Cisco IOS Easy VPN

Configuring Tunnel Default Gateway Implementations

  • Viewing Options

  • PDF (94.0 KB)
  • Feedback


This document discusses Cisco ® tunnel default gateway implementations that are available as part of a Cisco EasyVPN/DMVPN solution. Currently, there is no easy way for customers to have traffic that terminates on VPN tunnels go through one default gateway, while all other traffic (Internet Key Exchange [IKE], for example) uses a different default gateway. This requirement is common and this paper discusses the best ways to implement this on most Cisco IP Security (IPsec) VPN devices, primarily routers.

Problem Description

The tunnel default gateway is needed to let the internal firewall and router handle the routing for all decrypted IPsec packets. Today, after a Cisco IOS ® EasyVPN Client connects to a Cisco IOS EasyVPN Server, there is no simple way for the client to send the tunnel traffic to the internal corporate network (other than to have the entire routing table on the IPsec gateway). In this type of implementation, the Cisco IOS routers use the default gateway to route all packets toward the Internet that do not have a more specific route. The tunnel default gateway gives customers the flexibility to control how they handle IPsec tunneled traffic. Once traffic coming in from a remote site is decrypted and ready to go out to the Internet, that traffic would first need to go through the internal firewall/corporate router for Network Address Translation (NAT) and firewall inspection. This is shown in Figure 1.

Figure 1. Topology

Cisco IOS Solution

Cisco IOS Software offers two solutions to provide tunnel default gateway capability: policy-based routing and virtual routing and forwarding.

Policy-Based Routing

Policy-based routing (PBR) works in a simple way. If we can define the traffic with an access control list (ACL), we can create a PBR route map, which sends traffic matched by the ACL to the specified next hop. The PBR route map should apply to the interface where "interesting" traffic enters the router. This is a simpler implementation and is recommended for small and medium-sized customers. As PBR now uses Cisco Express Forwarding switching, the impact on the router CPU should be minimal. Following is a configuration that implements a tunnel default gateway using PBR


In this configuration example, all the remote subnets are in the range (i.e., We can define PBR route maps for traffic sourcing from headed to anywhere and set the next hop to, which is our inside corporate firewall interface. Make sure you have the appropriate route inside statements on your firewalls to return traffic appropriately.
access-list 100 permit ip any
route-map VPN-INTERNET permit 10
match ip address 100
set ip next-hop (toward the firewall)
interface FastEthernet1/1
ip address
no ip redirects
duplex full
speed 100
crypto map MY-VPN
ip policy route-map VPN-INTERNET
interface Vlan1
ip address
no ip redirects
crypto map MY-VPN
ip policy route-map VPN-INTERNET
Traffic that terminates on either F1/1 or Vlan1 (the interfaces where the crypto map is applied) will show a source address representative of the remote site's internal networks (i.e. and and would get forwarded to the firewall after decryption.

Virtual Routing and Forwarding

Using virtual routing and forwarding (VRF) instances, the customer would still have a default route in the global routing table so that the IKE and IPsec signature authorities can be built. The first step is to create a "dummy" VRF and then define a default gateway within the VRF. Once the decrypted packets are mapped into the VRF instance, there is another default route that points toward the corporate firewall side. Reverse route injects a static route in the VRF routing table, which can be redistributed by the routing protocol running between this box and the corporate network as a host route or an aggregate summary of the pool. The configuration needed to achieve this is complex, and is best suited for enterprise and service provider customers. This solution has worked well in the service provider space due to the familiarity with VRFs in general, but customers without VRF knowledge can still use this configuration -- no Multiprotocol Label Switching (MPLS) knowledge is required.


Here, we configure the dummy VRFs on the Cisco IOS routers to route the tunneled traffic toward the inside corporate firewall/router.
Create a dummy VRF
ip vrf coke
rd 100:1
Define ISAKMP profile and associate the specific dummy VRF to it
crypto isakmp profile coke-ra
match identity group coke
vrf coke (associate the dummy vrf within the isakmp profile)
client authentication list authenlist
isakmp authorization list authorlist
client configuration address respond
accounting coke
Define the dynamic crypto map and bind it to the overall crypto map
crypto dynamic-map dynamic-coke 1
set transform-set transform-coke
set isakmp-profile coke-ra
reverse-route remote-peer
crypto map vpn 11 ipsec-isakmp dynamic dynamic-coke
ip local pool coke
Apply the crypto map to the Internet-facing outside interface
interface FastEthernet1/1
ip address
crypto map vpn
Set Default route in the global table pointing toward the Internet gateway for IKE and IPsec SAs to be built
ip route
Configure corporate-facing inside interface
interface FastEthernet1/0
ip vrf forwarding coke
ip address
crypto map vpn
Set default route in the VRF pointing toward the inside corporate gateway for other traffic
ip route vrf coke

Cisco VPN 3000 Series and Cisco ASA 5500 Series Configuration

This section addresses the Cisco VPN 3000 Series and Cisco ASA 5500 Series configuration for the tunnel default gateway feature, which completes the implementation for all Cisco Easy VPN servers.

Cisco VPN 3000 Series Solution

Configure the default gateways for your system.

Table 1. Configuring the Default Gateways




Default Gateway

Enter the IP address of the default gateway or router. Enter for no default router (Internet-facing).



Enter the metric, from 1 to 16.

Tunnel Default Gateway

Enter the IP address of the default gateway or router for tunnels. Enter for no default router (corporate-facing).

Cisco ASA 5500 Series Solution

Users can enter static routes in the same format as Cisco PIX ® to configure routes. Users will have the option to configure two default gateways, one with a "tunneled" option and one without. All traffic that arrives at the appliance and cannot be routed using learned routes or static routes will be routed through default gateways. If the traffic was encrypted when it initially arrived at the appliance, it will be routed through Default Tunnel Gateway (DTGW); otherwise, it will be routed through Default Gateway (DGW). A set of default gateways can be installed for each virtual context.
The IP routing subsystem routes data packets first using learned routes, then static routes, then the default gateway. If a default gateway is not configured, packets that cannot be routed to another host will be dropped. Also, a tunnel default gateway is specified, which is a separate default gateway for tunneled traffic only. A switch to let the default gateways learned through routing protocols override the configured default gateways is provided through the usage of floating metric. If a static route needs to be overridden by a route found by a routing protocol, it is specified with a maximum possible metric. In that case, when a route is found by Routing Information Protocol (RIP) or Open Shortest Path First (OSPF), it overrides the statically configured route.
Modification to existing CLI command when using Cisco ASA:
route <if_name> <gateway> [<metric>] [tunneled]