Routing traffic over an IPsec tunnel using PBR

Traffic can be configured to route over an IPsec tunnel by using policy-based routing (PBR).

Before configuring traffic to route over an IPsec tunnel, the virtual tunnel interface (VTI) must be configured. There is an example at the end of this task that shows the configuration steps in order.
To route traffic over an IPsec tunnel using PBR, complete the following task.
  1. From privileged EXEC mode, enter global configuration mode.
    
    device# configure terminal
    
  2. Define an access control list (ACL).
    
    device(config)# access-list 99 permit 10.157.23.0 0.0.0.255
    
  3. Create a route map to accept this traffic and enter route map configuration mode.
    
    device(config)# route-map crypto-route permit 99
    
    This example creates a route map called "crypto-route".
  4. Specify the values to match for the route map.
    
    device(config-routemap crypto-route)# match ip address 99
    
    This example specifies matching based on the IP address in ACL 99.
  5. Configure matching packets to route over the IPsec tunnel.
    
    device(config-routemap crypto-route)# set ip next-hop 10.4.4.4 
    
    This example configures IPsec VTI 10.4.4.4 as the next-hop address for matching packets.
    Alternatively, you can configure the tunnel itself as the next-hop address for matching packets.
    
    device(config-routemap crypto-route)# set next-hop-ip-tunnel 2 
    
    This example configures tunnel 2 as the next-hop address for matching packets.
  6. Enter configuration mode on the interface where you want to apply the route map.
    
    device(config-routemap crypto-route)# interface ethernet 1/1/3 
    
    This example enters configuration mode on Ethernet interface 1/1/3.
  7. Enable policy-based routing on the interface and specify the route map to be used.
    
    device(config-if-e1000-1/1/3)# ip policy route-map crypto-route 
    
    This example specifies using the "crypto-route" route map for PBR on Ethernet interface 1/1/3.
  8. Return to global configuration mode.
    
    device(config-if-e1000-1/1/3)# end
    
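The steps above hinge on two things a practitioner should be able to predict before enabling `ip policy`: which source addresses ACL 99 actually permits (a wildcard mask, not a subnet mask), and what happens to packets the route map does not match (they are not dropped; they fall through to the normal routing table and leave the device outside the tunnel). The following model is an added example written for this page, not vendor code and not part of the original task; it reproduces the match logic of steps 2 through 5 with the page's own values (ACL 99, wildcard 0.0.0.255, next hop 10.4.4.4) so that the behaviour can be checked offline. The function and variable names are assumptions for illustration.

```python
import ipaddress

# Constructed model of the page's standard ACL 99 (source-address match only).
# Format: (action, base address, wildcard mask). Added example, not device code.
ACL_99 = [
    ("permit", "10.157.23.0", "0.0.0.255"),
]

# Next hop set by step 5 of the task (the IPsec VTI address).
TUNNEL_NEXT_HOP = "10.4.4.4"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Standard-ACL wildcard comparison.

    In a wildcard mask a 1 bit means "don't care", the inverse of a subnet
    mask. 0.0.0.255 therefore matches any host in 10.157.23.0/24.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF            # bits that must be equal
    return (a & care) == (b & care)


def acl_permits(acl, src: str) -> bool:
    """Evaluate entries top-down; the first match decides.

    An ACL ends with an implicit deny, so a source that matches no entry is
    not selected by the route map.
    """
    for action, base, wc in acl:
        if wildcard_match(src, base, wc):
            return action == "permit"
    return False


def pbr_next_hop(src: str, acl=ACL_99, next_hop: str = TUNNEL_NEXT_HOP):
    """Decision the route map 'crypto-route permit 99' makes for one packet.

    Returns the imposed next hop for matching traffic, or None when the
    packet is left to normal destination-based routing (and so does not
    enter the IPsec tunnel).
    """
    if acl_permits(acl, src):
        return next_hop
    return None


def classify(sources, acl=ACL_99):
    """Split a list of source addresses into tunnelled and bypassing sets.

    Useful as a pre-deployment check: anything in the second list will be
    forwarded in the clear unless another route or policy covers it.
    """
    tunnelled = [s for s in sources if pbr_next_hop(s, acl) is not None]
    bypass = [s for s in sources if pbr_next_hop(s, acl) is None]
    return tunnelled, bypass


if __name__ == "__main__":
    # Constructed sample sources; 10.157.24.1 is outside the /24 ACL 99 covers.
    sample = ["10.157.23.1", "10.157.23.254", "10.157.24.1", "192.0.2.10"]
    inside, outside = classify(sample)
    print("steered to", TUNNEL_NEXT_HOP, ":", inside)
    print("normal routing (not in tunnel):", outside)
```

Running the block with the constructed sample shows the two hosts in 10.157.23.0/24 being steered to the VTI next hop and the other two falling through to ordinary routing; widening the wildcard (for example to 0.0.255.255) is the knob that changes which hosts are protected, which is why the ACL, not the route map, deserves the closest review.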

The following example shows how to configure an IPsec VTI and how to steer traffic over the tunnel by using PBR.

device# configure terminal
device(config)# interface tunnel 1
device(config-tnif-1)# vrf forwarding blue
device(config-tnif-1)# tunnel source ethernet 1/1/1
device(config-tnif-1)# tunnel destination 10.2.2.1
device(config-tnif-1)# tunnel mode ipsec ipv4
device(config-tnif-1)# tunnel protection ipsec profile prof-blue
device(config-tnif-1)# ip address 10.4.4.4/24
device(config-tnif-1)# exit

device(config)# access-list 99 permit 10.157.23.0 0.0.0.255
device(config)# route-map crypto-route permit 99
device(config-routemap crypto-route)# match ip address 99
device(config-routemap crypto-route)# set ip next-hop 10.4.4.1 vrf blue
device(config-routemap crypto-route)# end
device(config)# interface ethernet 1/1/3
device(config-if-e1000-1/1/3)# vrf forwarding blue
device(config-if-e1000-1/1/3)# ip policy route-map crypto-route
device(config-if-e1000-1/1/3)# end