You are correct Philip, I do not need any communication between the two VRF's/clients and there are no shared subnets for them in the colo. The client's generally have VM's dedicated to them that we isolate onto their own dedicated VLans.

Hello,

As far as I know, VTI is not a GRE tunnel and it should work with generic IPsec. Have you tried it in a lab?

Masoud

Sadly, I have been getting yanked into project after project for the last couple months and by the time I get to my needed R&D time; my brain refuses to simply compute much other than what it already knows. Trying to brain-storm on how to make this work without an example to translate over has me running in circles lately and it is driving me bonkers.

I did find this link earlier:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

And you are certainly correct; I believe that using the commands:

tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI

instead of the GRE commands on the tunnel interface is more along the lines of what originally had in mind.

I think Philip likely went the crypto map right since VTI to CM based VPN is hit or miss at best depending on the vendor on the client side. The configuration seems perfectly straight-forward from the VTI standpoint but without the guarantee of an IOS based device at the other end; crypto map style configuration is a lot more likely to work with vendor XYZ IPsec.

Basically you need something like the below.  Vlanxx is the internal hosted subnet.  Gigabit0/0 is the interface facing the internet.  a.b.c.d is your outside IP address.

ip vrf client1

interface Vlanxx
 ip vrf forwarding client1
 ip address ...

crypto keyring kr-client1
 pre-shared-key address <client vpn concentrator> key xxx

crypto isakmp profile isakmp-client1
 vrf client1
 keyring kr-client1
 match identity address <client vpn concentrator> 255.255.255.255 
 local-address a.b.c.d

crypto map cm-cryptomap xxx ipsec-isakmp 
 set peer <client vpn concentrator>
 set transform-set ...
 set isakmp-profile isakmp-client1
 match address xxx
 reverse-route remote-peer a.b.c.d static

interface GigabitEthernet0/0
 crypto map cm-cryptomap

Thanks Phil!

I believe I am following the logic but it seems more "simple" than I had imagined (this is a good thing). Could also be my drained brain from the long days and I completely missed something but we'll see. Depending what I have easier access to after normal working hours tomorrow, I am going to either lab this or test in QA. Topology is drastically simplified compared to production but this allows me to limit the number of devices needed for testing purposes.

Based on the diagram I attached in the original post, I am going to be testing with a config similar to the attached. I purged the fat and used the IP's from my original diagram for verification.

Cheers.

That NAT config won't work like that.  Get just the VPN bit working first.

To provide Internet access as well you will have to NAT into the global VRF from each client VRF.

Good to know, I don't need NAT/PAT for this test so I can certainly just tear that portion out for now. Thanks for the heads up to avoid the stumble.

I had some issues getting this config to work Philip but looks like it is mainly my only option after crashing & burning on attempting to get a VTI based VRF aware IPsec tunnel up to a non-cisco device (cm based ipsec would have worked fine if my theory is correct). I will be back at troubleshooting to get this to work, not sure why it wasn't working first time around but looks like I need to get back at your method if I am going to stand any chance at this.

VTI's seldom work to non-Cisco boxes.  You'll need to use crypto maps.

What was the end result here?  Looking at a similar architecture.