cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
975
Views
0
Helpful
6
Replies

VRF Aware DVTI and PKI

Hi,

i´ve try to get an dynamic VTI with VRF Aware on the HUB Router and PKI for Authentication.

My Problem is, that Phase1 works fine, but Phase2 doesn´t came up.

debug crypto isakmp

Feb  7 09:46:09.439: ISAKMP:(20175): IPSec policy invalidated proposal with error 32

Feb  7 09:46:09.439: ISAKMP:(20175): phase 2 SA policy not acceptable! (local a.b.c.d remote e.f.g.h)

The proposals are OK.

Here are the config parts.

crypto isakmp profile P1
   ca trust-point VPN
   match certificate CERMAP1
   virtual-template 11

crypto ipsec profile P1

set transform-set AES256

set isakmp-profile P1

interface Virtual-Template11 type tunnel

vrf forwarding <VRF Name>

ip unnumbered Loopback0

ip virtual-reassembly in

tunnel mode ipsec ipv4

tunnel vrf OUTSIDE_VTI

tunnel protection ipsec profile P1

Have any one of you a working configuration with this parameters or an idea, what i can do ?

The Virtual-Template Interface ist up/down and no interface virtual-acces was created.

Many Thanks !!!

6 Replies 6

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Look back to phase 1 debugs, did you chose the (isakmp) profile you're indicating?

M.

Here the output....

An yes, I think that he choose the right one.....

Feb 7 16:38:07.594: ISAKMP (20274): received packet from a.b.c.d dport 4500 sport 29919 OUTSIDE_VTI (R) QM_IDLE

Feb 7 16:38:07.594: ISAKMP: set new node -437034498 to QM_IDLE

Feb 7 16:38:07.594: ISAKMP:(20274): processing HASH payload. message ID = 3857932798

Feb 7 16:38:07.594: ISAKMP:(20274): processing SA payload. message ID = 3857932798

Feb 7 16:38:07.594: ISAKMP:(20274):Checking IPSec proposal 1

Feb 7 16:38:07.594: ISAKMP: transform 1, ESP_AES

Feb 7 16:38:07.594: ISAKMP: attributes in transform:

Feb 7 16:38:07.594: ISAKMP: encaps is 3 (Tunnel-UDP)

Feb 7 16:38:07.594: ISAKMP: SA life type in seconds

Feb 7 16:38:07.594: ISAKMP: SA life duration (basic) of 3600

Feb 7 16:38:07.594: ISAKMP: SA life type in kilobytes

Feb 7 16:38:07.594: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

Feb 7 16:38:07.598: ISAKMP: authenticator is HMAC-SHA

Feb 7 16:38:07.598: ISAKMP: key length is 256

Feb 7 16:38:07.598: ISAKMP:(20274):atts are acceptable.

Feb 7 16:38:07.598: ISAKMP:(20274): IPSec policy invalidated proposal with error 32

Feb 7 16:38:07.598: ISAKMP:(20274): phase 2 SA policy not acceptable! (local e.f.g.h remote a.b.c.d)

Feb 7 16:38:07.598: ISAKMP: set new node 1982743819 to QM_IDLE

Feb 7 16:38:07.598: ISAKMP:(20274):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 573410632, message ID = 1982743819

Feb 7 16:38:07.598: ISAKMP:(20274): sending packet to a.b.c.d my_port 4500 peer_port 13358 (R) QM_IDLE

Feb 7 16:38:07.598: ISAKMP:(20274):Sending an IKE IPv4 Packet.

Feb 7 16:38:07.598: ISAKMP:(20274):purging node 1982743819

Feb 7 16:38:07.598: ISAKMP:(20274):deleting node -437034498 error TRUE reason "QM rejected"

Feb 7 16:38:07.598: ISAKMP:(20274):Node 3857932798, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Feb 7 16:38:07.598: ISAKMP:(20274):Old State = IKE_QM_READY New State = IKE_QM_READY

RTR#

Feb 7 16:38:07.598: ISAKMP (20274): received packet from a.b.c.d dport 4500 sport 29919 OUTSIDE_VTI (R) QM_IDLE

Feb 7 16:38:07.598: ISAKMP:(20274): phase 2 packet is a duplicate of a previous packet.

Feb 7 16:38:07.598: ISAKMP:(20274): retransmitting due to retransmit phase 2

Feb 7 16:38:07.598: ISAKMP:(20274): ignoring retransmission,because phase2 node marked dead 1070690835

You showed phase 2 not phase 1 ;]

Edited for clarity:

We want to see if remote identity was matched by

crypto isakmp profile P1

This is the output from debug crypto isakmp....

Feb 7 18:41:37.048: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (N) NEW SA

Feb 7 18:41:37.048: ISAKMP: Created a peer struct for a.b.c.d, peer port 500

Feb 7 18:41:37.048: ISAKMP: New peer created peer = 0x3D83A580 peer_handle = 0x8000025B

Feb 7 18:41:37.048: ISAKMP: Locking peer struct 0x3D83A580, refcount 1 for crypto_isakmp_process_block

Feb 7 18:41:37.048: ISAKMP: local port 500, remote port 500

Feb 7 18:41:37.048: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2107EC78

Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Feb 7 18:41:37.048: ISAKMP:(0): processing SA payload. message ID = 0

Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947

Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7

Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3

Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2

Feb 7 18:41:37.048: ISAKMP : Scanning profiles for xauth ... RTR2

Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)

Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)

Feb 7 18:41:37.048: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

Feb 7 18:41:37.048: ISAKMP: encryption AES-CBC

Feb 7 18:41:37.048: ISAKMP: keylength of 256

Feb 7 18:41:37.048: ISAKMP: hash SHA

Feb 7 18:41:37.048: ISAKMP: default group 2

Feb 7 18:41:37.048: ISAKMP: auth RSA sig

Feb 7 18:41:37.048: ISAKMP: life type in seconds

Feb 7 18:41:37.048: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

Feb 7 18:41:37.048: ISAKMP:(0):atts are acceptable. Next payload is 0

Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:actual life: 0

Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:life: 0

Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa vpi_length:4

Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer a.b.c.d)

Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer a.b.c.d)

Feb 7 18:41:37.048: ISAKMP:(0):Returning Actual lifetime: 86400

Feb 7 18:41:37.048: ISAKMP:(0)::Started lifetime timer: 86400.

Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947

Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7

Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3

Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2

Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Feb 7 18:41:37.048: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Feb 7 18:41:37.048: ISAKMP:(0): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_SA_SETUP

Feb 7 18:41:37.048: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Feb 7 18:41:37.088: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (R) MM_SA_SETUP

Feb 7 18:41:37.092: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Feb 7 18:41:37.092: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Feb 7 18:41:37.092: ISAKMP:(0): processing KE payload. message ID = 0

Feb 7 18:41:37.092: ISAKMP:(0): processing NONCE payload. message ID = 0

Feb 7 18:41:37.092: ISAKMP:(20308): processing CERT_REQ payload. message ID = 0

Feb 7 18:41:37.092: ISAKMP:(20308): peer wants a CT_X509_SIGNATURE cert

Feb 7 18:41:37.092: ISAKMP:(20308): peer wants cert issued by cn=RTR1,o=company,c=de

Feb 7 18:41:37.092: Choosing trustpoint VPN as issuer

Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload

Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is DPD

Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload

Feb 7 18:41:37.092: ISAKMP:(20308): speaking to another IOS box!

Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload

Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID seems Unity/DPD but major 28 mismatch

Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is XAUTH

Feb 7 18:41:37.092: ISAKMP:received payload type 20

Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT

Feb 7 18:41:37.092: ISAKMP:received payload type 20

Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT

Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM3

Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.092: ISAKMP (20308): constructing CERT_REQ for issuer cn=RTR1,o=company,c=de

Feb 7 18:41:37.092: ISAKMP:(20308): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_KEY_EXCH

Feb 7 18:41:37.092: ISAKMP:(20308):Sending an IKE IPv4 Packet.

Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM4

Feb 7 18:41:37.164: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) MM_KEY_EXCH

Feb 7 18:41:37.164: ISAKMP:(20308):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Feb 7 18:41:37.164: ISAKMP:(20308):Old State = IKE_R_MM4 New State = IKE_R_MM5

Feb 7 18:41:37.164: ISAKMP:(20308): processing ID payload. message ID = 0

Feb 7 18:41:37.164: ISAKMP (20308): ID payload

next-payload : 6

type : 2

FQDN name : RTR2.customer.de

protocol : 17

port : 0

length : 30

Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles

Feb 7 18:41:37.164: ISAKMP:(20308): processing CERT payload. message ID = 0

Feb 7 18:41:37.164: ISAKMP:(20308): processing a CT_X509_SIGNATURE cert

Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.164: ISAKMP:(20308): peer's pubkey is cached

Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles

Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.168: ISAKMP:(20308): Unable to get DN from certificate!

Feb 7 18:41:37.168: ISAKMP:(20308): processing SIG payload. message ID = 0

Feb 7 18:41:37.168: ISAKMP:(20308): processing NOTIFY INITIAL_CONTACT protocol 1

spi 0, message ID = 0, sa = 0x2107EC78

Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:

authenticated

Feb 7 18:41:37.168: ISAKMP:(20308):SA has been authenticated with a.b.c.d

Feb 7 18:41:37.168: ISAKMP:(20308):Detected port floating to port = 20962

Feb 7 18:41:37.168: ISAKMP: Trying to find existing peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI

Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:

authenticated

Feb 7 18:41:37.168: ISAKMP:(20308): Process initial contact,

bring down existing phase 1 and 2 SA's with local e.f.g.h remote a.b.c.d remote port 20962

Feb 7 18:41:37.168: ISAKMP: Trying to insert a peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI, and inserted successfully 3D83A580.

Feb 7 18:41:37.168: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Feb 7 18:41:37.168: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_R_MM5

Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.168: ISAKMP:(20308):My ID configured as IPv4 Addr, but Addr not in Cert!

Feb 7 18:41:37.168: ISAKMP:(20308):Using FQDN as My ID

Feb 7 18:41:37.168: ISAKMP:(20308):SA is doing RSA signature authentication using id type ID_FQDN

Feb 7 18:41:37.168: ISAKMP (20308): ID payload

next-payload : 6

type : 2

FQDN name : RTR1.company.de

protocol : 17

port : 0

length : 26

Feb 7 18:41:37.168: ISAKMP:(20308):Total payload length: 26

Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.172: ISAKMP:(20308): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)

Feb 7 18:41:37.172: ISAKMP (20308): constructing CERT payload for hostname=RTR1.company.de,cn=RTR1,o=company,c=DE

Feb 7 18:41:37.172: ISAKMP:(20308): using the VPN trustpoint's keypair to sign

Feb 7 18:41:37.176: ISKAMP: growing send buffer from 1024 to 3072

Feb 7 18:41:37.176: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) MM_KEY_EXCH

Feb 7 18:41:37.180: ISAKMP:(20308):Sending an IKE IPv4 Packet.

Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

Feb 7 18:41:37.180: ISAKMP:(20308): IKE->PKI End PKI Session state (R) QM_IDLE (peer a.b.c.d)

Feb 7 18:41:37.180: ISAKMP:(20308): PKI->IKE Ended PKI session state (R) QM_IDLE (peer a.b.c.d)

Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 7 18:41:37.208: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) QM_IDLE

Feb 7 18:41:37.208: ISAKMP: set new node -1302683506 to QM_IDLE

Feb 7 18:41:37.212: ISAKMP:(20308): processing HASH payload. message ID = 2992283790

Feb 7 18:41:37.212: ISAKMP:(20308): processing SA payload. message ID = 2992283790

Feb 7 18:41:37.212: ISAKMP:(20308):Checking IPSec proposal 1

Feb 7 18:41:37.212: ISAKMP: transform 1, ESP_AES

Feb 7 18:41:37.212: ISAKMP: attributes in transform:

Feb 7 18:41:37.212: ISAKMP: encaps is 3 (Tunnel-UDP)

Feb 7 18:41:37.212: ISAKMP: SA life type in seconds

Feb 7 18:41:37.212: ISAKMP: SA life duration (basic) of 3600

Feb 7 18:41:37.212: ISAKMP: SA life type in kilobytes

Feb 7 18:41:37.212: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

Feb 7 18:41:37.212: ISAKMP: authenticator is HMAC-SHA

Feb 7 18:41:37.212: ISAKMP: key length is 256

Feb 7 18:41:37.212: ISAKMP:(20308):atts are acceptable.

Feb 7 18:41:37.212: ISAKMP:(20308): IPSec policy invalidated proposal with error 32

Feb 7 18:41:37.212: ISAKMP:(20308): phase 2 SA policy not acceptable! (local e.f.g.h remote a.b.c.d)

Feb 7 18:41:37.212: ISAKMP: set new node -809943149 to QM_IDLE

Feb 7 18:41:37.212: ISAKMP:(20308):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 573410632, message ID = 3485024147

Feb 7 18:41:37.212: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) QM_IDLE

Feb 7 18:41:37.212: ISAKMP:(20308):Sending an IKE IPv4 Packet.

Feb 7 18:41:37.212: ISAKMP:(20308):purging node -809943149

Feb 7 18:41:37.212: ISAKMP:(20308):deleting node -1302683506 error TRUE reason "QM rejected"

Feb 7 18:41:37.164: ISAKMP:(20308): processing ID payload. message ID = 0

Feb 7 18:41:37.164: ISAKMP (20308): ID payload

next-payload : 6

type : 2

FQDN name : RTR2.customer.de

protocol : 17

port : 0

length : 30

Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles

Feb 7 18:41:37.164: ISAKMP:(20308): processing CERT payload. message ID = 0

Feb 7 18:41:37.164: ISAKMP:(20308): processing a CT_X509_SIGNATURE cert

Fix the problem with isakmp profile not being mateched and you will be one step onwards :-)

Hi,

when I´ve posted the information I´ve see the problem. I´ve fixed it. I´ve change the cermap that the cermap only match the hostname.

Now the IPSEC SA came up, but the Hub side don´t send any Packet into the tunnel.

I´ve tried two different configurations....

The first configuration I´ve tried::

interface Virtual-Template11 type tunnel

vrf forwarding CustomerVRF

ip address 10.255.255.17 255.255.255.252

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 7 1234

ip ospf network broadcast

ip ospf mtu-ignore

ip ospf 300 area 2

tunnel mode ipsec ipv4

tunnel vrf OUTSIDE_VTI

tunnel protection ipsec profile P1

With this configuration the Virtual-Access Interface came UP but isn´t in any VRF.

The Secondconfiguration I´ve tried:

Interface loopback0

vrf forwarding CustomerVRF

ip address 10.255.255.17 255.255.255.252

interface Virtual-Template11 type tunnel

vrf forwarding CustomerVRF

ip unnumbered Loopback0

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 7 1234

ip ospf network broadcast

ip ospf mtu-ignore

ip ospf 300 area 2

tunnel mode ipsec ipv4

tunnel vrf OUTSIDE_VTI

tunnel protection ipsec profile P1

With this configuration, the Virtual-Access Interface came UP into the right VRF but I can´t also ping the spoke side tunnel interface. I´ve that their wasn´t send any packet into the tunnel.

Any Idea ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: