11-05-2007 03:47 PM
Dear All,
Has anyone successfully implemented VRF-Aware IPSec for Remote Access ?
I am trying to implement this feature on a PE which has MPLS enabled
on the Internet facing interface.
With the config below, I am being able to establish an IPSEc tunnel but not being able to PING the VRF interface configured on the same PE.
I will be really grateful for any comment or any pointers for what could
be possibly wrong with the configuration below:
!
aaa new-model
!
aaa authentication login USER-AUTHENTICATION local
aaa authorization network GROUP-AUTHORISATION local
!
crypto keyring test-1
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group test-1
key test-1
domain test.com
pool cpe-1
acl 101
!
crypto isakmp profile test-1
vrf test-1
keyring test-1
match identity group test-1
client authentication list USER-AUTHENTICATION
isakmp authorization list GROUP-AUTHORISATION
client configuration address initiate
client configuration address respond
client configuration group test-1
!
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
!
ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
!
crypto dynamic-map test-1 1
set transform-set test-1
set isakmp-profile test-1
reverse-route remote-peer
!
Internet facing interface
----------------------------
interface GigabitEthernet4/0/0
ip address x.x.x.x 255.255.255.240
ip router isis
mpls ip
crypto map IPSEC-AWARE-VRF
Customer facing interface
---------------------------
interface GigabitEthernet1/0/0.1
encapsulation dot1Q 100
ip vrf forwarding test-1
ip address 110.110.110.1 255.255.255.0
Kind regards,
ZH
Solved! Go to Solution.
11-12-2007 02:44 PM
Try disabling CEF in the physical interface or remove the subinterface from the same vrf as the crypto map. There is a bug regarding this CSCeb65521.
11-12-2007 02:44 PM
Try disabling CEF in the physical interface or remove the subinterface from the same vrf as the crypto map. There is a bug regarding this CSCeb65521.
11-13-2007 03:12 AM
Million thanks for this.
This now works after disabling CEF on the public facing interface.
Regards,
Zahid
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide