I have a customer with three locations; they have 6 routers, two at each site.
We have a Metro-E deployed between the sites for site-to-site without a VPN. We also have a separate Internet connection at each site. The reason they have two routers at each site is because they didn’t want an outage if one of the routers quit working.
Cisco Umbrella IPS uses an IPsec tunnel. They want you to direct all Internet traffic through the IPsec tunnel.
I could do this by making the destination address on the IPsec policy 0.0.0.0/0; however, this kills everything. None of my internal routes work.
Any ideas on how to make the traffic go out the IPsec but not kill all of the internal traffic?
@astuke, please provide some more detailed info regarding the network topology preferably using a network diagram as well as what kind of equipment is in use, the L2/L3 config, tunnels etc. Also, you need to be more specific regarding what you mean by “how to make the traffic go out the IPSEC but not kill all of the internal traffic” but maybe Sob got you the correct answer.
Sorry, I was working on finding that diagram and got sidetracked.
Each site has its own Internet; it needs all Internet traffic to go to the tunnel for Umbrella and then to the Internet, and each site would have an Umbrella tunnel.
Hi again @astuke, instead of answering one question at a time I think you will get better help if you firstly give an overall picture with essential information about for example the network topology and secondly try to be more precise regarding the specific issue you want to solve.
Also btw, the subject line is somewhat misleading as this doesn’t appear to be related to Cisco at all.
Cisco Umbrella is the product I’m dealing with; it’s using a cloud-based IPS policy to watch all of the IPs on the network as they try to access the Internet.
Cisco Umbrella is the product, I’m not sure how this is misleading. I apologize, I just assumed we knew I meant MikroTiks since I was in the MikroTik forum; I can be more specific next time. They need an IPsec tunnel to them in order for them to make their IPS product work. All Internet traffic from the LAN needs to go out the corresponding IPsec tunnel to Cisco Umbrella. If I try to do this on the IPsec tunnel by making the destination 0.0.0.0/0, it tries to send everything across the tunnel, so my internal routes no longer work.
It works great until you need to access another local subnet 10.0.2.0/24. You’ll find out that traffic doesn’t go there, because IPsec takes it. But you can add another policy before that one:
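The exemption-before-catch-all approach described in that reply, written out as an added RouterOS example (not the poster's configuration). It assumes this site's LAN is 10.0.1.0/24, the other two sites are 10.0.2.0/24 and 10.0.3.0/24 over the Metro-E, and an IPsec peer and proposal named "umbrella" (placeholders) already exist for the Umbrella tunnel.

```routeros
# Added example, not from the thread. Assumed addressing: this site's LAN is
# 10.0.1.0/24; sites 2 and 3 are 10.0.2.0/24 and 10.0.3.0/24 and are reached
# over the Metro-E, never over IPsec. "umbrella" is a placeholder for the
# peer and proposal already created for the Umbrella tunnel.
/ip ipsec policy
# 1. Exemptions first. Policies are matched top-down, so traffic to the LAN
#    itself and to the other sites must hit action=none before the
#    0.0.0.0/0 policy can take it.
add src-address=10.0.1.0/24 dst-address=10.0.1.0/24 action=none comment="local LAN, not tunnelled"
add src-address=10.0.1.0/24 dst-address=10.0.2.0/24 action=none comment="site 2 via Metro-E"
add src-address=10.0.1.0/24 dst-address=10.0.3.0/24 action=none comment="site 3 via Metro-E"
# 2. Catch-all last: everything else leaving the LAN goes into the Umbrella tunnel.
add src-address=10.0.1.0/24 dst-address=0.0.0.0/0 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes peer=umbrella proposal=umbrella comment="all Internet traffic to Umbrella"
# Verify the order: the action=none entries must be listed above the catch-all.
/ip ipsec policy print
```

If the catch-all was added earlier, move it below the exemptions with `/ip ipsec policy move`, since a new policy is appended at the end of the list.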