VRF aware IPSEC

Hi,

Anyone familiar with VRF aware IPSEC?

I am trying to establish two tunnels with two sites having overlapping IP addresses. I want to configure all NATing in the Hub router.

I used the following guide but all this is new for me...

In my example, Site1 is translated to the subnet 172.30.4.0/24.

                                  / (1.1.1.1) PIX-Site1 ==== 10.10.4.0/24
2.2.2.0/24 ==== ROUTER (1.1.1.3) =
                                  \ (1.1.1.2) PIX-Site2 ==== 10.10.4.0/24

My first tests were with no VRF and just one site, with a standard config, and it worked well. But after adding the VRF part the crypto map is no longer triggered.

I have "debug crypto engine" on the router and nothing happens.

Here is part of my router's configuration. Any help would be appreciated. Thanks.

ip vrf site1
 rd 101:1
 route-target export 101:1
 route-target import 101:1
!
ip vrf site2
 rd 102:1
 route-target export 102:1
 route-target import 102:1
!
ip cef
!
crypto keyring site1 vrf site1
 pre-shared-key address 1.1.1.1 key vpnidsite1
crypto keyring site2 vrf site2
 pre-shared-key address 1.1.1.2 key vpnidsite2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile site1
 vrf site1
 keyring site1
 match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile site2
 vrf site2
 keyring site2
 match identity address 1.1.1.2 255.255.255.255
!
crypto ipsec transform-set 3des-sha ah-sha-hmac esp-3des
!
crypto map crymap 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set 3des-sha
 set pfs group2
 set isakmp-profile site1
 match address 2001
crypto map crymap 2 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set 3des-sha
 set pfs group2
 set isakmp-profile site2
 match address 2002
!
interface Ethernet0
 ip address 2.2.2.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 1.1.1.3 255.255.255.0
 ip nat outside
 crypto map crymap
!
ip nat outside source static network 10.10.4.0 172.30.4.0 /24 vrf site1
ip nat outside source static network 10.10.4.0 172.30.5.0 /24 vrf site2
!
ip route 0.0.0.0 0.0.0.0 1.1.1.10
ip route vrf site1 10.10.4.0 255.255.255.0 1.1.1.1 global
ip route vrf site2 10.10.4.0 255.255.255.0 1.1.1.2 global
!
access-list 2001 permit ip 2.2.2.0 0.0.0.255 10.10.4.0 0.0.0.255 log
access-list 2002 permit ip 2.2.2.0 0.0.0.255 10.10.4.0 0.0.0.255

mcaissie

Is your 1.1.1.0 network MPLS? Or straight Internet?

Also, unless the Ethernet interfaces are in one of the VRFs, I'm not sure it will work. I've played with VRF-Lite, which is what I think you need, but I can't confirm if your config would work with tweaking.

-Bob

Rob

Thanks for your reply

Straight Internet.

Good hint,

I have

Router#sh ip vrf
  Name                             Default RD          Interfaces
  site1                            101:1
  site2                            102:1

So I added "ip vrf forwarding Site1" on the interface and I get something in "debug crypto engine". The VPN is not up, but at least I have some progress.

One thing is that I can only put one "ip vrf forwarding" per interface, so I guess I will have to create one sub-interface per site.

Thanks.

mcaissie

I've used "vrf-lite" for one router in my company, and sent each VRF to a separate Ethernet interface, although this was not IPSEC. To duplicate my config for your purposes, though, you'd need a third Ethernet. It's possible you can do VRF with a trunked interface to two separate VLANs. Put a switch behind it and try that.

Rob
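A constructed hub configuration for the design discussed in this thread, added here as an illustration and not something any poster ran: the crypto map stays on the globally routed Ethernet1 (so the front-door VRF is global and the keyrings carry no "vrf"), the "vrf" under each ISAKMP profile names the inside VRF the decrypted traffic lands in, and the inside LAN is split into one 802.1Q sub-interface per site VRF as suggested in the replies. VLANs 101/102, the second inside subnet 2.2.3.0/24 and the ESP-only transform set are assumptions, and the hub-side NAT from the original post is left out because each VRF carries its own copy of 10.10.4.0/24.

```cisco
! Constructed example, not the poster's config. Keyrings have no "vrf": peers are reached via the global table (FVRF = global)
ip vrf site1
 rd 101:1
ip vrf site2
 rd 102:1
crypto keyring site1
 pre-shared-key address 1.1.1.1 key vpnidsite1
crypto keyring site2
 pre-shared-key address 1.1.1.2 key vpnidsite2
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! "vrf" under the profile is the inside VRF (IVRF) that the decrypted traffic is placed in
crypto isakmp profile site1
 vrf site1
 keyring site1
 match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile site2
 vrf site2
 keyring site2
 match identity address 1.1.1.2 255.255.255.255
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto map crymap 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set 3des-sha
 set isakmp-profile site1
 match address 2001
crypto map crymap 2 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set 3des-sha
 set isakmp-profile site2
 match address 2002
! One dot1Q sub-interface per site VRF on the inside (assumed VLANs 101/102 and subnets 2.2.2.0/24, 2.2.3.0/24)
interface Ethernet0.101
 encapsulation dot1Q 101
 ip vrf forwarding site1
 ip address 2.2.2.1 255.255.255.0
interface Ethernet0.102
 encapsulation dot1Q 102
 ip vrf forwarding site2
 ip address 2.2.3.1 255.255.255.0
interface Ethernet1
 ip address 1.1.1.3 255.255.255.0
 crypto map crymap
ip route 0.0.0.0 0.0.0.0 1.1.1.10
ip route vrf site1 10.10.4.0 255.255.255.0 1.1.1.1 global
ip route vrf site2 10.10.4.0 255.255.255.0 1.1.1.2 global
access-list 2001 permit ip 2.2.2.0 0.0.0.255 10.10.4.0 0.0.0.255
access-list 2002 permit ip 2.2.3.0 0.0.0.255 10.10.4.0 0.0.0.255
```

Each VRF's static route to 10.10.4.0/24 points at its own peer through the global table, so the two overlapping spoke subnets never meet in one routing table and the crypto ACL for each map entry can still match on the real 10.10.4.0/24 prefix.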

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.