
IPsec VPN With DVTI-SVTI Routing

by | 8-May-2021 | Cisco, Security, VPN

Applied version

  • IOS-S10 (EzVPN Server)
    • Cisco IOS version 15.2(4)S7
  • PC-C1 (EzVPN Client)
    • Cisco VPN Client version 5.0.07.0410
  • IOS-C11 (EzVPN Remote)
    • Cisco IOS version 15.5(2)T

[Connectivity]

[PC-C1] to [R3], 172.16.20.104 to 10.3.3.3

ping ICMP-echo-request [OK]

 

[R3] to [PC-C1], 10.3.3.3 to 172.16.20.104

ping ICMP-echo-request [OK]

 

[Routing]

[PC-C1] to [R3], 172.16.20.104 to 10.3.3.3

//[IOS-S10] Don’t use split tunneling, or include 10.3.3.3 in the split tunneling ACL

  • [PC-C1] Route via DEFAULT route to 172.16.0.1 (interface: Cisco VPN Adapter)
    • IPsec VPN encapsulation
    • 1.1.22.22 to 1.1.10.10
    • IPsec VPN decapsulation
  • [IOS-S10] Route via EIGRP route to 11.11.11.11 (interface: Virtual-Access1)
    • IPsec VPN encapsulation
    • 1.1.10.10 to 1.1.11.11
    • IPsec VPN decapsulation
  • [IOS-C11] Route via Connected route to 10.3.3.3 (interface: Ethernet0/1)

 

[R3] to [PC-C1], 10.3.3.3 to 172.16.20.104

//[IOS-S10] Redistribute RRI-learned route: 172.16.20.104 via EIGRP redistribute static

  • [R3] Route via DEFAULT (or EIGRP) to 10.3.3.11 (interface: Ethernet0/0)
  • [IOS-C11] Route via External EIGRP route to 10.10.10.10 (interface: Tunnel11)
    • IPsec VPN encapsulation
    • 1.1.11.11 to 1.1.10.10
    • IPsec VPN decapsulation
  • [IOS-S10] Route via RRI-learned (interface: Virtual-Access2)
    • IPsec VPN encapsulation
    • 1.1.10.10 to 1.1.22.22
    • IPsec VPN decapsulation

 

*Direct spoke-to-spoke is not supported
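
The two IOS-S10 conditions noted in the `//` comments above, sketched as IOS configuration. This is an added example, not configuration from the original lab: the group, pool, ACL, prefix-list and route-map names and the EIGRP AS number are assumptions, and only the addresses 10.3.3.3 and 172.16.20.104 come from the page.

```cisco
! --- IOS-S10 (EzVPN Server): added example, names and AS 100 are assumed ---
!
! Forward path (PC-C1 -> R3): the client tunnels only what the split ACL
! permits. Option A: leave out the "acl" line so the client tunnels everything.
crypto isakmp client configuration group EZVPN-GROUP
 key <pre-shared-key-placeholder>
 pool EZVPN-POOL
 ! Option B: split tunneling is on, so the ACL must cover 10.3.3.3
 acl SPLIT-TUNNEL
!
ip access-list extended SPLIT-TUNNEL
 ! Source field = destinations the client must send through the tunnel
 permit ip host 10.3.3.3 any
!
! Return path (R3 -> PC-C1): the RRI-learned client host route sits in the
! IOS-S10 routing table as a static route via Virtual-Access. Redistribute
! only that prefix so unrelated static routes do not leak into EIGRP.
! Widen the prefix-list to the real client pool range in a deployment.
ip prefix-list EZVPN-CLIENTS seq 5 permit 172.16.20.104/32
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list EZVPN-CLIENTS
!
router eigrp 100
 redistribute static metric 10000 100 255 1 1500 route-map STATIC-TO-EIGRP
```

To check the result, `show ip route static` on IOS-S10 should list 172.16.20.104 via Virtual-Access, and `show ip route eigrp` on IOS-C11 should show the same prefix as an external EIGRP route via Tunnel11.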
