IP reply packets (as
in
a ping, for example) through the same interface the request came in on?
Static routes are not an option. Here is the scenario:

                IPSec Client
                        !
                        !

• Next message: Patrick McKinnis: "RE: What's the difference between Queuing and Traffic Shaping?"
• Previous message: Patrick McKinnis: "RE: DECNET split-horizon"
• Maybe in reply to: Schwimer, Greg (CAP, ITS, US): "Forcing return IP route"
• Next in thread: Derek A. Buelna: "RE: Forcing return IP route"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:22:00 GMT-3