Route Based IPsec Site-to-Site VPN
Summary Insights:
- In the last two posts we covered several policy-based IPsec site-to-site VPN scenarios; in this post we explain route-based IPsec site-to-site VPN configuration and compare it with the policy-based approach.
- OSPF dynamic routing configuration through the IPsec site-to-site VPN will also be covered.
Policy-Based vs Route-Based IPsec VPN
Let me differentiate first. There are two ways to deploy an IPsec site-to-site VPN:
Policy based: we need to create an ACL and a crypto map to match the subnets and interesting traffic, then bind the crypto map to the outer physical interface. Traffic that does not match the ACL is not carried through the tunnel.
You can learn policy-based IPsec VPN configuration here: IPSec Site to Site VPN, in our last post.
Route based: it is tunnel based. We create a virtual tunnel interface (VTI) or tunnel interface to carry the traffic and an IPsec profile; no ACL is required.
Route Based IPsec VPN Configurations:
Now let me start with an example configuration in the EVE-NG lab below.

In the above topology, first configure IP addresses on all interfaces. If you need the configuration file, download it at the end of this post.
Configure the ISAKMP policy, transform set and IPsec profile as below.

Configure the tunnel interface, change the tunnel mode to IPsec (the default is GRE) and apply the IPsec profile.

Configure a static route for the remote site LAN subnet via the tunnel, and a default static route for tunnel endpoint reachability.

IPsec phase 1 is active.

The Site-B LAN subnet is pingable from Site-A.

If you want to download the complete lab configuration, I have uploaded the file in the last section of the post.
This scenario is also called GRE over IPsec.
OSPF Configuration on IPsec Route-Based VPN:
Now let me do another interesting configuration: OSPF on both sites, to advertise the LAN subnets through the IPsec VPN.
First remove the static route pointing at the tunnel interface, then configure OSPF as below.
Advertise the LAN and tunnel subnets in OSPF area 0.

The OSPF neighbor state is FULL over tunnel interface 100.

The Site-B LAN subnet is learned through OSPF in the routing table.

This dynamic routing support cannot be achieved through a policy-based IPsec VPN; that is also the main advantage of a route-based IPsec VPN: it can run dynamic routing protocols, i.e. OSPF, BGP and EIGRP.
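Putting both procedures above together (the route-based VTI with static routes, then the switch to OSPF), here is the Site-A side as an added example; it is not the post's lab file. All addresses, the tunnel /30, the PSK placeholder and the names TS-AES256 and IPSEC-PROF are constructed assumptions; Site-B mirrors it with its own LAN, tunnel address and peer address.

```cisco
! --- Site-A (constructed example addresses, RFC 5737 / RFC 1918) ---
! WAN: Gi0/0 203.0.113.1/24, default gateway 203.0.113.254
! LAN: 192.168.1.0/24; remote LAN (Site-B): 192.168.2.0/24
! Tunnel100: 172.16.100.1/30 (Site-B side 172.16.100.2, Site-B WAN 198.51.100.2)
!
! Phase 1: set an explicit strong policy instead of relying on IOS defaults
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The key is a placeholder: use a long random value, scoped to the peer address
crypto isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.2
!
! Phase 2: transform set referenced by an IPsec profile (no crypto map, no ACL)
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256
!
! Tunnel interface: "tunnel mode ipsec ipv4" makes this a VTI carrying plain IP;
! keeping the default GRE mode with tunnel protection gives GRE over IPsec instead
interface Tunnel100
 ip address 172.16.100.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! Step 1 (static routing): remote LAN via the tunnel, default route for peer reachability
ip route 192.168.2.0 255.255.255.0 Tunnel100
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! Step 2 (OSPF): drop the static LAN route, advertise LAN and tunnel subnets in area 0
no ip route 192.168.2.0 255.255.255.0 Tunnel100
router ospf 1
 network 172.16.100.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Verification: phase 1 SA, phase 2 SA, OSPF adjacency on Tunnel100, OSPF-learned route
show crypto isakmp sa
show crypto ipsec sa
show ip ospf neighbor
show ip route ospf
```

Only the LAN route is removed before enabling OSPF; the default route must stay so the tunnel endpoints remain reachable.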
