Blue_Bird (VIP)

Implementing IKEv2 VRF aware SVTI

Introduction

Lab Topology

IKEv2 VRF Configuration

Verification

Introduction

A front-door VRF (FVRF), here named internet, is defined on the outside/WAN interface; all traffic in this VRF is the encrypted tunnel traffic. An inside VRF (IVRF), here named local, is defined on the inside interface(s) and carries the cleartext traffic. Using an FVRF and an IVRF isolates the tunnel termination interface from the decapsulated tunnel traffic, which simplifies WAN routing. An IKEv2 SVTI is used to encrypt the traffic passing through the tunnel for enhanced security.

Lab Topology

[Lab topology diagram: Blue_Bird_0-1753963151104.png]

R1 Configuration

Step-1: Define VRFs

R1(config)#vrf definition internet
R1(config-vrf)#rd 2:2
R1(config-vrf)#address-family ipv4
R1(config-vrf-af)#exit-address-family
R1(config-vrf)#exit
R1(config)#vrf definition local
R1(config-vrf)#rd 1:1
R1(config-vrf)#address-family ipv4
R1(config-vrf-af)#exit-address-family
R1(config-vrf)#exit

Step-2: Configure Interfaces

R1(config)#interface loopback 1
R1(config-if)#vrf forwarding local
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#interface FastEthernet0/0
R1(config-if)#vrf forwarding internet
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

Step-3: Configure IKEv2 Proposal

R1(config)#crypto ikev2 proposal proposal-1
R1(config-ikev2-proposal)#encryption aes-cbc-256
R1(config-ikev2-proposal)#integrity sha384
R1(config-ikev2-proposal)#group 14
R1(config-ikev2-proposal)#exit

Step-4: Configure IKEv2 Policy

R1(config)#crypto ikev2 policy policy-1
R1(config-ikev2-policy)#match fvrf internet
R1(config-ikev2-policy)#match address local 1.1.1.1
R1(config-ikev2-policy)#proposal proposal-1
R1(config-ikev2-policy)#exit

Step-5: Configure IKEv2 Keyring

R1(config)#crypto ikev2 keyring keyring-1
R1(config-ikev2-keyring)#peer any
R1(config-ikev2-keyring-peer)#address 0.0.0.0 0.0.0.0
R1(config-ikev2-keyring-peer)#pre-shared-key cisco@123
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#exit

Step-6: Configure IKEv2 Profile

R1(config)#crypto ikev2 profile ikev2-profile-R1
R1(config-ikev2-profile)#match fvrf internet
R1(config-ikev2-profile)#match identity remote address 0.0.0.0
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#keyring local keyring-1
R1(config-ikev2-profile)#exit

Step-7: Create IPsec Transform Set

R1(config)#crypto ipsec transform-set TSET-R1 esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit

Step-8: Configure IPsec Profile

R1(config)#crypto ipsec profile ipsec-profile-R1
R1(ipsec-profile)#set ikev2-profile ikev2-profile-R1
R1(ipsec-profile)#set transform-set TSET-R1
R1(ipsec-profile)#exit

Step-9: Configure Tunnel Interface

R1(config)#interface tunnel 1
R1(config-if)#vrf forwarding local
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 1.1.1.2
R1(config-if)#tunnel key 777
R1(config-if)#tunnel vrf internet
R1(config-if)#tunnel protection ipsec profile ipsec-profile-R1
*Jul 28 14:41:58.691: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step-10: Configure Routing (Static/Dynamic)

R1(config)#ip route vrf internet 0.0.0.0 0.0.0.0 1.1.1.2
R1(config)#ip route vrf local 192.168.2.0 255.255.255.0 tunnel1

R2 Configuration

Step-1: Define VRFs

R2(config)#vrf definition internet
R2(config-vrf)#rd 2:2
R2(config-vrf)#address-family ipv4
R2(config-vrf-af)#exit-address-family
R2(config-vrf)#exit
R2(config)#vrf definition local
R2(config-vrf)#rd 1:1
R2(config-vrf)#address-family ipv4
R2(config-vrf-af)#exit-address-family
R2(config-vrf)#exit

Step-2: Configure Interfaces

R2(config)#interface loopback 1
R2(config-if)#vrf forwarding local
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#exit
R2(config)#interface FastEthernet0/0
R2(config-if)#vrf forwarding internet
R2(config-if)#ip address 1.1.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

Step-3: Configure IKEv2 Proposal

R2(config)#crypto ikev2 proposal proposal-1
R2(config-ikev2-proposal)#encryption aes-cbc-256
R2(config-ikev2-proposal)#integrity sha384
R2(config-ikev2-proposal)#group 14
R2(config-ikev2-proposal)#exit

Step-4: Configure IKEv2 Policy

R2(config)#crypto ikev2 policy policy-1
R2(config-ikev2-policy)#match fvrf internet
R2(config-ikev2-policy)#match address local 1.1.1.2
R2(config-ikev2-policy)#proposal proposal-1
R2(config-ikev2-policy)#exit

Step-5: Configure IKEv2 Keyring

R2(config)#crypto ikev2 keyring keyring-1
R2(config-ikev2-keyring)#peer any
R2(config-ikev2-keyring-peer)#address 0.0.0.0 0.0.0.0
R2(config-ikev2-keyring-peer)#pre-shared-key cisco@123
R2(config-ikev2-keyring-peer)#exit
R2(config-ikev2-keyring)#exit

Step-6: Configure IKEv2 Profile

R2(config)#crypto ikev2 profile ikev2-profile-R2
R2(config-ikev2-profile)#match fvrf internet
R2(config-ikev2-profile)#match identity remote address 0.0.0.0
R2(config-ikev2-profile)#authentication remote pre-share
R2(config-ikev2-profile)#authentication local pre-share
R2(config-ikev2-profile)#keyring local keyring-1
R2(config-ikev2-profile)#exit

Step-7: Create IPsec Transform Set

R2(config)#crypto ipsec transform-set TSET-R2 esp-aes esp-sha-hmac
R2(cfg-crypto-trans)#mode transport
R2(cfg-crypto-trans)#exit

Step-8: Configure IPsec Profile

R2(config)#crypto ipsec profile ipsec-profile-R2
R2(ipsec-profile)#set ikev2-profile ikev2-profile-R2
R2(ipsec-profile)#set transform-set TSET-R2
R2(ipsec-profile)#exit

Step-9: Configure Tunnel Interface

R2(config)#interface tunnel 1
R2(config-if)#vrf forwarding local
R2(config-if)#ip address 10.1.1.2 255.255.255.0
R2(config-if)#tunnel source 1.1.1.2
R2(config-if)#tunnel destination 1.1.1.1
R2(config-if)#tunnel key 777
R2(config-if)#tunnel vrf internet
R2(config-if)#tunnel protection ipsec profile ipsec-profile-R2
*Jul 28 14:41:58.691: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step-10: Configure Routing (Static/Dynamic)

R2(config)#ip route vrf internet 0.0.0.0 0.0.0.0 1.1.1.1
R2(config)#ip route vrf local 192.168.1.0 255.255.255.0 tunnel1

Verification

[Verification output: three screenshots, Blue_Bird_1-1753963320681.png, Blue_Bird_2-1753963363630.png, Blue_Bird_3-1753963393382.png]

Thank you very much!

Comments
Martin L (VIP)

Thank you for sharing!
