Blue_Bird (VIP)

VRF Aware IPSEC (IKEv1) VPN

Introduction

Lab Topology

Basic Configuration

IPSEC VPN Configuration

Introduction

Virtual Routing and Forwarding (VRF) is a technology for creating separate virtual routers on a single physical router. Interfaces, routing tables and forwarding tables are isolated on a per-VRF basis, so traffic in one VRF cannot interfere with another VRF. In other words, VRF lets us build multiple virtual networks on top of a single physical network.

As you know, service providers deliver services to many different customer networks, and these networks often use overlapping IP address ranges internally. So how does a service provider manage this without conflicts? Service providers use VRFs to run multiple routing instances, and by doing so they connect customer locations without any address conflict. From the customer's point of view, their locations are simply connected to the ports of a router.

IPsec (Internet Protocol Security) is then used to encrypt the traffic that passes over these VRF interfaces.

Lab Topology

[Figure: lab topology diagram (R1 and R2 with VRFs cust-a and cust-b; R3 to R6 as customer sites)]

R1 Basic configuration

Step-1: Define the VRFs needed

R1(config)# vrf definition cust-a
R1(config-vrf)# address-family ipv4
R1(config-vrf-af)# exit-address-family
R1(config-vrf)# vrf definition cust-b
R1(config-vrf)# address-family ipv4
R1(config-vrf-af)# exit-address-family
R1(config-vrf)# exit

Step-2: Configure the interfaces in the proper VRFs

R1(config)# interface fastEthernet0/0
R1(config-if)# vrf forwarding cust-b
R1(config-if)# ip address 1.1.1.1 255.255.255.252
R1(config-if)# no shutdown
R1(config)# interface fastEthernet1/0
R1(config-if)# vrf forwarding cust-a
R1(config-if)# ip address 1.1.1.1 255.255.255.252
R1(config-if)# no shutdown
R1(config)# interface fastEthernet2/0
R1(config-if)# vrf forwarding cust-a
R1(config-if)# ip address 192.1.1.1 255.255.255.252
R1(config-if)# no shutdown
R1(config)# interface fastEthernet3/0
R1(config-if)# vrf forwarding cust-b
R1(config-if)# ip address 192.1.1.1 255.255.255.252
R1(config-if)# no shutdown

Step-3: Configure the routing protocol (EIGRP)

R1(config)# router eigrp 100
R1(config-router)# address-family ipv4 vrf cust-a autonomous-system 1000
R1(config-router-af)# network 1.1.1.0 0.0.0.3
R1(config-router-af)# network 192.1.1.0 0.0.0.3
R1(config-router-af)# exit-address-family
R1(config-router)# address-family ipv4 vrf cust-b autonomous-system 2000
R1(config-router-af)# network 1.1.1.0 0.0.0.3
R1(config-router-af)# network 192.1.1.0 0.0.0.3
R1(config-router-af)# exit-address-family
R1(config-router)# exit

R2 Basic configuration

Step-1: Define the VRFs needed

R2(config)# vrf definition cust-a
R2(config-vrf)# address-family ipv4
R2(config-vrf-af)# exit-address-family
R2(config-vrf)# vrf definition cust-b
R2(config-vrf)# address-family ipv4
R2(config-vrf-af)# exit-address-family

Step-2: Configure the interfaces in the proper VRFs

R2(config)# interface fastEthernet0/0
R2(config-if)# vrf forwarding cust-b
R2(config-if)# ip address 1.1.1.2 255.255.255.252
R2(config-if)# no shutdown
R2(config-if)# interface fastEthernet1/0
R2(config-if)# vrf forwarding cust-a
R2(config-if)# ip address 1.1.1.2 255.255.255.252
R2(config-if)# no shutdown
R2(config-if)# interface fastEthernet2/0
R2(config-if)# vrf forwarding cust-a
R2(config-if)# ip address 192.1.2.1 255.255.255.252
R2(config-if)# no shutdown
R2(config-if)# interface fastEthernet3/0
R2(config-if)# vrf forwarding cust-b
R2(config-if)# ip address 192.1.2.1 255.255.255.252
R2(config-if)# no shutdown

Step-3: Configure the routing protocol (EIGRP)

R2(config)# router eigrp 100
R2(config-router)# address-family ipv4 vrf cust-a autonomous-system 1000
R2(config-router-af)# network 1.1.1.0 0.0.0.3
R2(config-router-af)# network 192.1.2.0 0.0.0.3
R2(config-router-af)# exit-address-family
R2(config-router)# address-family ipv4 vrf cust-b autonomous-system 2000
R2(config-router-af)# network 1.1.1.0 0.0.0.3
R2(config-router-af)# network 192.1.2.0 0.0.0.3
R2(config-router-af)# exit-address-family

The routers R3, R4, R5 and R6 should be configured with normal (non-VRF) interfaces and the same routing protocol (EIGRP).

IPSEC (IKEv1) Configuration

R1 Configuration

Step-1: Configure the ISAKMP policy

R1(config)# crypto isakmp policy 5
R1(config-isakmp)# encr aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 19
R1(config-isakmp)# lifetime 28800
R1(config-isakmp)# exit

Step-2: Create keyrings (since the PSK has to be tied to a VRF, we need one keyring per VRF)

R1(config)# crypto keyring KR-cust-a vrf cust-a
R1(conf-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key cisco@123
R1(conf-keyring)# crypto keyring KR-cust-b vrf cust-b
R1(conf-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key cisco@123

Step-3: Configure the ISAKMP profiles

R1(config)# crypto isakmp profile cust-a-isakmp-profile
R1(conf-isa-prof)# vrf cust-a
R1(conf-isa-prof)# keyring KR-cust-a
R1(conf-isa-prof)# match identity address 0.0.0.0 cust-a
R1(conf-isa-prof)# crypto isakmp profile custb-isakmp-profile
R1(conf-isa-prof)# vrf cust-b
R1(conf-isa-prof)# keyring KR-cust-b
R1(conf-isa-prof)# match identity address 0.0.0.0 cust-b

Step-4: Create the transform set

R1(config)# crypto ipsec transform-set TFS esp-aes esp-sha-hmac
R1(cfg-crypto-trans)# mode tunnel

Step-5: Configure the crypto access control list

R1(config)# ip access-list extended 100
R1(config-ext-nacl)# permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255

Step-6: Create the crypto maps (we need one per VRF)

R1(config)# crypto map cust-a-CMap isakmp-profile cust-a-isakmp-profile
R1(config)# crypto map cust-a-CMap 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TFS
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# exit
R1(config)# crypto map cust-b-CMap isakmp-profile custb-isakmp-profile
R1(config)# crypto map cust-b-CMap 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TFS
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# exit

Step-7: Apply the crypto maps to the relevant interfaces

R1(config)# interface fastEthernet1/0
R1(config-if)# crypto map cust-a-CMap
R1(config)# interface fastEthernet0/0
R1(config-if)# crypto map cust-b-CMap

R2 Configuration

Step-1: Configure the ISAKMP policy

R2(config)# crypto isakmp policy 5
R2(config-isakmp)# encr aes
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 19
R2(config-isakmp)# lifetime 28800
R2(config-isakmp)# exit

Step-2: Create keyrings (since the PSK has to be tied to a VRF, we need one keyring per VRF)

R2(config)# crypto keyring KR-cust-a vrf cust-a
R2(conf-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key cisco@123
R2(conf-keyring)# crypto keyring KR-cust-b vrf cust-b
R2(conf-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key cisco@123

Step-3: Configure the ISAKMP profiles

R2(config)# crypto isakmp profile cust-a-isakmp-profile
R2(conf-isa-prof)# vrf cust-a
R2(conf-isa-prof)# keyring KR-cust-a
R2(conf-isa-prof)# match identity address 0.0.0.0 cust-a
R2(conf-isa-prof)# crypto isakmp profile cust-b-isakmp-profile
R2(conf-isa-prof)# vrf cust-b
R2(conf-isa-prof)# keyring KR-cust-b
R2(conf-isa-prof)# match identity address 0.0.0.0 cust-b
R2(conf-isa-prof)# exit

Step-4: Create the transform set

R2(config)# crypto ipsec transform-set TFS esp-aes esp-sha-hmac
R2(cfg-crypto-trans)# mode tunnel

Step-5: Configure the crypto access control list (the mirror image of R1's)

R2(config)# ip access-list extended 100
R2(config-ext-nacl)# permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255

Step-6: Create the crypto maps (we need one per VRF; the isakmp-profile name must match the profile defined in Step-3, otherwise IOS rejects the command with "% Profile ... not found in configuration")

R2(config)# crypto map cust-a-CMap isakmp-profile cust-a-isakmp-profile
R2(config)# crypto map cust-a-CMap 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TFS
R2(config-crypto-map)# match address 100
R2(config-crypto-map)# exit
R2(config)# crypto map cust-b-CMap isakmp-profile cust-b-isakmp-profile
R2(config)# crypto map cust-b-CMap 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TFS
R2(config-crypto-map)# match address 100
R2(config-crypto-map)# exit

Step-7: Apply the crypto maps to the relevant interfaces

R2(config)# interface fastEthernet1/0
R2(config-if)# crypto map cust-a-CMap
R2(config)# interface fastEthernet0/0
R2(config-if)# crypto map cust-b-CMap
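The VRF-aware design only works when every object in the chain points at the right place: the crypto map must name an ISAKMP profile that exists, that profile's keyring must be bound to the same VRF as the profile, the interface carrying the crypto map must sit in that VRF, and the crypto ACL on one peer must be the mirror image of the other peer's. The Python script below is an added example (not part of the original article and not a Cisco tool) that reads a simplified IOS-style running-config and checks exactly those bindings. The config text inside it is constructed from the R1 and R2 values above, with one crypto-map line deliberately pointing at a misspelled profile name (custb- instead of cust-b-) so the check has something to catch; the function names (build_model, check_bindings, check_acl_mirror) are the example's own, and the parser only understands the handful of commands used in this lab.

```python
"""Cross-reference checks for a VRF-aware IKEv1 crypto-map configuration.
Added example (not from the article): reads a simplified IOS-style running-config
and reports binding mistakes that otherwise surface only as a '% ... not found'
error or as a tunnel that never negotiates."""
# Constructed sample modelled on the article's R2, with one crypto-map line
# deliberately pointing at a profile name that is never defined (custb-...).
R2_CONFIG = """\
interface FastEthernet0/0
 vrf forwarding cust-b
 crypto map cust-b-CMap
interface FastEthernet1/0
 vrf forwarding cust-a
 crypto map cust-a-CMap
crypto keyring KR-cust-a vrf cust-a
crypto keyring KR-cust-b vrf cust-b
crypto isakmp profile cust-a-isakmp-profile
   vrf cust-a
   keyring KR-cust-a
crypto isakmp profile cust-b-isakmp-profile
   vrf cust-b
   keyring KR-cust-b
crypto map cust-a-CMap isakmp-profile cust-a-isakmp-profile
crypto map cust-a-CMap 10 ipsec-isakmp
 match address 100
crypto map cust-b-CMap isakmp-profile custb-isakmp-profile
crypto map cust-b-CMap 10 ipsec-isakmp
 match address 100
ip access-list extended 100
 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
"""
# Constructed sample: only the R1 pieces the ACL mirror check needs.
R1_CONFIG = """\
crypto map cust-a-CMap 10 ipsec-isakmp
 match address 100
ip access-list extended 100
 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
"""

def parse_sections(text):
    """Group indented lines under the preceding top-level command."""
    sections = []
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace():
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def word_after(body, *prefix):
    """Word following `prefix` on the first body line that starts with it."""
    for bw in (b.split() for b in body):
        if bw[:len(prefix)] == list(prefix) and len(bw) > len(prefix):
            return bw[len(prefix)]
    return None

def build_model(text):
    """Extract keyrings, ISAKMP profiles, crypto maps, interfaces and ACLs."""
    m = {"keyrings": {}, "profiles": {}, "cmap_profile": {}, "cmap_acl": {}, "interfaces": {}, "acls": {}}
    for head, body in parse_sections(text):
        w = head.split()
        if head.startswith("crypto keyring "):        # keyring name -> VRF it is bound to
            m["keyrings"][w[2]] = w[w.index("vrf") + 1] if "vrf" in w else None
        elif head.startswith("crypto isakmp profile "):
            m["profiles"][w[3]] = {"vrf": word_after(body, "vrf"), "keyring": word_after(body, "keyring")}
        elif head.startswith("crypto map ") and "isakmp-profile" in w:
            m["cmap_profile"][w[2]] = w[-1]            # crypto map -> ISAKMP profile
        elif head.startswith("crypto map "):           # crypto map, seq -> crypto ACL name
            m["cmap_acl"].setdefault(w[2], {})[w[3]] = word_after(body, "match", "address")
        elif head.startswith("interface "):
            m["interfaces"][w[1]] = {"vrf": word_after(body, "vrf", "forwarding"),
                                     "cmap": word_after(body, "crypto", "map")}
        elif head.startswith("ip access-list extended "):   # ACL -> [(src, wc, dst, wc)]
            m["acls"][w[3]] = [tuple(b.split()[2:6]) for b in body if b.startswith("permit ip ")]
    return m

def check_bindings(m):
    """Problems in the crypto map -> profile -> keyring/VRF -> interface chain."""
    problems = []
    for cmap, prof in m["cmap_profile"].items():
        if prof not in m["profiles"]:
            problems.append(f"crypto map {cmap}: isakmp-profile {prof} not found")
            continue
        p = m["profiles"][prof]
        if m["keyrings"].get(p["keyring"]) != p["vrf"]:
            problems.append(f"profile {prof}: keyring {p['keyring']} is not bound to vrf {p['vrf']}")
        for name, i in m["interfaces"].items():
            if i["cmap"] == cmap and i["vrf"] != p["vrf"]:
                problems.append(f"interface {name} (vrf {i['vrf']}) carries {cmap}, a vrf {p['vrf']} map")
    return problems

def check_acl_mirror(local, remote, cmap, seq):
    """Entries that differ between the local crypto ACL and the remote one with
    source/destination swapped; an empty list means the two mirror each other."""
    l_acl = local["acls"][local["cmap_acl"][cmap][seq]]
    r_acl = remote["acls"][remote["cmap_acl"][cmap][seq]]
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in l_acl}
    return sorted(mirrored.symmetric_difference(r_acl))

if __name__ == "__main__":
    r2 = build_model(R2_CONFIG)
    print(check_bindings(r2), check_acl_mirror(build_model(R1_CONFIG), r2, "cust-a-CMap", "10"))
```

Run as-is the script reports the single broken binding on the constructed R2 (the cust-b crypto map naming a profile that does not exist) and an empty ACL mismatch list for cust-a. The checks look at bindings only, not at key material: the 0.0.0.0 0.0.0.0 peer address in the article's keyrings matches any peer presenting the shared key, which is convenient in a lab but is something to narrow to the actual peer addresses outside one.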

Verification:

[Figure: verification output screenshots (ISAKMP and IPsec SA status per VRF)]

Thank you very much!
