Hi all,

I have a problem with a configuration using crypto maps and vrf-lite.

My router has 3 logical interfaces

- two of them (WAN_GLOBAL, LAN_GLOBAL) belong to the global routing table

- one (LAN_VRF) belongs to a VRF MyVRF

Interesting addresses in MyVRF (behind interface LAN_VRF) are statically natted to global routing table addresses so that communication is possible between the global routing table and the VRF. This configuration is working fine.

Unfortunately in my scenario all the traffic coming from a VRF natted address and going to a remote destination needs to be tunneled using IPsec to a remote peer so I added a crypto map to the WAN_GLOBAL interface.

The problem is that the router completely ignores all traffic originated behind the VRF interface even if a matching access-list entry is associated with the crypto map. All other interesting traffic originated behing global routing table interfaces is correctly matched and encrypted.

It seems that packets coming from a vrf interface are treated differently even after they have been "moved" to the global routing table and natted.

Is this an unexpected behaviour or I'm missing something?

The configuration I used is a classic crypto map configuration like this :

! *** Incomplete configuration ***

ip access-list ext VPN

! Interesting traffic from a global routing table interface

permit ip host 10.0.0.1 host 10.255.0.1 ! ... this works

! Interesting traffic from the VRF interface

! (source address is the NAT address not the original VRF address)

permit ip host 10.1.0.1 host 10.255.0.1 ! ... this one is not matched

!

crypto isakmp key ... address ...

crypto map CM perm 10 ipsec-isakmp

set peer ...

set transform-set TS

match address VPN

!

interface <WAN_GLOBAL>

ip nat outside

crypto map CM

!

interface <LAN_VRF>

ip nat inside

ip vrf forwarding MyVRF

!

...

Thank you very much in advance for your help.

Regards,

Alessandro