08-26-2010 01:54 AM - edited 03-04-2019 09:33 AM
Hello, I'd like to set up a VTI with the fVRF in a non-global VRF and the iVRF in the global one.
Is it possible to have the VTI tunnel source/destination in a non-global VRF in IPsec mode?
Here is the config and the error; the peer is configured in a symmetrical way ...
!
crypto ikev2 proposal prop-1
 encryption 3des
 integrity md5
 group 2
!
crypto ikev2 policy pol-1
 match fvrf internet
 proposal prop-1
!
crypto ikev2 keyring v2-kr1
 peer abc
  address 1.1.1.252
  pre-shared-key abc
!
crypto ikev2 profile prof
 match fvrf internet
 match identity remote address 1.1.1.252 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring v2-kr1
 ivrf global
!
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
!
crypto ipsec profile ipsecprof
 set transform-set trans
 set ikev2-profile prof
!
!
interface GigabitEthernet0/1
 description Internet
 ip vrf forwarding internet
 ip address 1.1.1.244 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel506
 ip address 10.47.3.101 255.255.255.252
 keepalive 1 5
 tunnel source 1.1.1.244
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.252
 tunnel protection ipsec profile ipsecprof
!
*Aug 26 10:45:42.779: IKEv2:% Getting preshared key from profile keyring v2-kr1
*Aug 26 10:45:42.779: IKEv2:% Getting preshared key by address 1.1.1.244
*Aug 26 10:45:42.779: IKEv2:% Matched peer block 'abc'
*Aug 26 10:45:42.779: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.252
*Aug 26 10:45:42.779: IKEv2:Policy pol-1 cannot be picked due to fvrf mismatch
*Aug 26 10:45:42.779: IKEv2:No Matching policy with fvrf 0, local addr 1.1.1.252
*Aug 26 10:45:42.779: IKEv2:Failed to initiate sa
02-10-2012 09:02 PM
I know this is a very old post, but I'd like to answer it anyway for future use, since it pops up at the top of a Google search for "vti fvrf".
The key is to specify your fVRF on your tunnel interface. For instance:
interface Tunnel 506
 ip address 10.47.3.101 255.255.255.252
 keepalive 1 5
 tunnel source 1.1.1.244
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.252
 tunnel vrf internet
 tunnel protection ipsec profile ipsecprof
This will specify the VRF that your tunnel source and destination are in.
Since there is no "vrf forwarding" command on your Tunnel506, the tunneled traffic will be in your global VRF.
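The mismatch in the question is easy to catch mechanically: the tunnel source 1.1.1.244 belongs to an interface in VRF "internet", the IKEv2 profile matches fvrf "internet", but the tunnel has no "tunnel vrf", so IKEv2 searches with fvrf 0 (global) and reports the "fvrf mismatch" seen in the debug. Below is an added example of a small config lint that flags exactly that, written for this page and not part of the thread or of any Cisco tool. It assumes running-config layout (blocks separated by "!" lines, subcommands as shown above); the embedded configs are a trimmed copy of the poster's config and the same config with the answer's "tunnel vrf internet" added.

```python
"""Lint an IOS running-config for VTI front-door VRF (fVRF) mismatches.
Added example, not Cisco tooling and not from the thread: a protected tunnel's
effective fVRF ("tunnel vrf", default global) must match the VRF that owns its
"tunnel source" and the "match fvrf" of the IKEv2 profile behind its IPsec profile."""
GLOBAL = "global"

def parse_blocks(config):
    """Return (header, [subcommands]) for each '!'-delimited block, as in show run."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or not line:
            if current:
                blocks.append((current[0], current[1:]))
                current = []
            continue
        current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks

def first_arg(lines, prefix):
    """Arguments of the first subcommand that starts with prefix, else None."""
    for line in lines:
        if line == prefix or line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None

def build_model(config):
    """Collect the interfaces, IPsec profiles and IKEv2 profiles the lint needs."""
    interfaces, ipsec_profiles, ikev2_profiles = {}, {}, {}
    for header, body in parse_blocks(config):
        words = header.split()
        if words[0] == "interface":
            name = "".join(words[1:])  # "Tunnel 506" and "Tunnel506" both become Tunnel506
            addr = first_arg(body, "ip address")
            prot = first_arg(body, "tunnel protection ipsec profile")
            interfaces[name] = {
                "vrf": first_arg(body, "ip vrf forwarding")
                or first_arg(body, "vrf forwarding") or GLOBAL,
                "ip": addr.split()[0] if addr else None,
                "tunnel_source": first_arg(body, "tunnel source"),
                "tunnel_vrf": first_arg(body, "tunnel vrf"),
                "ipsec_profile": prot.split()[0] if prot else None,
            }
        elif header.startswith("crypto ipsec profile "):
            ipsec_profiles[words[3]] = first_arg(body, "set ikev2-profile")
        elif header.startswith("crypto ikev2 profile "):
            ikev2_profiles[words[3]] = first_arg(body, "match fvrf")
    return interfaces, ipsec_profiles, ikev2_profiles

def lint_vti_fvrf(config):
    """Return findings as strings; an empty list means every VTI's fVRF is consistent."""
    interfaces, ipsec_profiles, ikev2_profiles = build_model(config)
    by_ip = {i["ip"]: n for n, i in interfaces.items() if i["ip"]}
    findings = []
    for name, intf in interfaces.items():
        if not intf["ipsec_profile"]:
            continue  # not an IPsec-protected tunnel, nothing to check
        declared = intf["tunnel_vrf"] or GLOBAL
        src = (intf["tunnel_source"] or "").replace(" ", "")  # address or interface name
        src_if = by_ip.get(src) or (src if src in interfaces else None)
        if src_if is None:
            findings.append(f"{name}: tunnel source {src!r} is not an address or interface here")
            continue
        actual = interfaces[src_if]["vrf"]
        if actual != declared:
            fix = f"add 'tunnel vrf {actual}'" if actual != GLOBAL else "remove 'tunnel vrf'"
            findings.append(f"{name}: source {src} is in VRF {actual} ({src_if}) "
                            f"but the tunnel's fVRF is {declared}; {fix}")
        ike_prof = ipsec_profiles.get(intf["ipsec_profile"])
        match_fvrf = ikev2_profiles.get(ike_prof) if ike_prof else None
        if match_fvrf not in (None, "any", declared):
            findings.append(f"{name}: IKEv2 profile {ike_prof} matches fvrf {match_fvrf} but "
                            f"the tunnel's fVRF is {declared}; policy lookup will hit 'fvrf mismatch'")
    return findings

# Constructed sample input: a trimmed copy of the config posted in the question.
BROKEN_CONFIG = """\
crypto ikev2 profile prof
 match fvrf internet
!
crypto ipsec profile ipsecprof
 set ikev2-profile prof
!
interface GigabitEthernet0/1
 ip vrf forwarding internet
 ip address 1.1.1.244 255.255.255.0
!
interface Tunnel506
 tunnel source 1.1.1.244
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.252
 tunnel protection ipsec profile ipsecprof
"""
# The same config with the answer's fix, the fVRF declared on the tunnel.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "tunnel mode ipsec ipv4", "tunnel mode ipsec ipv4\n tunnel vrf internet")
```

Calling lint_vti_fvrf(BROKEN_CONFIG) returns two findings, one pointing at the missing "tunnel vrf internet" and one at the IKEv2 profile's "match fvrf internet" that the global-fVRF tunnel can never satisfy; lint_vti_fvrf(FIXED_CONFIG) returns an empty list. The source lookup accepts either an address or an interface name, so "tunnel source GigabitEthernet0/1" is checked the same way.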