IPSec VPN with fVRF iVRF on 2801

I am trying to get an IPSec VPN working on a 2801 (C2801-ADVIPSERVICESK9-M, Version 12.4(4)T). We are using different VRFs for the Front & Internal side of the VPN. Phase 1 establishes OK, but then Phase 2 fails with an error message.

Does anyone have any ideas? As far as I can tell, I have it configured as per an example I found yesterday on Cisco's website.

See below for debug output & config.

NB - I have replaced all public IPs with private 10 addressing. Our 2801 actually has the address 172.31.16.248, which is NAT'ted from its public address on a PIX we have in front of the router. Apart from this NAT, the PIX does nothing to this traffic & passes it all through to our router.

035104: Jun 1 14:43:35: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 172.31.16.248, remote=10.10.10.10, local_proxy= 172.22.215.0/255.255.255.224/0/0 (type=4), remote_proxy= 10.10.10.10/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

035105: Jun 1 14:43:35: IPSEC(crypto_ipsec_process_proposal): no IPSEC cryptomap exists for local address 172.31.16.248

Config:

!
ip vrf VRF-front
 rd 65400:1
 route-target export 65400:1
 route-target import 65400:1
!
ip vrf VRF-internal
 rd 65400:2
 route-target export 65400:2
 route-target import 65400:2
!
crypto keyring KEYRING vrf VRF-front
 pre-shared-key address 10.10.10.10 key ThisIsNotTheKey
!
crypto isakmp profile ISKAMP-PROFILE
 vrf VRF-internal
 keyring KEYRING
 match identity address 10.10.10.10 255.255.255.255 VRF-front
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 10.10.10.10
 set security-association lifetime seconds 28800
 set transform-set ESP-AES-SHA
 set isakmp-profile ISKAMP-PROFILE
 match address ACL
!
interface FastEthernet0/1
 description "Internet facing interface"
 ip vrf forwarding VRF-front
 ip address 172.31.16.248 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 no mop enabled
 crypto map VPNMAP
!
ip route vrf VRF-front 0.0.0.0 0.0.0.0 172.31.16.1
ip route vrf VRF-internal 10.10.10.10 255.255.255.255 FastEthernet0/1 172.31.16.1
!
ip access-list extended ACL
 permit ip host 10.10.10.10 172.22.215.0 0.0.0.31
 permit ip host 10.10.10.10 10.164.0.0 0.0.255.255
!
Al
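One way to reproduce the responder's Phase 2 proposal check offline, as an added example that is not part of the original post: the script below parses the IPSEC(validate_proposal_request) debug line and the crypto map / interface / ACL fragments quoted above (constructed inputs copied from the post), confirms that the SA's local address sits on an interface with the crypto map applied, and then tests whether that map's crypto ACL covers the proxy identities in the direction IOS expects (source = traffic on this router's side, destination = the peer's side). The function and variable names are mine, and the "mirrored" ACL is a constructed variant with the operands swapped, not something from the post.

```python
import ipaddress
import re

# Constructed inputs, copied from the post above: the proposal debug line and
# only the crypto map / interface / ACL lines the check needs.
DEBUG_LINE = (
    "035104: Jun 1 14:43:35: IPSEC(validate_proposal_request): proposal part #1, "
    "(key eng. msg.) INBOUND local= 172.31.16.248, remote=10.10.10.10, "
    "local_proxy= 172.22.215.0/255.255.255.224/0/0 (type=4), "
    "remote_proxy= 10.10.10.10/255.255.255.255/0/0 (type=1), protocol= ESP")
CONFIG_TEMPLATE = """\
crypto map VPNMAP 10 ipsec-isakmp
 set peer 10.10.10.10
 match address ACL
interface FastEthernet0/1
 ip vrf forwarding VRF-front
 ip address 172.31.16.248 255.255.255.0
 crypto map VPNMAP
ip access-list extended ACL
{acl}
"""
# The ACL as posted (peer host as source) and the same entries mirrored into the
# order IOS expects in a crypto ACL: source = this side, destination = peer side.
ACL_AS_POSTED = (" permit ip host 10.10.10.10 172.22.215.0 0.0.0.31\n"
                 " permit ip host 10.10.10.10 10.164.0.0 0.0.255.255")
ACL_MIRRORED = (" permit ip 172.22.215.0 0.0.0.31 host 10.10.10.10\n"
                " permit ip 10.164.0.0 0.0.255.255 host 10.10.10.10")
CONFIG_AS_POSTED = CONFIG_TEMPLATE.format(acl=ACL_AS_POSTED)
CONFIG_MIRRORED = CONFIG_TEMPLATE.format(acl=ACL_MIRRORED)

PROPOSAL_RE = re.compile(
    r"local=\s*(?P<local>[\d.]+),\s*remote=\s*(?P<remote>[\d.]+),\s*"
    r"local_proxy=\s*(?P<lp>[\d.]+/[\d.]+)/\d+/\d+.*?"
    r"remote_proxy=\s*(?P<rp>[\d.]+/[\d.]+)/\d+/\d+")

def parse_proposal(line):
    """SA endpoints and Phase 2 proxy identities from a validate_proposal_request line."""
    m = PROPOSAL_RE.search(line)
    if not m:
        raise ValueError("not a validate_proposal_request line")
    return {"local": ipaddress.ip_address(m["local"]),
            "remote": ipaddress.ip_address(m["remote"]),
            "local_proxy": ipaddress.ip_network(m["lp"]),
            "remote_proxy": ipaddress.ip_network(m["rp"])}

def acl_operand(tokens):
    """Consume one ACL address operand (host X | any | X wildcard); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # A Cisco wildcard is the bitwise inverse of a netmask (non-contiguous ones raise).
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_config(text):
    """Minimal IOS parser: unindented lines open sections, indented lines are stored
    under their first two words; ACL entries are kept as token lists."""
    cfg = {"crypto map": {}, "interface": {}, "ip access-list": {}}
    cur = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if not raw[0].isspace():
            head = " ".join(tok[:2])
            if head == "crypto map" and tok[-1] == "ipsec-isakmp":
                cur = cfg[head].setdefault((tok[2], tok[3]), {})  # keyed (name, seq)
            elif tok[0] == "interface":
                cur = cfg["interface"].setdefault(tok[1], {})
            elif head == "ip access-list":
                cur = cfg[head].setdefault(tok[3], [])
            else:
                cur = None
        elif isinstance(cur, list):
            cur.append(tok)
        elif cur is not None:
            cur[" ".join(tok[:2])] = tok[2:]
    return cfg

def check_proposal(proposal, cfg):
    """Mirror the router's lookups for an incoming Phase 2 proposal: a crypto map on the
    interface owning the SA's local address, then an entry for the proposing peer whose
    ACL covers local_proxy as source and remote_proxy as destination.  acl_reversed
    flags entries that only match with the two sides swapped."""
    out = {"crypto_map": None, "acl_match": False, "acl_reversed": False}
    for iface in cfg["interface"].values():
        if iface.get("ip address", [None])[0] == str(proposal["local"]) and "crypto map" in iface:
            out["crypto_map"] = iface["crypto map"][0]
    lp, rp = proposal["local_proxy"], proposal["remote_proxy"]
    for (name, _seq), cm in cfg["crypto map"].items():
        if name != out["crypto_map"] or cm.get("set peer", [None])[0] != str(proposal["remote"]):
            continue
        for tok in cfg["ip access-list"].get(cm.get("match address", [None])[0], []):
            if tok[:2] != ["permit", "ip"]:
                continue
            src, rest = acl_operand(tok[2:])
            dst = acl_operand(rest)[0]
            if lp.subnet_of(src) and rp.subnet_of(dst):
                out["acl_match"] = True
            elif lp.subnet_of(dst) and rp.subnet_of(src):
                out["acl_reversed"] = True
    return out

if __name__ == "__main__":
    prop = parse_proposal(DEBUG_LINE)
    for label, text in (("as posted", CONFIG_AS_POSTED), ("mirrored", CONFIG_MIRRORED)):
        print(label, check_proposal(prop, parse_config(text)))
```

Run against the posted fragments, the check finds the crypto map on FastEthernet0/1 (the SA's local address 172.31.16.248 is on the interface carrying VPNMAP) but only a reversed match for the proxies, because the posted ACL lists the peer host as the source; the mirrored ACL matches cleanly. Two caveats: a proxy mismatch is a different failure from the "no IPSEC cryptomap exists for local address" message in the debug, which is logged by the crypto map lookup before any ACL comparison; and the script compares addresses only, so it does not model the VRF side of that lookup (the keyring VRF and the VRF on match identity), which this check cannot rule in or out.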

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.