261 Views | 0 Helpful | 16 Replies
VIP Mentor

Re: Site2Site: ACL are not installed, IPSec SA are fine

Hello Udo,

thanks for the update. So you are using VTIs now with IPSec profiles? Would you mind posting the final, working configuration, for future reference?

udo (Beginner)

Re: Site2Site: ACL are not installed, IPSec SA are fine

Hi Georg.

Yes, I can post it here. I found the solution after days of reading issues and posts about "VRF-Aware IPSec VPN". But it was all complicated, with many things you don't need. I am an admin who loves simple and clear configurations that do what I want, not more.

You don't need VTI. Because you would need to change the remote side too (because of the lack of a pre-shared key), you need a plain crypto map and ACL setup. You also don't need such OSPF, BGP or RIP routing monsters to do the simple thing I am trying to achieve.

I only use the VRF vzb as a route engine, as it is. This mechanism still works on an ASR1002X to push the protected traffic through the tunnel. The benefit is a separation of crypto traffic in a virtual instance, which you miss in pure ACL-based routing (which definitely does not work on an ASR1002X). Because I love simple but complete examples, here is my actual config. I stripped another VPN partner and the dial-up VPN.

The BOLD parts are statements I added in comparison to the original C2821 config without VRF. The keyring needs to be changed to the original crypto isakmp key <secretkey> address <peer-ip> for each peer.


aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
aaa session-id common
!
ip vrf vzb
!
ip name-server <nameserver ips>
!
crypto keyring vzb vrf vzb 
  pre-shared-key address <peerip-ldn> key <secretkey>
  pre-shared-key address <peerip-dtm> key <secretkey>
  pre-shared-key address <peerip-ams> key <secretkey>
!
no crypto isakmp default policy
!
crypto isakmp policy 3
 encr aes 256
 hash sha256
 authentication pre-share
 group 14 
 lifetime 3600
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 60 periodic
crypto isakmp nat keepalive 30
!
crypto isakmp profile vzb-ike-prof
   vrf vzb
   keyring vzb
   match identity address <peerip-ldn> 255.255.255.255 
   match identity address <peerip-dtm> 255.255.255.255 
   match identity address <peerip-ams> 255.255.255.255 
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac 
 mode tunnel
!
crypto map CRYMAP local-address GigabitEthernet0/0/1
crypto map CRYMAP 1 ipsec-isakmp 
 description VzB DTM
 set peer <peerip-dtm>
 set transform-set ipcom 
 set pfs group2
 set isakmp-profile vzb-ike-prof
 match address VZB-DTM
 reverse-route
crypto map CRYMAP 2 ipsec-isakmp 
 description VzB AMS
 set peer <peerip-ams>
 set transform-set ipcom 
 set pfs group2
 set isakmp-profile vzb-ike-prof
 match address VZB-AMS
 reverse-route
crypto map CRYMAP 3 ipsec-isakmp 
 description VzB LND
 set peer <peerip-ldn>
 set transform-set ipcom 
 set pfs group2
 set isakmp-profile vzb-ike-prof
 match address VZB-LDN
 reverse-route
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip vrf forwarding vzb
 ip address <our-peer-ip> 255.255.255.192
 no ip redirects
 negotiation auto
 crypto map CRYMAP
!
interface GigabitEthernet0/0/2
 ip address <defaultip-router> 255.255.255.240
 no ip redirects
 negotiation auto
 ipv6 nd ra suppress
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.10.10.251 255.255.255.0
 negotiation auto
!
ip forward-protocol nd
ip http server
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 1 
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 <uplink-gatewayip>
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.10.10.1
ip route vrf vzb 0.0.0.0 0.0.0.0 <gw-ip-our-peer-net>
!
ip access-list extended VZB-AMS
 permit ip <local-protected-net> 0.0.0.255 <remote-protected-net-ams> 0.0.0.31
ip access-list extended VZB-DTM
 permit ip <local-protected-net> 0.0.0.255 <remote-protected-netdtm> 0.0.0.31
ip access-list extended VZB-LDN
 permit ip <local-protected-net> 0.0.0.255 <remote-protected-net-ldn> 0.0.0.31
!
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 session-timeout 35000 
!
transport type persistent webui input https-webui
!
ntp source GigabitEthernet0/0/2
ntp server <ntp-server-ip>
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end

Hope this will help anybody who migrates an old IOS VPN aggregator to an IOS-XE ASR and prevents administrator suicide :).

Best,

Udo
