Cisco – Policy Based Routing for VPN connections with VPN Client configuration

Tags: cisco, cisco-ios, pbr, vpn

We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (please don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).

The router has two WAN connections. One is the primary wan ("slow wan" link with slower upload, 10D/1U mbps) and it is used for the corporate workstations used by the employees. The other is our backup link. It has higher upload speed, 11D/11U mbps ("fast wan"), and thus we also use the high upload link for our webserver (I have done this using PBR just for the http traffic from the webserver). For numerous other reasons we cannot use the fast wan connection as our primary connection and it is used only as a failover in case the primary link fails.

The fast wan also has a static IP address and we use this static IP for the VPN Client configuration.

Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes in on the fast wan interface, but exits from the slow wan interface. And because the slow wan has only 1mbps upload the vpn connection is slow.

Is there any way for us to redirect the vpn traffic to always use the fast wan interface and to take advantage of the 11mbps upload speed of that connection?

Below is a sanitized config of our router

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group dc
key ***
dns 192.168.5.7
domain corp.local
pool SDM_POOL_1
acl 101
max-users 3
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group dc
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
description *WAN*
no ip address
ip mtu 1396
duplex auto
speed auto
!
interface FastEthernet0/0.3
description FAST-WAN-11D-11U
encapsulation dot1Q 3
ip address 88.XX.XX.75 255.255.255.248
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0.4
description SLOW-WAN-10D-1U
encapsulation dot1Q 4
ip address dhcp
ip nat outside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/1
description *LOCAL*
no ip address
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.10
description VLAN 10 192-168-5-0
encapsulation dot1Q 10
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly max-reassemblies 32
no cdp enable
!
interface FastEthernet0/1.20
description VLAN 20 10-10-0-0
encapsulation dot1Q 20
ip address 10.10.0.254 255.255.255.0
ip access-group PERMIT-MNG out
ip nat inside
ip virtual-reassembly
!
!!! NOTE: This route map is used to PBR the http traffic for our server
ip policy route-map REDIRECT-VIA-FAST-WAN
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template3
no ip address
!
interface Virtual-Template4
no ip address
!
!
ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
ip forward-protocol nd
!
!
!
!!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
!
!!! FAST-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
!
!
!
ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
!
!
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
!
ip access-list extended FAST-WAN-NAT
permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit icmp 192.168.5.0 0.0.0.255 any
permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit icmp 10.10.0.0 0.0.0.255 any
ip access-list extended REDIRECT-VIA-FAST-WAN
deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
ip access-list extended SLOW-WAN-NAT
permit ip 192.168.5.0 0.0.0.255 any
permit ip 10.10.0.0 0.0.0.255 any
!
!
route-map FAST-WAN-NAT-RMAP permit 10
match ip address FAST-WAN-NAT
match interface FastEthernet0/0.3
!
route-map REDIRECT-VIA-FAST-WAN permit 10
match ip address REDIRECT-VIA-FAST-WAN
set ip next-hop 88.XX.XX.73
!
route-map SLOW-WAN-NAT-RMAP permit 10
match ip address SLOW-WAN-NAT
match interface FastEthernet0/0.4
!
!

P.S. Also feel free to suggest a better name (more descriptive name) for this post

UPDATE: 20.12.2013

I did as John Kennedy suggested. However the traffic was still routed OUT the slow-wan interface.
I created a separate route-map for the other lan interface. This is the config and the show output:

At the time of executing these commands I am actually SSHed in from the VPN. I also tried to disconnect and reconnect again just in case.

You may notice below that when I execute a show access-list command, there are no matched packets for the ESP or AHP protocols.

Also for the newly created route map REDIRECT-VIA-FAST-WAN2 there are no matched packets, yet my VPN-assigned IP address is in the 192.168.5.0 subnet.

Router# sh run inter fa0/1.10
!
interface FastEthernet0/1.10
 description VLAN 10 192-168-5-0
 encapsulation dot1Q 10
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly max-reassemblies 32
 ip policy route-map REDIRECT-VIA-FAST-WAN2
 no cdp enable
end

Router#
Router#sh run inter fa0/1.20
Building configuration...

Current configuration : 251 bytes
!
interface FastEthernet0/1.20
 description VLAN 20 10-10-0-0
 encapsulation dot1Q 20
 ip address 10.10.0.254 255.255.255.0
 ip access-group PERMIT-MNG out
 ip nat inside
 ip virtual-reassembly
 ip policy route-map REDIRECT-VIA-FAST-WAN
 no cdp enable
end

Router#
Router#sh route-map
route-map REDIRECT-VIA-FAST-WAN2, permit, sequence 10
  Match clauses:
    ip address (access-lists): REDIRECT-VIA-FAST-WAN2
  Set clauses:
    ip next-hop 88.XX.XX.73
  Policy routing matches: 0 packets, 0 bytes
!
route-map REDIRECT-VIA-FAST-WAN, permit, sequence 10
  Match clauses:
    ip address (access-lists): REDIRECT-VIA-FAST-WAN
  Set clauses:
    ip next-hop 88.XX.XX.73
  Policy routing matches: 1948323 packets, 2212263065 bytes
!
Router#
Router#sh access-lists REDIRECT-VIA-FAST-WAN
Extended IP access list REDIRECT-VIA-FAST-WAN
    10 deny tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255 (2068620 matches)
    20 permit tcp host 10.10.0.43 eq 443 9675 any (1948603 matches)
    30 permit esp any any
    40 permit ahp any any
    !
    !!! NOTE: FIRST I TRIED WITHOUT THESE. THEY WERE ADDED AFTERWARDS JUST IN CASE. 
    !!! ALSO THE ROUTER ITSELF CORRECTED THE PORT NUMBERS INTO THE CORRESPONDING PROTOCOLS
    50 permit udp any any eq isakmp
    60 permit udp any any eq 10000
    !
    !!! I MAY ASSUME THAT THE CORRECTED ENTRY non500-isakmp ACTUALLY MEANS "THIS WILL NOT BE USED FOR ISAKMP"
    70 permit udp any any eq non500-isakmp 
    80 permit tcp any any eq 4500
Router#sh access-lists REDIRECT-VIA-FAST-WAN2
Extended IP access list REDIRECT-VIA-FAST-WAN2
    10 permit ahp any any
    20 permit esp any any
    30 permit udp any any eq isakmp
    40 permit udp any any eq 10000
    50 permit udp any any eq non500-isakmp
    60 permit tcp any any eq 4500
Router#

Best Answer

You can simply append the ACL "REDIRECT-VIA-FAST-WAN" to route IPSEC traffic out your "fast wan" interface.

ip access-list extended REDIRECT-VIA-FAST-WAN
deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
permit ahp any any
permit esp any any

Or if your router does not have the "ahp" and "esp" options for an extended ACL, you can simply add in the specific ports that the ipsec client tunnels over, namely UDP ports 500, 10000, and 4500, and also TCP 4500 for good measure.

ip access-list extended REDIRECT-VIA-FAST-WAN
deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
permit udp any any eq 500
permit udp any any eq 10000
permit udp any any eq 4500
permit tcp any any eq 4500

You may also have to append your "PERMIT-MNG" ACL to allow outbound IPSEC traffic (depending on what that ACL is configured to do) but you stripped it out of the running config so I can not fully comment on that.
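Added example (not part of the question or the accepted answer): the same IPsec match entries placed on a local policy so they also apply to packets the router itself originates. On IOS, `ip policy route-map` on a LAN sub-interface only inspects transit packets arriving on that interface; the ESP and UDP 500/4500/10000 packets the router sends back to a VPN client are generated by the router after encryption, so they follow the routing table (here the slow-WAN default with distance 5) and never touch the interface policy, which is consistent with the 0 matches on REDIRECT-VIA-FAST-WAN2 in the update. `ip local policy route-map` is the IOS knob that policy-routes router-originated packets. The names IPSEC-LOCAL-PBR and LOCAL-PBR-VIA-FAST-WAN are assumed; 88.XX.XX.75 and 88.XX.XX.73 are the sanitized fast-WAN address and next hop from the posted config.

```cisco
! Added example, not from the original post: policy-route the router's own
! IPsec replies to VPN clients out the fast WAN.
! Assumed names: IPSEC-LOCAL-PBR (ACL) and LOCAL-PBR-VIA-FAST-WAN (route-map).
! 88.XX.XX.75 / 88.XX.XX.73 are the sanitized fast-WAN address / next hop from the posted config.
!
ip access-list extended IPSEC-LOCAL-PBR
 remark Only router-originated IPsec sourced from the fast-WAN address (source port = tunnel port)
 permit esp host 88.XX.XX.75 any
 permit ahp host 88.XX.XX.75 any
 permit udp host 88.XX.XX.75 eq isakmp any
 permit udp host 88.XX.XX.75 eq non500-isakmp any
 permit udp host 88.XX.XX.75 eq 10000 any
 permit tcp host 88.XX.XX.75 eq 4500 any
!
route-map LOCAL-PBR-VIA-FAST-WAN permit 10
 match ip address IPSEC-LOCAL-PBR
 set ip next-hop 88.XX.XX.73
!
! Global command: applies the route-map to packets generated by the router itself,
! which interface-level "ip policy route-map" never sees.
ip local policy route-map LOCAL-PBR-VIA-FAST-WAN
```

Matching on the fast-WAN source address keeps the policy narrow: SSH sessions, routing updates and anything else the router originates from other addresses stay on normal routing, and traffic that matches nothing in the ACL (or hits a `deny` entry) is simply routed normally rather than dropped. With a client connected, `show route-map LOCAL-PBR-VIA-FAST-WAN` should show the "Policy routing matches" counter increasing, which is the check that was missing from the interface route-maps in the update.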