IPSec VPN with fVRF iVRF on 2801

I am trying to get an IPSec VPN working on a 2801 (C2801-ADVIPSERVICESK9-M, Version 12.4(4)T). We are using different VRFs for the Front & Internal side of the VPN. Phase 1 establishes OK, but then Phase 2 fails with an error message.

Does anyone have any ideas? As far as I can tell, I have it configured as per an example I found yesterday on Cisco's website.

See below for debug output & config.

NB - I have replaced all public IPs with private 10 addressing. Our 2801 actually has the address which is NATted from its public address on a PIX we have in front of the router. Apart from this NAT, the PIX does nothing to this traffic & passes it all through to our router.

035104: Jun 1 14:43:35: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local=, remote=, local_proxy= (type=4), remote_proxy= (type=1), protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

035105: Jun 1 14:43:35: IPSEC(crypto_ipsec_process_proposal): no IPSEC cryptomap exists for local address


//START
!
ip vrf VRF-front
 rd 65400:1
 route-target export 65400:1
 route-target import 65400:1
!
ip vrf VRF-internal
 rd 65400:2
 route-target export 65400:2
 route-target import 65400:2
!
crypto keyring KEYRING vrf VRF-front
 pre-shared-key address key ThisIsNotTheKey
!
crypto isakmp profile ISKAMP-PROFILE
 vrf VRF-internal
 keyring KEYRING
 match identity address VRF-front
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer
 set security-association lifetime seconds 28800
 set transform-set ESP-AES-SHA
 set isakmp-profile ISKAMP-PROFILE
 match address ACL
!
interface FastEthernet0/1
 description "Internet facing interface"
 ip vrf forwarding VRF-front
 ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 no mop enabled
 crypto map VPNMAP
!
ip route vrf VRF-front
ip route vrf VRF-internal FastEthernet0/1
!
ip access-list extended ACL
 permit ip host
 permit ip host
!
//END
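The fVRF/iVRF split used in the config above has one wiring rule that is easy to get wrong: the keyring named by the ISAKMP profile must carry the VRF of the interface the crypto map is applied to (the fVRF, where the IKE packets arrive), while the profile's own vrf line names the iVRF. The following is an added example, not code from this thread: a small Python lint that parses an IOS config and reports a keyring/interface VRF mismatch or a missing profile or keyring; the SAMPLE config, its RFC 5737 addresses and the function names are constructed.

```python
"""Lint a Cisco IOS VRF-aware IPsec config: the keyring used by the crypto
map's ISAKMP profile must live in the VRF of the interface carrying the map
(the fVRF). Sample config and addresses are constructed (RFC 5737 ranges)."""
import re

SAMPLE = """\
crypto keyring KEYRING vrf VRF-front
crypto isakmp profile ISKAMP-PROFILE
 vrf VRF-internal
 keyring KEYRING
 match identity address 198.51.100.7 255.255.255.255 VRF-front
crypto map VPNMAP 10 ipsec-isakmp
 set isakmp-profile ISKAMP-PROFILE
interface FastEthernet0/1
 ip vrf forwarding VRF-front
 crypto map VPNMAP
"""

def parse_blocks(text):
    """Return [(header, [indented child lines])] for each top-level IOS block."""
    blocks = []
    for line in text.splitlines():
        if line.startswith(" ") and blocks:          # indented: child of last header
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def child(kids, prefix, idx):
    """Token number idx of the first child line starting with prefix, else None."""
    return next((k.split()[idx] for k in kids if k.startswith(prefix)), None)

def check_vrf_ipsec(text):
    """Return a list of findings; an empty list means the fVRF wiring is consistent."""
    keyrings, profiles, cmaps, ifaces = {}, {}, {}, {}
    tables = {"crypto isakmp profile": profiles, "crypto map": cmaps, "interface": ifaces}
    for header, kids in parse_blocks(text):
        if m := re.match(r"crypto keyring (\S+)(?: vrf (\S+))?$", header):
            keyrings[m[1]] = m[2]                    # keyring -> fVRF (None = global)
        elif m := re.match(r"(crypto isakmp profile|crypto map|interface) (\S+)", header):
            tables[m[1]].setdefault(m[2], []).extend(kids)   # merges crypto map seq entries
    findings = []
    for ifname, kids in ifaces.items():
        fvrf = child(kids, "ip vrf forwarding ", 3)   # None = global routing table
        for cmap in (k.split()[2] for k in kids if k.startswith("crypto map ")):
            prof = child(cmaps.get(cmap, []), "set isakmp-profile ", 2)
            kr = child(profiles.get(prof, []), "keyring ", 1)
            if prof not in profiles or kr not in keyrings:
                findings.append(f"{ifname}/{cmap}: isakmp profile {prof} or keyring {kr} undefined")
            elif keyrings[kr] != fvrf:
                findings.append(f"{prof}: keyring {kr} is in vrf {keyrings[kr]} but {ifname} is in vrf {fvrf}")
    return findings
```

Run it against a `show running-config` dump instead of SAMPLE to check a live box; an empty list means the keyring, profile and fVRF interface agree.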

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.