11-24-2022 09:01 PM
I am trying to get an IPsec tunnel built using the vrf 1 interface. In other words, g2 is in vrf 1 at 10.240.128.6. I want this interface to be used to form the tunnel and also the tunnel itself to be in this vrf. The router is an 8000v in AWS running 17.6.3a and managed by vManage. The relevant config I have is:
vrf definition 1
 description corp
 rd 1:1
!
crypto ikev2 proposal p1-global
 encryption aes-cbc-128 aes-cbc-256
 integrity sha1 sha256 sha384 sha512
 group 14 15 16
!
crypto ikev2 policy policy1-global
 match fvrf 1
 proposal p1-global
!
crypto ikev2 keyring if-ipsec1-ikev2-keyring
 peer if-ipsec1-ikev2-keyring-peer
  address 10.240.4.13
  pre-shared-key 6 <>
 !
!
crypto ikev2 profile if-ipsec1-ikev2-profile
 match fvrf any
 match identity remote address 10.240.4.13 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local if-ipsec1-ikev2-keyring
 lifetime 14400
 dpd 10 3 on-demand
 no config-exchange request
!
crypto ipsec transform-set if-ipsec1-ikev2-transform esp-gcm 256
 mode tunnel
!
crypto ipsec profile if-ipsec1-ipsec-profile
 set security-association lifetime kilobytes disable
 set security-association replay window-size 512
 set transform-set if-ipsec1-ikev2-transform
 set pfs group16
 set ikev2-profile if-ipsec1-ikev2-profile
!
interface Tunnel100001
 description tunnel 1 to Aviatrix LZ
 vrf forwarding 1
 ip address 169.254.1.2 255.255.255.252
 ip mtu 1500
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.240.4.13
 tunnel path-mtu-discovery
 tunnel vrf 1
 tunnel protection ipsec profile if-ipsec1-ipsec-profile
!
!
interface GigabitEthernet2
 description VPN 1 interface
 vrf forwarding 1
 ip address 10.240.128.6 255.255.255.192
 no ip redirects
 load-interval 30
 negotiation auto
 arp timeout 1200
end
However, this is not working. I see 2 errors in the logs. This happens when my side starts the exchange:
*Nov 25 04:56:00.433: IKEv2-ERROR:Address type 2954475087 not supported
and this is seen when the other side starts the exchange:
*Nov 25 04:55:55.069: IKEv2-ERROR:(SESSION ID = 412,SA ID = 7):: Failed to receive the AUTH msg before the timer expired
Any ideas what the issue is? I have tunnel vrf 1 on the tunnel since I want that int g2 to be the fvrf.
11-25-2022 12:05 AM
Is the routing between the two peers also VRF-aware?
11-25-2022 06:26 AM
Thank you for the reply. I was missing a route in vrf 1 to reach the other end, it came up right after configuring it. Thanks!
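The thread resolves to a routing gap rather than a crypto error: with tunnel vrf 1, IKEv2 and ESP are sourced from and routed in VRF 1, so the peer 10.240.4.13 needs a route in that VRF, not in the global table. The script below is an added example (not code from the thread or from Cisco); it parses a trimmed copy of the configuration posted above, checks that the tunnel's fvrf matches the source interface's VRF and an IKEv2 policy, and then does a longest-prefix lookup for the tunnel destination in that VRF over connected plus ip route vrf statics. The static route line and its next hop 10.240.128.1 are constructed placeholders, not values from the thread.

```python
import ipaddress
import re

# Trimmed copy of the config from the question (secrets omitted).
CONFIG = """\
crypto ikev2 policy policy1-global
 match fvrf 1
 proposal p1-global
!
interface Tunnel100001
 vrf forwarding 1
 ip address 169.254.1.2 255.255.255.252
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.240.4.13
 tunnel vrf 1
!
interface GigabitEthernet2
 vrf forwarding 1
 ip address 10.240.128.6 255.255.255.192
!
"""

# Constructed static route; the next hop is a placeholder, not from the thread.
MISSING_ROUTE = "ip route vrf 1 10.240.4.0 255.255.255.0 10.240.128.1"


def parse_interfaces(cfg):
    """Collect vrf, tunnel vrf/source/destination and connected network per interface."""
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"vrf": "global"})
            continue
        if not raw.startswith(" "):   # '!' or a new top-level block ends the interface
            cur = None
            continue
        if cur is None:
            continue
        for key, pat in (("vrf", r"vrf forwarding (\S+)"),
                         ("tunnel_vrf", r"tunnel vrf (\S+)"),
                         ("source", r"tunnel source (\S+)"),
                         ("destination", r"tunnel destination (\S+)")):
            m = re.match(pat, line)
            if m:
                cur[key] = m.group(1)
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m:
            cur["connected"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return ifaces


def ikev2_policy_fvrfs(cfg):
    """VRF names used by 'match fvrf' inside 'crypto ikev2 policy' blocks."""
    found, in_policy = set(), False
    for raw in cfg.splitlines():
        if raw.startswith("crypto ikev2 policy "):
            in_policy = True
        elif not raw.startswith(" "):
            in_policy = False
        elif in_policy:
            m = re.match(r"match fvrf (\S+)", raw.strip())
            if m:
                found.add(m.group(1))
    return found


def parse_static_routes(lines):
    """'ip route vrf <vrf> <prefix> <mask> <next-hop>' -> {vrf: [networks]}."""
    routes = {}
    for line in lines:
        m = re.match(r"ip route vrf (\S+) (\S+) (\S+) \S+", line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            routes.setdefault(m.group(1), []).append(net)
    return routes


def lookup(vrf, addr, ifaces, routes):
    """Longest-prefix match in one VRF over connected (non-tunnel) and static routes."""
    ip = ipaddress.ip_address(addr)
    candidates = [i["connected"] for name, i in ifaces.items()
                  if i.get("vrf") == vrf and "connected" in i and not name.startswith("Tunnel")]
    candidates += routes.get(vrf, [])
    matches = [n for n in candidates if ip in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def check_tunnel(cfg, static_routes, name="Tunnel100001"):
    """Return findings about the tunnel's underlay VRF plumbing; empty means consistent."""
    ifaces = parse_interfaces(cfg)
    tun = ifaces[name]
    fvrf = tun.get("tunnel_vrf", "global")   # no 'tunnel vrf' means the global table
    findings = []
    src = ifaces.get(tun.get("source"), {})
    if src.get("vrf") != fvrf:
        findings.append(f"{name}: tunnel vrf {fvrf} but source {tun.get('source')} is in vrf {src.get('vrf')}")
    policies = ikev2_policy_fvrfs(cfg)
    if policies and fvrf not in policies and "any" not in policies:
        findings.append(f"{name}: no crypto ikev2 policy matches fvrf {fvrf}")
    if lookup(fvrf, tun["destination"], ifaces, parse_static_routes(static_routes)) is None:
        findings.append(f"{name}: no route in vrf {fvrf} to tunnel destination {tun['destination']}")
    return findings


if __name__ == "__main__":
    print("before:", check_tunnel(CONFIG, []))
    print("after: ", check_tunnel(CONFIG, [MISSING_ROUTE]))
```

A global-table route (ip route without the vrf keyword) is deliberately ignored by the lookup, which is exactly why the original setup failed: the IKE_SA_INIT left G2 but the reply could not be forwarded back in VRF 1 without a matching route. On the router itself the equivalent checks are show ip route vrf 1 10.240.4.13 and show crypto ikev2 sa.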
11-25-2022 06:28 AM
you are so so welcome