We have a client that require to make a IPSec tunnel for some of our employees have to connect to their servers. The tunnel has established without problem, but I think the information gathered to me is insufficient to make routes work.
The data supplied by the client: (it’s been modified for security reasons):
They have no supplied any gateways or anything else except the information about the creation of IPSec tunnel (encryp. algorithm, Pre-shared-key, etc) that was established without problems.
Is it possible to make static routes only with this information? Knowing that we have our LAN in 172.17.0.0/24 subnet. And connect to Internet (obviously) through our WAN IP 2.2.2.2.
Perhaps is too newbie question, but I feel lost actually.
But my doubt is this route include the 0.0.0.0/0 destination address associated to IPSec Tunnel, Would affect all the lan side (172.17.0.0/24) to redirect through the IPSec tunnel instead of WAN interface?
I meant that, for example, you have 172.17.0.0/24 LAN with router’s IP 172.17.0.1 on 1st side and 172.17.1.0/24 LAN with router’s IP 172.17.1.1. So you have to add static routes beween these two subnets like:
ip route
add dst-address=172.17.1.0/24 gateway=192.168.250.2 distance=1
add dst-address=172.17.0.0/24 gateway=192.168.250.1 distance=1
where 192.168.250.0/30 is GRE interface point to point subnet.
Use EoIP over IPsec with per shared key for L2VPN and GRE over IPsec for L3VPN.
To exclude default route from your direct to ISP traffic, add a static route to IPsec peer to your ISP IP and then add default route to 192.168.250.2 to route traffic via IPsec tunnel. More specific route will win less specific and your tunnel interface won’t fall.