08-17-2010 01:19 AM - edited 03-04-2019 09:27 AM
Hello,
I would like to set up a peer-to-peer VPN connection between 2 VRFs (Global and X) with VTI and the VRF-aware feature.
At the moment I'm using 2 IPs on the public interface (primary and secondary) that are used as VPN peers for VRF global
IPsec and X VRF IPsec termination, because I'm not able to configure the two VRF isakmp/IPsec profiles on a single public IP.
Does someone have an idea how to differentiate the 2 IPsec tunnels without configuring secondary IPs?
Here is the config of RTR1 that works with 2 public IPs (RTR2 is configured in a symmetric way)...
!
crypto keyring Globalkeyring
 pre-shared-key address 1.1.1.3 key cisco
!
crypto keyring Xkeyring
 pre-shared-key address 1.1.1.4 key cisco1
!
crypto isakmp profile Global-isakmp
 keyring Globalkeyring
 match identity address 1.1.1.3 255.255.255.255
 keepalive 10 retry 5
crypto isakmp profile X-isakmp
 keyring Xkeyring
 match identity address 1.1.1.4 255.255.255.255
 keepalive 10 retry 5
!
crypto ipsec transform-set TI-Netset1 esp-3des esp-sha-hmac
!
crypto ipsec profile Global-profile
 set transform-set TI-Netset1
 set isakmp-profile Global-isakmp
!
crypto ipsec profile X-profile
 set transform-set TI-Netset1
 set isakmp-profile X-isakmp
!
!
interface Tunnel506
 ip address 10.47.3.101 255.255.255.252
 keepalive 1 5
 tunnel source 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.3
 tunnel protection ipsec profile Global-profile
!
interface Tunnel1506
 ip vrf forwarding X
 ip address 10.47.229.101 255.255.255.252
 keepalive 1 5
 tunnel source 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.4
 tunnel protection ipsec profile X-profile
!
!
interface GigabitEthernet0/1
 description External
 ip address 1.1.1.1 255.255.255.0 secondary
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
!
10-15-2011 10:44 AM
Did you get this to work?
10-16-2011 02:28 AM
You could use a front-end VRF with VPN.
See the below link; even if you are using VTI, not DMVPN, it is still the same concept of the tunnel and VRF.
Hope this helps.
If helpful, rate.
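The following is an added example, not the poster's running config and not taken from the link the reply refers to. It shows the two VTIs from the original post terminating on a single public address: IOS selects the ISAKMP profile by the remote peer's identity (and front-door VRF), not by the local address, so the second public IP is not needed. The VRF name X, the peer addresses 1.1.1.3/1.1.1.4, the keyring, profile and tunnel names come from the thread; the front-door VRF INET, the next hop 1.1.1.254 and the ISAKMP policy are assumed.

```cisco
! Added example: two VRF-aware VTIs on one public IP with a front-door VRF.
! Assumed: FVRF name INET, default next hop 1.1.1.254, ISAKMP policy 10.
ip vrf INET
!
ip vrf X
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Keyrings are bound to the FVRF and each holds exactly one peer, so the
! keyring lookup for an incoming IKE request cannot land on the wrong entry.
crypto keyring Globalkeyring vrf INET
 pre-shared-key address 1.1.1.3 key cisco
crypto keyring Xkeyring vrf INET
 pre-shared-key address 1.1.1.4 key cisco1
!
! Profile selection is by peer identity within the FVRF; the local address
! 1.1.1.1 is common to both profiles and plays no role in the match.
crypto isakmp profile Global-isakmp
 keyring Globalkeyring
 match identity address 1.1.1.3 255.255.255.255 INET
 keepalive 10 retry 5
crypto isakmp profile X-isakmp
 keyring Xkeyring
 match identity address 1.1.1.4 255.255.255.255 INET
 keepalive 10 retry 5
!
crypto ipsec transform-set TI-Netset1 esp-3des esp-sha-hmac
!
! Each IPsec profile is pinned to its own ISAKMP profile so that phase 2
! for a tunnel can only be negotiated by the peer that matched that profile.
crypto ipsec profile Global-profile
 set transform-set TI-Netset1
 set isakmp-profile Global-isakmp
crypto ipsec profile X-profile
 set transform-set TI-Netset1
 set isakmp-profile X-isakmp
!
! Single public address; IKE and ESP are sourced from and routed in INET.
interface GigabitEthernet0/1
 description External
 ip vrf forwarding INET
 ip address 1.1.1.1 255.255.255.0
!
ip route vrf INET 0.0.0.0 0.0.0.0 1.1.1.254
!
! Both VTIs share the same source; they differ by destination, by FVRF
! (tunnel vrf) and by IVRF (ip vrf forwarding on the tunnel, global here).
interface Tunnel506
 ip address 10.47.3.101 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 1.1.1.3
 tunnel mode ipsec ipv4
 tunnel vrf INET
 tunnel protection ipsec profile Global-profile
!
interface Tunnel1506
 ip vrf forwarding X
 ip address 10.47.229.101 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 1.1.1.4
 tunnel mode ipsec ipv4
 tunnel vrf INET
 tunnel protection ipsec profile X-profile
```

After bringing the tunnels up, "show crypto session detail" should list each peer against its own ISAKMP profile and IVRF, and "show crypto isakmp sa" should show two SAs with the same local address 1.1.1.1. The GRE-style "keepalive" from the original config is left off the VTIs here; liveness on an IPsec VTI comes from the ISAKMP profile keepalive (DPD). Keep the keyrings free of wildcard entries (pre-shared-key address 0.0.0.0 0.0.0.0): a wildcard entry in one keyring can be selected for the other peer's IKE request and then fails the profile match.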
10-17-2011 06:27 AM
Maybe you could help me out. I will explain the situation and what I want to set up:
The configuration needs to be similar to this Configuration Template but will need a second tunnel included for backup. (**Note: For each tunnel I am required to use a different tunnel source. Each source being a WAN IP address.**)
crypto isakmp policy 1
 encryption [ENCRYPTION TYPE]
 hash [HASH TYPE]
 authentication pre-share
 group 2
crypto isakmp key [SECRET] address [REMOTE IP]
!
crypto ipsec transform-set [NAME] [TRANSFORM 1]
 mode transport
!
crypto map [MAP NAME] 10 ipsec-isakmp
 set peer [REMOTE IP ADDRESS]
 set transform-set [TRANSFORM-SET NAME]
 match address [ACCESS-LIST NUMBER OR NAME]
!
access-list [ACL NUMBER OR NAME] permit gre host [LOCAL IP] host [REMOTE IP]
!
interface [INTERFACE NAME/NUMBER]
 ip address [LOCAL IP] [MASK]
 crypto map [MAP NAME]
!
interface Tunnel0
 ip address [LOCAL TUNNEL IP] 255.255.255.252
 tunnel source [LOCAL INTERFACE IP]
 tunnel destination [REMOTE IP]
!
router bgp [LOCAL AS NUMBER]
 neighbor [VZW TUNNEL IP] remote-as 22394
 network [INTERNAL NETWORK] mask [MASK]
These are the requirements given to me by the vendor we are working with:
The IPsec tunnel endpoint and GRE tunnel endpoints must both reside on the same physical customer device.
BGP peering relationship between each Private Network connecting via VPN.
GRE is required because:
Allows for passing non-IP traffic (including Multicast, etc.)
Creates a logical WAN interface (with a /30 customer-provided network).
Allows the Enterprise to extend their internal private network to the Wireless Private Network router.
Allows for simple EBGP peering at the GRE tunnel endpoints.
The Enterprise can make changes to their IP addressing without needing to notify the Wireless Vendor.
Thanks. Any help would be greatly appreciated. Thanks.
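The following is an added example of the vendor template extended with the backup tunnel the post asks for; it is not the poster's config and not the vendor's. Each GRE tunnel is sourced from its own WAN address, and each WAN interface carries its own crypto map whose ACL protects only the GRE flow between that interface's address and its peer, so the two IPsec SAs cannot be confused. The remote AS 22394 is from the template; the WAN and tunnel addresses (RFC 5737 and RFC 1918 ranges), the local AS 65001, the interface names, key placeholders and the AES/SHA cipher choice are all constructed assumptions.

```cisco
! Added example: redundant GRE over IPsec with two WAN sources.
! All addresses, AS 65001, names and keys are constructed placeholders;
! only remote-as 22394 comes from the vendor template.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! One pre-shared key per peer address (host match, /32 implied).
crypto isakmp key PSK-PRIMARY-PLACEHOLDER address 198.51.100.10
crypto isakmp key PSK-BACKUP-PLACEHOLDER address 198.51.100.20
!
! Transport mode: the GRE header already carries the outer addresses,
! so ESP only needs to protect the GRE payload.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACLs: exactly the GRE flow from this WAN address to its peer.
ip access-list extended GRE-WAN1
 permit gre host 203.0.113.1 host 198.51.100.10
ip access-list extended GRE-WAN2
 permit gre host 203.0.113.65 host 198.51.100.20
!
! One crypto map per WAN interface; the map inherits its local address
! from the interface it is applied to.
crypto map WAN1-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set GRE-TS
 match address GRE-WAN1
crypto map WAN2-MAP 10 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set GRE-TS
 match address GRE-WAN2
!
interface GigabitEthernet0/0
 description WAN1 (primary)
 ip address 203.0.113.1 255.255.255.0
 crypto map WAN1-MAP
!
interface GigabitEthernet0/1
 description WAN2 (backup)
 ip address 203.0.113.65 255.255.255.192
 crypto map WAN2-MAP
!
! GRE keepalives take the tunnel line protocol down when the path (or its
! IPsec SA) fails, which drops the BGP session and triggers failover.
interface Tunnel0
 description Primary GRE over WAN1
 ip address 10.255.0.1 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
!
interface Tunnel1
 description Backup GRE over WAN2
 ip address 10.255.0.5 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.20
!
! EBGP over both tunnels; prefer the primary inbound with local-preference
! and make the backup less attractive to the peer with AS-path prepending.
router bgp 65001
 network 10.10.0.0 mask 255.255.0.0
 neighbor 10.255.0.2 remote-as 22394
 neighbor 10.255.0.2 route-map PRIMARY-IN in
 neighbor 10.255.0.6 remote-as 22394
 neighbor 10.255.0.6 route-map BACKUP-OUT out
!
route-map PRIMARY-IN permit 10
 set local-preference 200
!
route-map BACKUP-OUT permit 10
 set as-path prepend 65001 65001
```

If the vendor terminates both tunnels on the same remote address, the same peer can appear in both crypto maps; the two SAs are still distinct because the crypto ACLs differ in the local host. Verify with "show crypto ipsec sa" that each SA is bound to its own local address, and with "show ip bgp summary" that both neighbors are established while the primary path carries the traffic.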