Do you like the solutions to the L2TP default routing problem? If you do, the ASR 1000 definitely doesn’t share your opinion; so far it’s impossible to configure a working combination of L2TP, IPSec (described in the original post) and PBR or VRFs:
PBR on virtual templates: doesn’t work.
Virtual template interface in a VRF: IPSec termination in a VRF doesn’t work.
L2TP interface in a VRF: This one was closest to working. In some software releases IPSec started, but the L2TP code was not (fully?) VRF-aware, so the LNS-to-LAC packets used global routing table. In other software releases IPSec would not start.
In short, a reasonable (although a bit kludgy) design that has been working for years on a 7200-series router is impossible to implement on an ASR 1000.
Before you start bashing Cisco, remember that ASR implements most of the packet forwarding process in hardware. While it’s very simple to stack together numerous randomly-selected features in a software implementation, it’s hard to do the same on a streamlined hardware platform.
Developing custom hardware is also way more expensive than writing a few more lines of C code. When designing a hardware implementation, one is thus temped to implement only the most commonly used combinations of features (or the features used by the biggest customers). If you happen to be relying on a rarely used set of features, you’re bound to have interesting problems.
With this in mind, it looks like you have only two options when deploying a device with hardware-assisted switching:
Minimize the number of features used by the device to an absolute minimum. This is not always a realistic option as you might be forced to increase the device count in your network (ASRs could be successfully deployed in our sample network if you’re willing to split L2TP termination and IPSec termination). You’re also left wondering why you’ve paid the premium for all the features you can’t use concurrently.
Work with someone who understands the device’s caveats and restrictions. If you’ve just started deploying new hardware in your network, you cannot be expected to know all its intricacies (although I’m positive your PHB thinks otherwise). Make heavy use of people who have done a similar job before. Engage Cisco’s Professional Services or a highly knowledgeable system integration partner (I wouldn’t even try to use resellers competing solely on low prices) that has extensive in-house lab facility (so they could stress-test the design before implementing it in your network).