- Static IP routes can be added to a site-to-site ipsec-map to route other networks through an IPSec tunnel.
- A static route to an ipsec-map can be configured before or after the crypto map.
- When a static route is added to an ipsec-map and the tunnel is NOT up, no route is installed in the routing table.
- If the tunnel is up, the route pointing to the gateway is added to the routing table.
- Redundancy is provided for IP routes by assigning costs.
Note: For VPN static route redundancy, "pre-connect enable" is mandatory in ipsec-map.
Environment: This applies to a typical deployment where an IPSec static route is needed between a MAS and a controller, between two MAS devices, or between a MAS and any other third-party device.
Network Topology :
Configuration for S3500-J21-Stacking
crypto-local ipsec-map s2s-pki 1
version v2
peer-ip 42.1.1.1
peer-cert-dn "/CN=dot1xclientcert2048-1"
interface vlan 42
src-net 4.1.1.0 255.255.255.0
dst-net 2.1.1.0 255.255.255.0
set transform-set "default-transform"
set security-association lifetime seconds 3600
set pfs group2
pre-connect enable
force-natt disable
set ca-certificate RootCert
set server-certificate servercert-2048
!
ip-profile
route 3.1.1.0 255.255.255.0 ipsec s2s-pki 1
route 3.1.1.0 255.255.255.0 ipsec tn-vpn 2
Configuration for AS 3500-j25 at the remote end
crypto-local ipsec-map s2s-pki 1
version v2
peer-ip 42.1.1.2
peer-cert-dn "/CN=dot1xservercert2048-1"
interface vlan 42
src-net 2.1.1.0 255.255.255.0
dst-net 4.1.1.0 255.255.255.0
set transform-set "default-transform"
set security-association lifetime seconds 3600
set pfs group2
pre-connect disable
force-natt disable
set ca-certificate rootCert-1
set server-certificate clientcert-2048
!
With the above configuration, the IPSec static route is configured on the MAS.
The following commands verify it.
(AS3500-Stack-T7021-J21) #show ip-profile
(AS3500-Stack-T7021-J21) #show ip route
(AS3500-Stack-T7021-J21) #show data path route
(AS3500-Stack-T7021-J21) #show datapath route-cache
The following commands and their output help to troubleshoot and verify the routes.
(AS3500-48T) # show ip-profile
ip-profile "default"
--------------------
Parameter Value
--------- -----
Default Gateway N/A
Import DHCP Gateway Disabled
controller-ip vlan4
route 2.1.1.0 255.255.255.0 42.1.1.1 0
route 3.1.1.0 255.255.255.0 ipsec s2s-pki 1
route 3.1.1.0 255.255.255.0 ipsec tn-vpn 2
(AS3500-48T) #show ip route
Codes: C - connected
O - OSPF, O(IA) - OSPF inter area
O(E1) - OSPF external type 1, O(E2) - OSPF external type 2
O(N1) - OSPF NSSA type 1, O(N2) - OSPF NSSA type 2
M - mgmt, S - static, * - candidate default
D - DHCP
C 2.1.1.0 /24 [1] is an ipsec map: _s2s-pki
S 3.1.1.0 /24 [1] is an ipsec map: _s2s-pki
(AS3500-48T) #show datapath route
Route Table Entries
-------------------
Flags: L - Local, P - Permanent, T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop
IP Mask Gateway Cost VLAN Flags
--------------- --------------- --------------- ---- ---- -----
2.1.1.0 255.255.255.0 2.1.1.1 0 1 TI
3.1.1.0 255.255.255.0 2.1.1.1 0 0
(AS3500-48T) # show datapath route-cache
Route Cache Entries
-------------------
Flags: L - local, P - Permanent, T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop
R - Routed across vlan
IP MAC VLAN Flags
--------------- ----------------- ----------- -----
2.1.1.1 00:00:00:00:00:00 tunnel 5608 PT
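The verification step above compares what is configured in the ip-profile with what is actually installed in the routing table. The script below is an added example (not part of the original article or of Aruba's own tooling) that parses captured "show ip-profile" and "show ip route" text, works out which ipsec route for each destination should be primary (lowest cost), and reports whether the primary map is carrying traffic, whether the device has failed over to a higher-cost backup map, or whether every tunnel for that prefix is down. The sample captures are constructed to match the line formats shown in the article; the "is an ipsec map:" line format is the only routing-table format it understands.

```python
import ipaddress
import re

# Constructed sample captures, modelled on the article's "show ip-profile" and
# "show ip route" output (not copied from a real device).
SHOW_IP_PROFILE = """\
ip-profile "default"
--------------------
Parameter            Value
---------            -----
Default Gateway      N/A
Import DHCP Gateway  Disabled
controller-ip        vlan4
route 2.1.1.0 255.255.255.0 42.1.1.1 0
route 3.1.1.0 255.255.255.0 ipsec s2s-pki 1
route 3.1.1.0 255.255.255.0 ipsec tn-vpn 2
"""

SHOW_IP_ROUTE = """\
Codes: C - connected
       M - mgmt, S - static, * - candidate default
C    2.1.1.0 /24 [1] is an ipsec map: _s2s-pki
S    3.1.1.0 /24 [1] is an ipsec map: _s2s-pki
"""

# "route <dst> <mask> ipsec <map-name> <cost>" lines inside the ip-profile
CONFIGURED_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+ipsec\s+(\S+)\s+(\d+)\s*$")
# "<code> <dst> /<len> [<metric>] is an ipsec map: _<map-name>"
INSTALLED_RE = re.compile(
    r"^([A-Z])\s+(\S+)\s*/(\d+)\s+\[(\d+)\]\s+is an ipsec map:\s+_?(\S+)\s*$")


def configured_ipsec_routes(profile_text):
    """Return {(prefix, map_name): cost} for the ipsec routes in show ip-profile."""
    routes = {}
    for line in profile_text.splitlines():
        m = CONFIGURED_RE.match(line.strip())
        if not m:
            continue
        dst, mask, map_name, cost = m.groups()
        prefix = str(ipaddress.IPv4Network((dst, mask), strict=False))
        routes[(prefix, map_name)] = int(cost)
    return routes


def installed_ipsec_routes(route_text):
    """Return {(prefix, map_name)} for static (S) ipsec routes in show ip route."""
    installed = set()
    for line in route_text.splitlines():
        m = INSTALLED_RE.match(line.strip())
        if not m:
            continue
        code, dst, plen, _metric, map_name = m.groups()
        if code != "S":  # skip the connected src-net/dst-net entry of the map itself
            continue
        installed.add((f"{dst}/{plen}", map_name))
    return installed


def audit(profile_text, route_text):
    """Per destination, report which configured ipsec map is carrying traffic.

    Returns {prefix: {"primary": map, "active": map_or_None, "status": text}}.
    """
    configured = configured_ipsec_routes(profile_text)
    installed = installed_ipsec_routes(route_text)
    report = {}
    for prefix in sorted({p for p, _ in configured}):
        # candidates for this destination, cheapest first: the lowest cost wins
        candidates = sorted((c, m) for (p, m), c in configured.items() if p == prefix)
        primary = candidates[0][1]
        active = [m for _, m in candidates if (prefix, m) in installed]
        if not active:
            status = "no route installed: every tunnel for this prefix is down"
        elif active[0] == primary:
            status = "primary tunnel up"
        else:
            status = f"failed over to backup map {active[0]}; check pre-connect on {primary}"
        report[prefix] = {"primary": primary,
                          "active": active[0] if active else None,
                          "status": status}
    return report


if __name__ == "__main__":
    for prefix, info in audit(SHOW_IP_PROFILE, SHOW_IP_ROUTE).items():
        print(prefix, info["status"])
```

Feed it the two captures from the device (for example, saved from the CLI session) and read the status line per prefix; a "failed over" result with the primary map missing from "show ip route" is the signature of the tunnel-down case the notes describe.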
Notes:
A static IPSec route has the same preference as other clear static routes.
For VPN static route redundancy, "pre-connect enable" is mandatory in the ipsec-map.
1. Once the tunnel is down and there is another up route with the same destination, the IPSec route is removed from the routing table. WITHOUT pre-connect enabled, traffic will not trigger the tunnel up, so the IPSec route cannot be installed back into the routing table until the other routes to the same destination are gone from the routing table.
2. For static routes, the one with the lower metric is installed, regardless of whether it is a clear route or an IPSec route.
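The two notes above describe a small set of install rules: an IPSec route is only a candidate while its tunnel is up, the lowest-cost candidate wins whether it is clear or IPSec, and a map without pre-connect is only re-established by traffic, which never happens while another route for the same destination is installed. The following is an added example (not from the article or from Aruba) that models those rules in a small simulator and runs the failover scenario from note 1 with and without pre-connect; the map name s2s-pki and the 3.1.1.0/24 destination are taken from the article, while the clear backup gateway 42.1.1.254 is a constructed value.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class IpsecMap:
    name: str
    pre_connect: bool   # "pre-connect enable" in the crypto-local ipsec-map
    up: bool = False    # current tunnel state


@dataclass
class StaticRoute:
    dst: str
    cost: int
    ipsec_map: Optional[str] = None   # set for "route <dst> <mask> ipsec <map> <cost>"
    gateway: Optional[str] = None     # set for a clear "route <dst> <mask> <gateway> <cost>"

    def next_hop(self):
        return f"ipsec {self.ipsec_map}" if self.ipsec_map else f"via {self.gateway}"


class RoutingTableSim:
    """Models the article's install rules for static routes on the MAS."""

    def __init__(self, maps, routes):
        self.maps = {m.name: m for m in maps}
        self.routes = routes

    def eligible(self, r):
        # an ipsec route is a candidate only while its tunnel is up;
        # a clear route is always a candidate
        return r.ipsec_map is None or self.maps[r.ipsec_map].up

    def table(self):
        """One installed route per destination: the lowest cost among eligible
        routes, with ipsec and clear routes compared at the same preference."""
        best = {}
        for r in self.routes:
            if self.eligible(r) and (r.dst not in best or r.cost < best[r.dst].cost):
                best[r.dst] = r
        return best

    def tunnel_event(self, name, up):
        self.maps[name].up = up

    def send_traffic(self, dst):
        """Forward traffic for dst and return the next hop used (None if dropped).
        Traffic triggers IKE for an ipsec route only when nothing else is
        installed for that destination."""
        r = self.table().get(dst)
        if r is not None:
            return r.next_hop()
        ipsec_routes = sorted((x for x in self.routes if x.dst == dst and x.ipsec_map),
                              key=lambda x: x.cost)
        if ipsec_routes:
            self.maps[ipsec_routes[0].ipsec_map].up = True   # traffic-triggered tunnel
            return ipsec_routes[0].next_hop()
        return None

    def pre_connect_retry(self):
        """Maps with pre-connect enabled re-establish their tunnel on their own,
        independent of traffic and of what is currently installed."""
        for m in self.maps.values():
            if m.pre_connect and not m.up:
                m.up = True


def failover_sequence(primary_pre_connect, with_clear_backup=True):
    """Next hop used for 3.1.1.0/24 after: tunnel up, tunnel down, retry."""
    routes = [StaticRoute("3.1.1.0/24", cost=1, ipsec_map="s2s-pki")]
    if with_clear_backup:
        # constructed clear backup route with a higher cost than the ipsec route
        routes.append(StaticRoute("3.1.1.0/24", cost=2, gateway="42.1.1.254"))
    sim = RoutingTableSim([IpsecMap("s2s-pki", pre_connect=primary_pre_connect)], routes)
    seen = []
    sim.tunnel_event("s2s-pki", up=True)           # tunnel established
    seen.append(sim.send_traffic("3.1.1.0/24"))    # ipsec route wins on cost
    sim.tunnel_event("s2s-pki", up=False)          # tunnel drops: ipsec route withdrawn
    seen.append(sim.send_traffic("3.1.1.0/24"))    # backup (if any) carries traffic
    sim.pre_connect_retry()                        # only a pre-connect map comes back by itself
    seen.append(sim.send_traffic("3.1.1.0/24"))
    return seen


if __name__ == "__main__":
    print("pre-connect enable :", failover_sequence(True))
    print("pre-connect disable:", failover_sequence(False))
    print("no backup route    :", failover_sequence(False, with_clear_backup=False))
```

With pre-connect enabled the primary map returns and preempts the clear backup; without it the backup stays installed indefinitely, because traffic already has a route and never triggers the tunnel. Dropping the backup route shows the other half of note 1: once no other route for the destination exists, traffic brings the tunnel back up on its own.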