Hi,
Is anyone familiar with VRF-aware IPsec?
I am trying to establish two tunnels to two sites that have overlapping IP addresses. I want to configure all the NATting on the hub router.
I used the following guide, but all of this is new to me...
                                    (1.1.1.1)PIX-Site1====10.10.4.0/24
                                  //
2.2.2.0/24====ROUTER(1.1.1.3)=====
                                  \\
                                    (1.1.1.2)PIX-Site2====10.10.4.0/24

My first tests were with no VRF and just one site, with a standard config, and it worked well. But after adding the VRF part the crypto map is no longer triggered.
I have "debug crypto engine" enabled on the router and nothing happens.
Here is part of my router's configuration. Any help would be appreciated. Thanks.
! VRF definitions: one per site so the overlapping 10.10.4.0/24 subnets live in separate tables
ip vrf site1
 rd 101:1
 route-target export 101:1
 route-target import 101:1
!
ip vrf site2
 rd 102:1
 route-target export 102:1
 route-target import 102:1
!
ip cef
!
! Keyrings: one pre-shared key per peer, each bound to its VRF
crypto keyring site1 vrf site1
  pre-shared-key address 1.1.1.1 key vpnidsite1
crypto keyring site2 vrf site2
  pre-shared-key address 1.1.1.2 key vpnidsite2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! ISAKMP profiles: match each peer by address, select its keyring and place the SA in its VRF
crypto isakmp profile site1
   vrf site1
   keyring site1
   match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile site2
   vrf site2
   keyring site2
   match identity address 1.1.1.2 255.255.255.255
!
crypto ipsec transform-set 3des-sha ah-sha-hmac esp-3des
!
! One crypto map with two entries, one per peer, each tied to its ISAKMP profile and crypto ACL
crypto map crymap 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set 3des-sha
 set pfs group2
 set isakmp-profile site1
 match address 2001
crypto map crymap 2 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set 3des-sha
 set pfs group2
 set isakmp-profile site2
 match address 2002
!
! Inside (LAN) interface
interface Ethernet0
 ip address 2.2.2.1 255.255.255.0
 ip nat inside
!
! Outside (WAN) interface carrying both tunnels
interface Ethernet1
 ip address 1.1.1.3 255.255.255.0
 ip nat outside
 crypto map crymap
!
! Outside-source NAT: each site's 10.10.4.0/24 is presented to the inside as a distinct /24
ip nat outside source static network 10.10.4.0 172.30.4.0 /24 vrf site1
ip nat outside source static network 10.10.4.0 172.30.5.0 /24 vrf site2
!
ip route 0.0.0.0 0.0.0.0 1.1.1.10
! Per-VRF routes to each site's LAN, with the next hop resolved in the global table
ip route vrf site1 10.10.4.0 255.255.255.0 1.1.1.1 global
ip route vrf site2 10.10.4.0 255.255.255.0 1.1.1.2 global
!
! Crypto ACLs (interesting traffic); both match the same 2.2.2.0/24 -> 10.10.4.0/24 pair
access-list 2001 permit ip 2.2.2.0 0.0.0.255 10.10.4.0 0.0.0.255 log
access-list 2002 permit ip 2.2.2.0 0.0.0.255 10.10.4.0 0.0.0.255
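A set of IOS show/debug commands for locating the stage at which the tunnel setup stalls (VRF routing, NAT, ISAKMP phase 1, IPsec phase 2), added here as an example and not taken from the original post. It assumes the names in the posted configuration (VRFs site1/site2, crypto map crymap, ACLs 2001/2002, interface Ethernet1, peers 1.1.1.1 and 1.1.1.2) and an IOS release that supports these commands.

```cisco
! Added example: verification commands, not part of the original post.
! Assumes the VRF, peer, crypto-map and ACL names from the posted config.

! 1. Does each VRF have a route to the remote LAN, and which next hop does it use?
show ip route vrf site1 10.10.4.0
show ip route vrf site2 10.10.4.0

! 2. Is the crypto map bound to the outside interface, and do its ACLs describe the traffic you send?
show crypto map interface Ethernet1
show access-lists 2001
show access-lists 2002

! 3. Do outside-source translations appear when inside hosts send traffic to 172.30.4.0/24 or 172.30.5.0/24?
show ip nat translations verbose
show ip nat translations vrf site1
show ip nat translations vrf site2
show ip nat statistics

! 4. Is phase 1 ever attempted, and which profile/keyring is selected?
debug crypto isakmp
show crypto isakmp sa detail
show crypto session detail

! 5. If phase 1 completes, check phase 2 SAs and per-peer packet counters
show crypto ipsec sa peer 1.1.1.1
show crypto ipsec sa peer 1.1.1.2
```

Work through the stages in order: if step 1 or 3 shows no route or no translation for the traffic, the packets never reach the crypto map and no amount of crypto debugging will show activity; if step 4 shows no ISAKMP activity at all, the crypto ACL is not being matched for the packets actually leaving Ethernet1.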