IPSec and routes

I believe I misunderstand somewhere and need your advice on this problem.

I have a successful IPSec connection to my router. When I access internal systems through this connection, does the router know which *interface* my IPSec connects to and forward the replied packets through that interface, or will it use the default route?

My problem is: my router has fa0/0 connecting to the Internet, fa0/1 connecting to a customer and other interfaces to internal systems.

If I have a VPN connection to the router from the Internet (through fa0/0) I do not have any problem.

If I connect (with VPN) to the router from fa0/1 then the VPN connection is successful, but after that I cannot access any internal system. I turn debug on and it shows me all the replied packets are forwarded to fa0/0, which is where the default route points to.

I think the router should forward packets through the interface I have the VPN connection on, but it does not in this case.

How can I make the router forward the packets through the interface where I initiate the VPN connection?

Thanks for your advice,

DT

Reply to
dt1649651

In article , snipped-for-privacy@yahoo.com wrote:
:I have a successful IPSec connection to my router. When I access
:internal systems through this connection, does the router know which
:*interface* my IPSec connects to and forward the replied packets through
:that interface or whether it will use the default route.

It just uses routing.

:If I connect (with VPN) to the router from fa0/1 then the VPN
:connection is successful but after that I cannot access any internal
:system. I turn debug on and it shows me all the replied packets are
:forwarded to fa0/0 which is where the default route points to.

Add in a more specific static route.

:I think the router should forward packets through the interface I have the VPN
:connection on, but it does not in this case.

It doesn't work that way.

:How can I make the router forward the packets through the interface where
:I initiate the VPN connection?

NAT the -source- address of the packets to an interface-specific IP. The replies will use the automatic 'connected' routes to find their way back to the original interface, where they will be de-natted and sent back to the original host.

This is, you may note, a hack. But I'm not sure what else you expected, considering that you might have the same source/destination 5-tuple for more than one interface. You could do some amount of multiplexing based upon the sequence numbers, but that's pretty fragile. There just isn't any good way of "tagging" a packet outside of IP in such a way that the tag will be returned to you transparently without having to rewrite lots and lots of networking code.

Reply to
Walter Roberson

Thanks for the clarification. This saves me the time of going the wrong way.

Just did this by adding another crypto map on fa0/2 for another IP pool and adding a static route for this pool.

Again, thanks a lot for the hint.

DT

Reply to
dt1649651
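A small model of the two points made above, Walter's "it just uses routing" (the reply's egress interface comes from a longest-prefix lookup on the destination, not from the interface the tunnel arrived on, and a source NAT to an interface address makes the connected route win) and DT's fix (a separate pool with a static route). This is an added example, not code from either poster; the routing table, the interfaces beyond fa0/0 and fa0/1, and all addresses are constructed placeholders.

```python
import ipaddress

# Constructed routing table in the shape the thread describes: fa0/0 is the
# Internet uplink and carries the default route, fa0/1 faces the customer,
# fa0/2 carries a second VPN pool, internal systems sit behind fa0/3.
# All addresses are placeholders chosen for this example.
CONNECTED = [
    ("203.0.113.0/30", "fa0/0"),   # Internet uplink
    ("198.51.100.0/24", "fa0/1"),  # customer link
    ("192.0.2.0/24", "fa0/2"),     # second interface with its own crypto map
    ("10.10.0.0/16", "fa0/3"),     # internal systems
]
DEFAULT_ROUTE = ("0.0.0.0/0", "fa0/0")
POOL_VIA_FA01 = "10.200.1.0/24"    # VPN pool handed to clients arriving on fa0/1

def lookup(routes, dst):
    """Longest-prefix match: the only input the router uses to pick the
    egress interface for a reply. Nothing here knows which interface the
    IPSec tunnel was negotiated on."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def reply_interface(client_addr, static_routes=()):
    """Interface a reply to a VPN client (pool) address leaves on, given the
    connected routes, any static routes, and the default route."""
    return lookup(CONNECTED + list(static_routes) + [DEFAULT_ROUTE], client_addr)

def nat_and_route_reply(client_addr, iface_addr):
    """Walter's hack modelled end to end: source-NAT the client's packet to
    iface_addr (an address on the arrival interface), route the internal
    host's reply to that address, then de-NAT it back to the client.
    Returns (egress interface of the reply, final destination after de-NAT)."""
    nat_table = {iface_addr: client_addr}      # translated -> original source
    egress = reply_interface(iface_addr)       # the connected route wins here
    return egress, nat_table[iface_addr]

if __name__ == "__main__":
    client = "10.200.1.5"
    print("no static route :", reply_interface(client))                      # fa0/0, the symptom
    print("with pool route :", reply_interface(client, [(POOL_VIA_FA01, "fa0/1")]))  # fa0/1
    print("NAT hack        :", nat_and_route_reply(client, "198.51.100.250"))  # ('fa0/1', client)
```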

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.