IPSec tunnel inside a VRF on IOS-XE

dodgerfan78
Level 1

I am trying to get an IPsec tunnel built using the VRF 1 interface. In other words, G2 is in VRF 1 at 10.240.128.6. I want this interface to be used to form the tunnel, and also the tunnel itself to be in this VRF. The router is an 8000v in AWS running 17.6.3a and managed by vManage. The relevant config I have is:

vrf definition 1
 description corp
 rd 1:1
!
crypto ikev2 proposal p1-global
 encryption aes-cbc-128 aes-cbc-256
 integrity sha1 sha256 sha384 sha512
 group 14 15 16
!
crypto ikev2 policy policy1-global
 match fvrf 1
 proposal p1-global
!
crypto ikev2 keyring if-ipsec1-ikev2-keyring
 peer if-ipsec1-ikev2-keyring-peer
  address 10.240.4.13
  pre-shared-key 6 <>
!
!
crypto ikev2 profile if-ipsec1-ikev2-profile
 match fvrf any
 match identity remote address 10.240.4.13 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local if-ipsec1-ikev2-keyring
 lifetime 14400
 dpd 10 3 on-demand
 no config-exchange request
!
crypto ipsec transform-set if-ipsec1-ikev2-transform esp-gcm 256
 mode tunnel
!
crypto ipsec profile if-ipsec1-ipsec-profile
 set security-association lifetime kilobytes disable
 set security-association replay window-size 512
 set transform-set if-ipsec1-ikev2-transform
 set pfs group16
 set ikev2-profile if-ipsec1-ikev2-profile
!
interface Tunnel100001
 description tunnel 1 to Aviatrix LZ
 vrf forwarding 1
 ip address 169.254.1.2 255.255.255.252
 ip mtu 1500
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.240.4.13
 tunnel path-mtu-discovery
 tunnel vrf 1
 tunnel protection ipsec profile if-ipsec1-ipsec-profile
!
!
interface GigabitEthernet2
 description VPN 1 interface
 vrf forwarding 1
 ip address 10.240.128.6 255.255.255.192
 no ip redirects
 load-interval 30
 negotiation auto
 arp timeout 1200
end

However, this is not working. I see 2 errors in the logs; this one happens when my side starts the exchange:

*Nov 25 04:56:00.433: IKEv2-ERROR:Address type 2954475087 not supported

and this is seen when the other side starts the exchange:

*Nov 25 04:55:55.069: IKEv2-ERROR:(SESSION ID = 412,SA ID = 7):: Failed to receive the AUTH msg before the timer expired

Any ideas what the issue is? I have tunnel vrf 1 on the tunnel since I want that interface G2 to be the FVRF.

3 Replies

Is the routing between the two peers also VRF-aware?

Thank you for the reply. I was missing a route in vrf 1 to reach the other end, it came up right after configuring it. Thanks!

you are so so welcome
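The two things this thread turns on, that the tunnel's `tunnel vrf` matches the VRF of its source interface and that the FVRF actually holds a route to the peer, can be checked offline before an IKEv2 AUTH timeout sends you to the debugs. The script below is an added example, not code from the thread or from Cisco: it uses a minimal hypothetical parser over a constructed excerpt of the poster's config and a constructed routing table shaped like `show ip route vrf 1` output.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the thread's config (no secrets, only the lines the check needs).
CONFIG = """\
interface Tunnel100001
 vrf forwarding 1
 tunnel source GigabitEthernet2
 tunnel destination 10.240.4.13
 tunnel vrf 1
interface GigabitEthernet2
 vrf forwarding 1
 ip address 10.240.128.6 255.255.255.192
"""

KEYS = ("vrf forwarding", "tunnel source", "tunnel destination",
        "tunnel vrf", "ip address")

def parse_interfaces(config):
    """Hypothetical minimal parser: {interface name: {keyword: value}} per stanza."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
            continue
        stripped = line.strip()
        if cur is None or not stripped:
            continue
        for key in KEYS:
            if stripped.startswith(key + " "):
                cur[key] = stripped[len(key):].strip()
    return ifaces

def check_tunnel(ifaces, tunnel, vrf_routes):
    """Return findings for one tunnel interface.

    vrf_routes maps a VRF name to the prefixes in that VRF's routing table
    (what 'show ip route vrf <name>' lists); 'global' means the default table.
    """
    t = ifaces[tunnel]
    findings = []
    fvrf = t.get("tunnel vrf", "global")           # front-door VRF carrying IKE/ESP packets
    src = ifaces.get(t.get("tunnel source", ""), {})
    src_vrf = src.get("vrf forwarding", "global")  # VRF the source interface belongs to
    if fvrf != src_vrf:
        findings.append(f"{tunnel}: tunnel vrf {fvrf} but source is in VRF {src_vrf}")
    peer = ip_address(t["tunnel destination"])
    if not any(peer in ip_network(p) for p in vrf_routes.get(fvrf, [])):
        findings.append(f"{tunnel}: no route to peer {peer} in VRF {fvrf}")
    return findings
```

With only the connected 10.240.128.0/26 prefix in VRF 1, as in the original post, the check reports the missing route to 10.240.4.13; once a covering prefix is added to VRF 1 it reports nothing, matching the fix the poster found.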
