Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
839
Views
0
Helpful
2
Replies

VRF LITE + IPSEC

infotn-cco
Level 1
Level 1

‎08-01-2005 02:08 AM

Hi this conf is VRF LITE + IPSEC. During the test we see the packets don't come back (from a different vrf) to interface with tunnel. We ping from one PC behind the tunnel ip sec (inside the vrf A) to router inside the vrf B (on the same PE). The packets seem to re-enter in the tunnel (by debug ip packet) but they really do not re-enter in the tunnel.

ip vrf B

rd 100:100

route-target export 100:100

route-target import 100:100

route-target import 100:17

!

!

ip vrf A

rd 100:17

route-target export 100:17

route-target import 100:17

route-target import 100:100

!

crypto keyring itea-peer vrf A

pre-shared-key address 172.16.254.110 key pat55200itea

!

crypto isakmp policy 1

hash md5

authentication pre-share

lifetime 3600

no crypto isakmp ccm

crypto isakmp profile itea-peer

vrf A

keyring itea-peer

match identity address 172.16.254.110 255.255.255.255 A

local-address Serial3/0

!

crypto ipsec transform-set InfoTn esp-des esp-md5-hmac

!

crypto map Itea 10 ipsec-isakmp

description ITEA

set peer 172.16.254.110

set transform-set InfoTn

set isakmp-profile itea-peer

match address Serv_Itea

!

ip access-list extended Serv_Itea

permit ip any 193.43.34.0 0.0.0.255 log

!

!

interface Serial3/0

ip vrf forwarding A

ip address 172.19.7.17 255.255.255.252

serial restart-delay 0

crypto map Itea

end

!

interface GigabitEthernet0/3

ip vrf forwarding B

ip address 2.2.2.1 255.255.255.252

duplex auto

speed auto

media-type rj45

no negotiation auto

end

Labels:
Preview file
73 KB
0 Helpful
2 Replies 2

infotn-cco
Level 1
Level 1

‎08-01-2005 02:16 AM

you can see from debug the packets come back to correct interface but doesn't arrives to destination:

Flusso1-New#

Aug 1 10:15:50: IP: tableid=6, s=193.43.34.10 (Serial3/0), d=2.2.2.1 (GigabitEthernet0/3), routed via RIB

Aug 1 10:15:50: IP: s=193.43.34.10 (Serial3/0), d=2.2.2.1, len 100, rcvd 4

Aug 1 10:15:50: IP: tableid=6, s=2.2.2.1 (local), d=193.43.34.10 (Serial3/0), routed via FIB

Aug 1 10:15:50: IP: s=2.2.2.1 (local), d=193.43.34.10 (Serial3/0), len 100, sending

Flusso1-New#

PC#ping 2.2.2.1 repeat 1

Type escape sequence to abort.

Sending 1, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:

.

Success rate is 0 percent (0/1)

PC#

0 Helpful

infotn-cco
Level 1
Level 1
In response to infotn-cco

‎08-01-2005 02:53 AM

so you can see ACS match:

Flusso1-New#sh access-lists Serv_Itea

Extended IP access list Serv_Itea

20 permit ip any 193.43.34.0 0.0.0.255 log (4138 matches)

Flusso1-New#

Aug 1 10:51:48: IP: tableid=6, s=193.43.34.10 (Serial3/0), d=2.2.2.1 (GigabitEthernet0/3), routed via RIB

Aug 1 10:51:48: IP: s=193.43.34.10 (Serial3/0), d=2.2.2.1, len 100, rcvd 4

Aug 1 10:51:48: IP: tableid=6, s=2.2.2.1 (local), d=193.43.34.10 (Serial3/0), routed via FIB

Aug 1 10:51:48: IP: s=2.2.2.1 (local), d=193.43.34.10 (Serial3/0), len 100, sending

Flusso1-New#sh access-lists Serv_Itea

Extended IP access list Serv_Itea

20 permit ip any 193.43.34.0 0.0.0.255 log (4139 matches)

Flusso1-New#

0 Helpful
Customers Also Viewed These Support Documents