Manoj Buddhika

[Attached image: vrf aware ipsec with ppoe peer.JPG]

VRF-aware IPsec with a dynamic peer. The peer is getting its internet-facing interface's IP address from a PPPoE server. Here I have attached the configs and a diagram. This can simulate a multiple-customer VPN environment.

Hope this will help somebody

Here are the configs:

spokeA#
spokeA#show run
spokeA#show running-config
Building configuration...

Current configuration : 1729 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname spokeA
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key VPN address 10.10.1.1
!
!
crypto ipsec transform-set T-SET esp-3des esp-sha-hmac
!
crypto map VPNA 10 ipsec-isakmp
set peer 10.10.1.1
set transform-set T-SET
match address 101
!
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname cisco
ppp chap password 0 sisco
ppp pap sent-username cisco password 0 sisco
crypto map VPNA
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

spokeA#

========================================================================================================

ppoeserver#show run
ppoeserver#show running-config
Building configuration...

Current configuration : 1280 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ppoeserver
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco password 0 sisco
!
!
controller ISA 1/1
!
!
!
!
bba-group pppoe global
virtual-template 1
!
!
interface GigabitEthernet0/0
ip address 11.11.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
no negotiation auto
pppoe enable group global
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 10.10.1.2 255.255.255.252
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 10.10.2.2 255.255.255.252
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface Virtual-Template1
mtu 1492
ip unnumbered GigabitEthernet0/0
peer default ip address pool pppoepool
ppp authentication pap chap
!
ip local pool pppoepool 12.12.1.2 12.12.1.254
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end

ppoeserver#

====================================================================================================

hub#
hub#show run
hub#show running-config
Building configuration...

Current configuration : 2279 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hub
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip vrf customerA
description Customer A
!
ip vrf customerB
description Customer B
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
crypto keyring customerA-vpn vrf customerA
  pre-shared-key address 0.0.0.0 0.0.0.0 key VPN
crypto keyring customerB-vpn vrf customerB
  pre-shared-key address 0.0.0.0 0.0.0.0 key VPN
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile customerA
   vrf customerA
   keyring customerA-vpn
   match identity address 0.0.0.0 customerA
crypto isakmp profile customerB
   vrf customerB
   keyring customerB-vpn
   match identity address 11.11.2.0 255.255.255.0 customerB
!
!
crypto ipsec transform-set T-SET esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAPA 10
set transform-set T-SET
set isakmp-profile customerA
match address 101
!
!
crypto map VPNA 10 ipsec-isakmp dynamic DYNMAPA
!
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback1
ip vrf forwarding customerA
ip address 192.168.100.1 255.255.255.0
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
no ip address
duplex auto
speed auto
!
interface FastEthernet0.10
description Connected to Customer A
encapsulation dot1Q 10
ip vrf forwarding customerA
ip address 10.10.1.1 255.255.255.252
crypto map VPNA
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route vrf customerA 0.0.0.0 0.0.0.0 10.10.1.2
ip route vrf customerB 0.0.0.0 0.0.0.0 10.10.2.2
ip http server
no ip http secure-server
!
!
!
access-list 101 remark **Site-to-site VPN for Customer A & B**
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

hub#

=====================================================================================================
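The hub's dynamic crypto map only accepts a spoke whose crypto ACL is the exact mirror of the hub's (spoke src/dst reversed on the hub); a mismatch is rejected at IKE phase 2 and is one cause of the "proxy identities not supported" IPsec debug message. The following checker is an added example (my code, not the poster's configs) that parses the `match address` and `access-list ... permit ip` lines of two IOS configs and reports any selector without a mirror on the other side; the config excerpts embedded in it are constructed from the spokeA and hub configs above.

```python
import ipaddress
import re

# Constructed excerpts of the spokeA and hub configs from the post (only the lines the check needs).
SPOKE_CFG = """\
crypto map VPNA 10 ipsec-isakmp
 set peer 10.10.1.1
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
HUB_CFG = """\
crypto dynamic-map DYNMAPA 10
 set isakmp-profile customerA
 match address 101
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

MATCH_RE = re.compile(r"^\s*match address (\d+)\s*$", re.M)
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address + wildcard mask (0.0.0.255 = /24) into an ip_network.
    Assumes contiguous wildcards, which is all a crypto ACL normally uses."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)


def crypto_selectors(cfg):
    """Return the set of (src, dst) networks protected by the ACLs the crypto map references."""
    acls = set(MATCH_RE.findall(cfg))
    selectors = set()
    for num, src, src_wc, dst, dst_wc in ACL_RE.findall(cfg):
        if num in acls:
            selectors.add((wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
    return selectors


def mirror_mismatches(local_cfg, remote_cfg):
    """Every local (src, dst) must exist on the remote side as (dst, src); return the ones that do not."""
    remote = crypto_selectors(remote_cfg)
    return sorted((str(s), str(d)) for s, d in crypto_selectors(local_cfg) if (d, s) not in remote)


if __name__ == "__main__":
    for side, local, remote in (("spokeA", SPOKE_CFG, HUB_CFG), ("hub", HUB_CFG, SPOKE_CFG)):
        bad = mirror_mismatches(local, remote)
        print(f"{side}: {'selectors mirror the peer' if not bad else 'unmatched ' + str(bad)}")
```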

Comments
ar

Hi.

I'm trying the same config.

Except my external interface is global and not a member of a VRF.

I'm getting an error of:

*Feb 18 16:51:51.287: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 18 16:51:51.291: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Feb 18 16:51:51.295: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 172.16.1.2 remote 172.16.1.1)
*Feb 18 16:51:51.311: ISAKMP:(1006):deleting node 1735213473 error TRUE reason "QM rejected"

Here's my config:

Remote Router:

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key vpn1 address 172.16.1.2
!
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map vpn1 1 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set vpn1
 match address 101
!
interface Loopback10
 ip address 10.2.0.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 description WAN-to-Internet
 ip address 172.16.1.1 255.255.255.252
 duplex auto
 speed auto
 crypto map vpn1
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!

VPN Concentrator / PE:

crypto keyring vpn2
  pre-shared-key address 0.0.0.0 0.0.0.0 key vpn1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile vpn2
   vrf vpn2
   keyring vpn2
   match identity address 0.0.0.0
!
crypto ipsec transform-set vpn2 esp-3des esp-sha-hmac
!
crypto dynamic-map dynamap 10
 set transform-set vpn2
 set isakmp-profile vpn2
 match address 102
!
crypto map vpn 10 ipsec-isakmp dynamic dynamap
!
interface Loopback20
 ip vrf forwarding vpn2
 ip address 10.1.0.1 255.255.255.0
!
interface FastEthernet1/0
 description WAN
 ip address 172.16.1.2 255.255.255.252
 duplex auto
 speed auto
 crypto map vpn
!
access-list 102 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
ip route vrf vpn2 10.2.0.0 255.255.0.0 172.16.1.1 global

But I noticed that when I used static crypto maps instead of dynamic peers, it's working!

Any suggestions?

thanks

ar

Thanks for sharing. Good info.

What about using a single Global IP (no vrf) at the HUB router for vpn peering?

Then all spokes will peer to that IP, and the IPsec would be mapped into the corresponding VRF by matching the pre-shared key?
