IPSec tunnel inside a VRF on IOS-XE


I am trying to get an IPsec tunnel built using the vrf 1 interface. In other words, g2 is in vrf 1 and I want this interface to be used to form the tunnel, and also the tunnel itself to be in this vrf. The router is an 8000v in AWS running 17.6.3a and managed by vManage. The relevant config I have is:


vrf definition 1
 description corp
 rd 1:1
crypto ikev2 proposal p1-global
 encryption aes-cbc-128 aes-cbc-256
 integrity sha1 sha256 sha384 sha512
 group 14 15 16
crypto ikev2 policy policy1-global
 match fvrf 1
 proposal p1-global
crypto ikev2 keyring if-ipsec1-ikev2-keyring
 peer if-ipsec1-ikev2-keyring-peer
  pre-shared-key 6 <>
crypto ikev2 profile if-ipsec1-ikev2-profile
 match fvrf any
 match identity remote address
 authentication remote pre-share
 authentication local pre-share
 keyring local if-ipsec1-ikev2-keyring
 lifetime 14400
 dpd 10 3 on-demand
 no config-exchange request
crypto ipsec transform-set if-ipsec1-ikev2-transform esp-gcm 256
 mode tunnel
crypto ipsec profile if-ipsec1-ipsec-profile
 set security-association lifetime kilobytes disable
 set security-association replay window-size 512
 set transform-set if-ipsec1-ikev2-transform
 set pfs group16
 set ikev2-profile if-ipsec1-ikev2-profile
interface Tunnel100001
 description tunnel 1 to Aviatrix LZ
 vrf forwarding 1
 ip address
 ip mtu 1500
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel path-mtu-discovery
 tunnel vrf 1
 tunnel protection ipsec profile if-ipsec1-ipsec-profile
interface GigabitEthernet2
 description VPN 1 interface
 vrf forwarding 1
 ip address
 no ip redirects
 load-interval 30
 negotiation auto
 arp timeout 1200

However, this is not working. I see 2 errors in the logs; this one happens when my side starts the exchange:

*Nov 25 04:56:00.433: IKEv2-ERROR:Address type 2954475087 not supported

and this is seen when the other side starts the exchange:

*Nov 25 04:55:55.069: IKEv2-ERROR:(SESSION ID = 412,SA ID = 7):: Failed to receive the AUTH msg before the timer expired

Any ideas what the issue is? I have tunnel vrf 1 on the tunnel since I want int g2 to be the fvrf.

3 Replies

MHM Cisco World (VIP Mentor)

Is the routing between the two peers also VRF-aware?

Thank you for the reply. I was missing a route in vrf 1 to reach the other end; it came up right after configuring it. Thanks!
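The piece the reply above points at, written out as an added example (not config from the thread or from Cisco): because GigabitEthernet2 and "tunnel vrf 1" both place the IKE/ESP packets in vrf 1, the route to the IKE peer has to exist in vrf 1, not in the global table, followed by the checks to confirm it. The peer address 198.51.100.10 and the VPC subnet router 10.0.1.1 are placeholder assumptions.

```cisco
! Added example, not from the original thread.
! Placeholders: peer 198.51.100.10, next hop 10.0.1.1 (the AWS subnet router on the g2 subnet).
!
! The fvrf route: without it the IKE_SA_INIT/AUTH packets have no path in vrf 1.
ip route vrf 1 198.51.100.10 255.255.255.255 10.0.1.1
!
! 1. Reachability from the fvrf, sourced from the tunnel source interface.
ping vrf 1 198.51.100.10 source GigabitEthernet2
!
! 2. The route is actually present in vrf 1 (not only in the global table).
show ip route vrf 1 198.51.100.10
!
! 3. IKEv2 got past AUTH: the SA should show as READY with fvrf 1 / ivrf 1.
show crypto ikev2 sa detailed
!
! 4. Child (ESP) SAs exist and the tunnel line protocol is up.
show crypto ipsec sa interface Tunnel100001
show interface Tunnel100001
```

If step 1 fails, the AWS side also needs the security group and route table on the g2 subnet to permit UDP/500, UDP/4500 and ESP to and from the peer; that part is outside the router config shown in the thread.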

You are so so welcome.
