Blue_Bird

Implementing IKEv2 VRF aware Crypto Map VPN

Introduction

Lab Topology

IKEv2 VRF aware Crypto Map VPN Configuration

Verification

Introduction:

In this article we configure a VRF-aware crypto map VPN with IKEv2 on Cisco IOS-XE routers. A front-door VRF called FVRF holds the interface facing the internet/WAN side; it carries the default route, and all encrypted traffic is sent and received over this interface. An inside VRF called INSIDE holds the internal network routes and carries the clear-text traffic, i.e. the packets before encryption and after decryption. The IKEv2 profile ties the two together: match fvrf FVRF selects the profile for IKEv2 negotiations that arrive in the front-door VRF, and ivrf INSIDE tells IPsec which VRF the protected traffic belongs to. The crypto map VPN can be established to another IOS router or to an ASA; the lab below uses two IOS routers, R1 and R2.

Lab Topology

[Lab topology diagram: R1 FastEthernet0/0 1.1.1.1/24 (FVRF) connected to R2 FastEthernet0/0 1.1.1.2/24 (FVRF); R1 Loopback0 192.168.1.1/24 and R2 Loopback0 192.168.2.1/24 in VRF INSIDE]

IKEv2 VRF aware Crypto Map VPN Configuration

R1 Configuration

Step-1: Define VRFs

R1(config)#vrf definition FVRF

R1(config-vrf)#address-family ipv4

R1(config-vrf-af)#exit-address-family

R1(config-vrf)#vrf definition INSIDE

R1(config-vrf)#address-family ipv4

R1(config-vrf-af)#exit-address-family

R1(config-vrf)#exit

Step-2: Configure Interfaces

R1(config)#interface fastethernet0/0

R1(config-if)#vrf forwarding FVRF

R1(config-if)#ip address 1.1.1.1 255.255.255.0

R1(config-if)#interface loopback 0

R1(config-if)#vrf forwarding INSIDE

R1(config-if)#ip address 192.168.1.1 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#exit

Step-3: Configure IKEv2 Proposal

R1(config)#crypto ikev2 proposal IKEv2-PROPOSAL-R1

R1(config-ikev2-proposal)#encryption aes-cbc-256 aes-cbc-128

R1(config-ikev2-proposal)#integrity sha256

R1(config-ikev2-proposal)#group 21

R1(config-ikev2-proposal)#exit

Step-4: Create IKEv2 Policy

R1(config)#crypto ikev2 policy IKEv2-POLICY-R1

R1(config-ikev2-policy)#match fvrf FVRF

R1(config-ikev2-policy)#proposal IKEv2-PROPOSAL-R1

R1(config-ikev2-policy)#exit

Step-5: Configure IKEv2 Keyring

Note: peer any with address 0.0.0.0 0.0.0.0 makes this key usable for any peer address; what restricts who may authenticate is the IKEv2 profile's match identity remote address in Step-6, so keep that match specific. cisco@123 is a lab key and must be replaced by a strong, unique secret (or certificate authentication) outside the lab.

R1(config)#crypto ikev2 keyring keyring-1

R1(config-ikev2-keyring)#peer any

R1(config-ikev2-keyring-peer)#address 0.0.0.0 0.0.0.0

R1(config-ikev2-keyring-peer)#pre-shared-key local cisco@123

R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco@123

R1(config-ikev2-keyring-peer)#exit

Step-6: Create IKEv2 Profile

R1(config)#crypto ikev2 profile IKEv2-PROFILE-R1

R1(config-ikev2-profile)#match fvrf FVRF

R1(config-ikev2-profile)#match identity remote address 1.1.1.2

R1(config-ikev2-profile)#identity local address 1.1.1.1

R1(config-ikev2-profile)#authentication remote pre-share

R1(config-ikev2-profile)#authentication local pre-share

R1(config-ikev2-profile)#keyring local keyring-1

R1(config-ikev2-profile)#ivrf INSIDE

R1(config-ikev2-profile)#exit

Step-7: Configure Access Control List

R1(config)#ip access-list extended 101

R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

R1(config-ext-nacl)#exit

Step-8: Create Transform Set

R1(config)#crypto ipsec transform-set TSET-R1 esp-aes esp-sha-hmac

R1(cfg-crypto-trans)#mode tunnel

R1(cfg-crypto-trans)#exit

Step-9: Configure Routing

R1(config)#ip route vrf FVRF 0.0.0.0 0.0.0.0 1.1.1.2

Step-10: Configure Crypto Map and Apply to interface

R1(config)#crypto map CMAP 1 ipsec-isakmp

R1(config-crypto-map)#set peer 1.1.1.2

R1(config-crypto-map)#set transform-set TSET-R1

R1(config-crypto-map)#set ikev2-profile IKEv2-PROFILE-R1

R1(config-crypto-map)#match address 101

R1(config-crypto-map)#reverse-route remote-peer 1.1.1.1 static

R1(config-crypto-map)#exit

R1(config)#interface fastethernet0/0

R1(config-if)#crypto map CMAP

*Jul 31 19:07:44.347: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R2 configuration

Step-1: Define VRFs

R2(config)#vrf definition FVRF

R2(config-vrf)#address-family ipv4

R2(config-vrf-af)#exit-address-family

R2(config-vrf)#vrf definition INSIDE

R2(config-vrf)#address-family ipv4

R2(config-vrf-af)#exit-address-family

R2(config-vrf)#exit

Step-2: Configure Interfaces

R2(config)#interface fastethernet0/0

R2(config-if)#vrf forwarding FVRF

R2(config-if)#ip address 1.1.1.2 255.255.255.0

R2(config-if)#interface loopback 0

R2(config-if)#vrf forwarding INSIDE

R2(config-if)#ip address 192.168.2.1 255.255.255.0

R2(config-if)#no shutdown

R2(config-if)#exit

Step-3: Configure IKEv2 Proposal

R2(config)#crypto ikev2 proposal IKEv2-PROPOSAL-R2

R2(config-ikev2-proposal)#encryption aes-cbc-256 aes-cbc-128

R2(config-ikev2-proposal)#integrity sha256

R2(config-ikev2-proposal)#group 21

R2(config-ikev2-proposal)#exit

Step-4: Create IKEv2 Policy

R2(config)#crypto ikev2 policy IKEv2-POLICY-R2

R2(config-ikev2-policy)#match fvrf FVRF

R2(config-ikev2-policy)#proposal IKEv2-PROPOSAL-R2

R2(config-ikev2-policy)#exit

Step-5: Configure IKEv2 Keyring

R2(config)#crypto ikev2 keyring keyring-1

R2(config-ikev2-keyring)#peer any

R2(config-ikev2-keyring-peer)#address 0.0.0.0 0.0.0.0

R2(config-ikev2-keyring-peer)#pre-shared-key local cisco@123

R2(config-ikev2-keyring-peer)#pre-shared-key remote cisco@123

R2(config-ikev2-keyring-peer)#exit

Step-6: Create IKEv2 Profile

R2(config)#crypto ikev2 profile IKEv2-PROFILE-R2

R2(config-ikev2-profile)#match fvrf FVRF

R2(config-ikev2-profile)#match identity remote address 1.1.1.1

R2(config-ikev2-profile)#identity local address 1.1.1.2

R2(config-ikev2-profile)#authentication remote pre-share

R2(config-ikev2-profile)#authentication local pre-share

R2(config-ikev2-profile)#keyring local keyring-1

R2(config-ikev2-profile)#ivrf INSIDE

R2(config-ikev2-profile)#exit

Step-7: Configure Access Control List

R2(config)#ip access-list extended 101

R2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

R2(config-ext-nacl)#exit

Step-8: Create Transform Set

R2(config)#crypto ipsec transform-set TSET-R2 esp-aes esp-sha-hmac

R2(cfg-crypto-trans)#mode tunnel

R2(cfg-crypto-trans)#exit

Step-9: Configure Routing

R2(config)#ip route vrf FVRF 0.0.0.0 0.0.0.0 1.1.1.1

Step-10: Configure Crypto Map and Apply to interface

R2(config)#crypto map CMAP 1 ipsec-isakmp

R2(config-crypto-map)#set peer 1.1.1.1

R2(config-crypto-map)#set transform-set TSET-R2

R2(config-crypto-map)#set ikev2-profile IKEv2-PROFILE-R2

R2(config-crypto-map)#match address 101

R2(config-crypto-map)#reverse-route remote-peer 1.1.1.2 static

R2(config-crypto-map)#exit

R2(config)#interface fastethernet0/0

R2(config-if)#crypto map CMAP

*Jul 31 19:07:44.347: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
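Before bringing the tunnel up it is worth checking that the two sides really mirror each other, because most crypto map failures in a lab like this are a transposed address, a mismatched key, a proposal with no common algorithm, or an ACL that is not the exact mirror of the peer's. The Python script below is an added example, not part of the original post and not a Cisco tool. It rebuilds each router's relevant running-config from Steps 2 to 10 above (constructed input, written the way IOS stores it, e.g. with the /32 mask IOS appends to match identity remote address), parses both, and cross-checks R1 against R2. The peer_config template and the parser are assumptions of this example and rely on the one-space IOS indentation shown.

```python
"""Cross-check two IOS crypto-map peers for the mismatches that most often keep an
IKEv2 VRF-aware tunnel down (peer address, identities, PSKs, proposal overlap,
front-door VRF binding, non-mirrored crypto ACLs). Added example, not a Cisco tool."""


def peer_config(name, local_ip, peer_ip, local_net, remote_net, psk="cisco@123"):
    """Constructed running-config excerpt in the shape IOS stores the page's CLI steps."""
    return f"""
crypto ikev2 proposal IKEv2-PROPOSAL-{name}
 encryption aes-cbc-256 aes-cbc-128
 integrity sha256
 group 21
crypto ikev2 keyring keyring-1
 peer any
  address 0.0.0.0 0.0.0.0
  pre-shared-key local {psk}
  pre-shared-key remote {psk}
crypto ikev2 profile IKEv2-PROFILE-{name}
 match fvrf FVRF
 match identity remote address {peer_ip} 255.255.255.255
 identity local address {local_ip}
 ivrf INSIDE
interface FastEthernet0/0
 vrf forwarding FVRF
 ip address {local_ip} 255.255.255.0
 crypto map CMAP
ip access-list extended 101
 permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
crypto map CMAP 1 ipsec-isakmp
 set peer {peer_ip}
 match address 101
"""


def parse(cfg):
    """Collect the fields the cross-check needs; an unindented line opens a new section."""
    d = {"enc": set(), "integ": set(), "grp": set(), "acl": set(), "ifaces": {}}
    sect = ""
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        w = raw.split()
        if not raw.startswith(" "):
            sect = raw
            continue
        if sect.startswith("crypto ikev2 proposal"):
            key = {"encryption": "enc", "integrity": "integ", "group": "grp"}.get(w[0])
            if key:
                d[key] |= set(w[1:])
        elif sect.startswith("crypto ikev2 keyring") and w[0] == "pre-shared-key":
            d["psk_" + w[1]] = w[2]  # psk_local / psk_remote
        elif sect.startswith("crypto ikev2 profile"):
            if w[:4] == ["match", "identity", "remote", "address"]:
                d["remote_id"] = w[4]
            elif w[:3] == ["identity", "local", "address"]:
                d["local_id"] = w[3]
            elif w[:2] == ["match", "fvrf"]:
                d["fvrf"] = w[2]
            elif w[0] == "ivrf":
                d["ivrf"] = w[1]
        elif sect.startswith("interface"):
            name = sect.split()[1]
            iface = d["ifaces"].setdefault(name, {})
            if w[:2] == ["vrf", "forwarding"]:
                iface["vrf"] = w[2]
            elif w[:2] == ["ip", "address"]:
                iface["ip"] = w[2]
            elif w[:2] == ["crypto", "map"]:
                d["cmap_if"] = name  # interface the crypto map is applied to
        elif sect.startswith("ip access-list") and w[0] == "permit":
            d["acl"].add((w[2], w[3], w[4], w[5]))  # src, wildcard, dst, wildcard
        elif sect.startswith("crypto map") and w[:2] == ["set", "peer"]:
            d["peer"] = w[2]
    return d


def cross_check(a, b):
    """Return findings for two parsed peers; an empty list means the sides agree."""
    out = []
    for x, y, side in ((a, b, "A"), (b, a, "B")):
        x_if, y_if = x["ifaces"][x["cmap_if"]], y["ifaces"][y["cmap_if"]]
        if x["peer"] != y_if["ip"]:
            out.append(f"{side}: set peer {x['peer']} is not the other side's crypto-map interface ({y_if['ip']})")
        if x_if["vrf"] != x["fvrf"]:
            out.append(f"{side}: profile matches fvrf {x['fvrf']} but the crypto map sits in VRF {x_if['vrf']}")
        if x["remote_id"] != y["local_id"]:
            out.append(f"{side}: match identity remote address {x['remote_id']} != peer identity local address {y['local_id']}")
        if x["psk_local"] != y["psk_remote"]:
            out.append(f"{side}: local pre-shared key differs from the key the peer expects")
    for k in ("enc", "integ", "grp"):
        if not a[k] & b[k]:
            out.append(f"IKEv2 proposals share no common {k} value")
    if {(dst, dw, src, sw) for src, sw, dst, dw in a["acl"]} != b["acl"]:
        out.append("crypto ACLs are not mirror images of each other")
    return out


R1 = parse(peer_config("R1", "1.1.1.1", "1.1.1.2", "192.168.1.0", "192.168.2.0"))
R2 = parse(peer_config("R2", "1.1.1.2", "1.1.1.1", "192.168.2.0", "192.168.1.0"))
print(cross_check(R1, R2) or "R1 and R2 are consistent")
```

Run it with python3; for the configuration on this page it reports no findings. Feeding it a peer whose pre-shared key, peer address or crypto ACL has been altered produces one finding per side that disagrees, which is exactly what you would otherwise have to dig out of debug crypto ikev2 output after the tunnel fails to come up.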

Verification

[Verification screenshots: four images from the author's lab, not reproduced here.]

Verify on either router with show crypto ikev2 sa (the fvrf/ivrf column should read FVRF/INSIDE and Status should be READY), show crypto ipsec sa (protected vrf: INSIDE, with the #pkts encaps and #pkts decaps counters increasing), show ip route vrf INSIDE for the route to the remote 192.168.x.0/24 network, and ping vrf INSIDE 192.168.2.1 source 192.168.1.1 from R1 to generate interesting traffic.
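Because the verification screenshots are not reproduced, the Python script below is an added example (not part of the original post) that shows what to look for in show crypto ikev2 sa and show crypto ipsec sa for a VRF-aware crypto map: the IKEv2 SA must be bound to FVRF/INSIDE rather than none/none, its Status must be READY, the IPsec SA must show protected vrf: INSIDE with the expected peer, and both the encaps and decaps packet counters must be non-zero (a one-way counter points at a non-mirrored ACL or a missing INSIDE route on one side). The sample outputs embedded in the script are constructed to resemble IOS output for this lab; they were not captured from the author's routers, and column spacing may differ between releases, which is why the parser keys on field names rather than positions.

```python
"""Parse `show crypto ikev2 sa` / `show crypto ipsec sa` output and check that the
VRF-aware crypto map tunnel is bound to the right VRFs and carrying traffic both ways.
Added example; the sample outputs below are constructed, not captured from the lab."""
import re

IKEV2_SA = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         1.1.1.1/500           1.1.1.2/500           FVRF/INSIDE          READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/53 sec
"""

IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 1.1.1.1

   protected vrf: INSIDE
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 1.1.1.2 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""

SA_LINE = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)/(\S+)\s+(\S+)$")
ENCR_LINE = re.compile(r"Encr:\s*([^,]+),\s*keysize:\s*(\d+).*?DH Grp:\s*(\d+).*?Auth sign:\s*(\w+)")
IPSEC_FIELDS = {
    "vrf": re.compile(r"protected vrf:\s*(\S+)"),
    "peer": re.compile(r"current_peer\s+(\S+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
}


def parse_ikev2_sa(text):
    """One dict per IKEv2 SA: id, local, remote, fvrf, ivrf, status plus negotiated algorithms."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            cur = dict(zip(("id", "local", "remote", "fvrf", "ivrf", "status"), m.groups()))
            sas.append(cur)
            continue
        m = ENCR_LINE.search(line)
        if m and cur is not None:  # algorithm line belongs to the SA printed just above it
            cur.update(encr=m.group(1), keysize=int(m.group(2)), dh=int(m.group(3)), auth=m.group(4))
    return sas


def parse_ipsec_sa(text):
    """Protected VRF, current peer and the encaps/decaps packet counters of the IPsec SA."""
    out = {}
    for key, rx in IPSEC_FIELDS.items():
        m = rx.search(text)
        if m:
            out[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return out


def audit(ikev2_sas, ipsec, peer, fvrf, ivrf, min_dh=19):
    """Return findings; an empty list means the tunnel is up in the intended VRFs with two-way traffic."""
    sa = next((s for s in ikev2_sas if s["remote"] == peer), None)
    if sa is None:
        return [f"no IKEv2 SA with peer {peer}"]
    findings = []
    if sa["status"] != "READY":
        findings.append(f"IKEv2 SA status is {sa['status']}, expected READY")
    if (sa["fvrf"], sa["ivrf"]) != (fvrf, ivrf):
        findings.append(f"IKEv2 SA bound to {sa['fvrf']}/{sa['ivrf']}, expected {fvrf}/{ivrf}: "
                        "profile 'match fvrf' / 'ivrf' were not applied to this session")
    if sa.get("dh", 0) < min_dh:
        findings.append(f"DH group {sa.get('dh')} is below the minimum {min_dh}")
    if ipsec.get("vrf") != ivrf:
        findings.append(f"IPsec SA protected vrf is {ipsec.get('vrf')}, expected {ivrf}")
    if ipsec.get("peer") != peer:
        findings.append(f"IPsec SA peer is {ipsec.get('peer')}, expected {peer}")
    if not (ipsec.get("encaps", 0) and ipsec.get("decaps", 0)):
        findings.append("one-way or no traffic: check the crypto ACL mirror and INSIDE routes on both sides")
    return findings


print(audit(parse_ikev2_sa(IKEV2_SA), parse_ipsec_sa(IPSEC_SA), "1.1.1.2", "FVRF", "INSIDE") or "tunnel OK")
```

Paste real show output into the two strings (or read it from a file) and call audit with the peer and VRF names you expect; the min_dh threshold of 19 is an assumption of this example that flags any session that fell back to a weaker Diffie-Hellman group than the group 21 configured in Step-3.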

Thank you very much!
