11-10-2013 12:10 AM - edited 02-21-2020 07:18 PM
Hi Everyone,
Is it possible to use an IVRF/FVRF setup without VTI? I'm having a hard time getting it working and not finding many examples on the Cisco page.
I did manage to get the VTI version working, but not every device supports VTI, so I need old-fashioned direct encapsulation.
Please let me know if you have a better way.
Here is the configuration in my lab; R1 and R2 are directly connected and reachable to each other:
===========================================================================
R1#
crypto keyring FVRF vrf FVRF-PROVIDER
pre-shared-key address 136.1.18.8 key CISCO
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile IVRF
vrf IVRF-CLIENT
keyring FVRF
match identity address 136.1.18.8 255.255.255.255 FVRF-PROVIDER
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
crypto map VPN 5 ipsec-isakmp
set peer 136.1.18.8
set transform-set 3DES_MD5
set isakmp-profile IVRF
match address LO1_TO_LO3
reverse-route remote-peer 136.1.18.8 static
!
interface Loopback0
ip vrf forwarding IVRF-CLIENT
ip address 150.1.1.1 255.255.255.255
!
interface Ethernet0/0
ip vrf forwarding FVRF-PROVIDER
ip address 136.1.18.1 255.255.255.0
crypto map VPN
!
ip route vrf IVRF-CLIENT 0.0.0.0 0.0.0.0 Ethernet0/0 136.1.18.8
ip route vrf FVRF-PROVIDER 0.0.0.0 0.0.0.0 136.1.18.8
!
ip access-list extended LO1_TO_LO3
permit ip host 150.1.1.1 host 150.1.3.3
R2#
crypto keyring FVRF vrf FVRF-PROVIDER
pre-shared-key address 136.1.18.1 key CISCO
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile IVRF
vrf IVRF-CLIENT
keyring FVRF
match identity address 136.1.18.1 255.255.255.255 FVRF-PROVIDER
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
crypto map VPN 5 ipsec-isakmp
set peer 136.1.18.1
set transform-set 3DES_MD5
set isakmp-profile IVRF
match address LO3_TO_LO1
reverse-route remote-peer 136.1.18.1 static
!
interface Loopback0
ip vrf forwarding IVRF-CLIENT
ip address 150.1.3.3 255.255.255.255
!
interface Ethernet0/0
ip vrf forwarding FVRF-PROVIDER
ip address 136.1.18.8 255.255.255.0
!
ip route vrf IVRF-CLIENT 0.0.0.0 0.0.0.0 Ethernet0/0 136.1.18.1
ip route vrf FVRF-PROVIDER 0.0.0.0 0.0.0.0 136.1.18.1
!
ip access-list extended LO3_TO_LO1
permit ip host 150.1.3.3 host 150.1.1.1
===========================================================================
Thanks in Advance!
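As an added example (not code from the thread or from Cisco), here is a small consistency checker for the FVRF/IVRF crypto-map plumbing in a pasted IOS config like the one above: it verifies that the crypto map's ISAKMP profile and keyring exist, that the keyring VRF matches the FVRF named in `match identity`, and that the map is actually bound to an interface sitting in that FVRF. It assumes the few block types used in the posted config and a paste that has lost its sub-command indentation; the sample fragment is constructed.

```python
import re

TOP = re.compile(r"^(crypto keyring|crypto isakmp profile|crypto map|interface) (\S+)\s*(.*)$")

def parse_blocks(cfg):
    # {kind: {name: [sub-lines]}}; the header remainder (e.g. "vrf FVRF-PROVIDER") is kept as line 0
    blocks, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if cur and cur[0] == "interface" and line.startswith("crypto map "):
            cur[1].append(line)               # binding of a map to the interface, not a new map
        elif m := TOP.match(line):
            cur = (m.group(1), [m.group(3)] if m.group(3) else [])
            blocks.setdefault(m.group(1), {})[m.group(2)] = cur[1]
        elif cur and line and line != "!":
            cur[1].append(line)
    return blocks

def arg_after(lines, prefix):
    return next((l[len(prefix):].split()[0] for l in lines if l.startswith(prefix)), None)

def check_vrf_ipsec(cfg):
    # Returns human-readable findings; an empty list means the plumbing is consistent.
    b = parse_blocks(cfg)
    keyrings, profiles = b.get("crypto keyring", {}), b.get("crypto isakmp profile", {})
    intfs, findings = b.get("interface", {}), []
    for mname, ml in b.get("crypto map", {}).items():
        prof = profiles.get(arg_after(ml, "set isakmp-profile "), [])
        kr = keyrings.get(arg_after(prof, "keyring "), [])
        if not prof or not kr:
            findings.append(f"crypto map {mname}: isakmp profile or its keyring is not defined")
            continue
        fvrf = arg_after(kr, "vrf ") or "global"       # VRF in which the IKE peer is reached
        for tok in (l.split() for l in prof if l.startswith("match identity address ")):
            mvrf = tok[5] if len(tok) > 5 else "global"  # trailing token names the FVRF
            if mvrf != fvrf:
                findings.append(f"crypto map {mname}: match identity FVRF {mvrf} != keyring VRF {fvrf}")
        bound = [i for i, il in intfs.items() if f"crypto map {mname}" in il]
        if not bound:
            findings.append(f"crypto map {mname}: not applied to any interface, so ISAKMP never comes up")
        for i in bound:
            ivrf = arg_after(intfs[i], "ip vrf forwarding ") or "global"
            if ivrf != fvrf:
                findings.append(f"{i}: in VRF {ivrf} but keyring for {mname} is in VRF {fvrf}")
    return findings

# Constructed R2-style fragment (added example, not the thread's config): map defined but never bound
R2_SAMPLE = """crypto keyring FVRF vrf FVRF-PROVIDER
crypto isakmp profile IVRF
keyring FVRF
match identity address 136.1.18.1 255.255.255.255 FVRF-PROVIDER
crypto map VPN 5 ipsec-isakmp
set isakmp-profile IVRF
interface Ethernet0/0
ip vrf forwarding FVRF-PROVIDER"""
```

Running `check_vrf_ipsec(R2_SAMPLE)` reports the unbound map; appending `crypto map VPN` under the interface clears it.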
11-10-2013 12:15 AM
Here is debug output:
R6#debug crypto isa
Crypto ISAKMP debugging is on
R6#debug crypto ipsec
Crypto IPSEC debugging is on
R6#
R6#
R6#ping vrf IVRF-CLIENT 150.1.3.3 source 150.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
*Oct 27 17:20:38.872: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 136.1.18.1:500, remote= 136.1.18.8:500,
local_proxy= 150.1.1.1/255.255.255.255/256/0,
remote_proxy= 150.1.3.3/255.255.255.255/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 27 17:20:38.872: ISAKMP:(0): SA request profile is IVRF
*Oct 27 17:20:38.873: ISAKMP: Created a peer struct for 136.1.18.8, peer port 500
*Oct 27 17:20:38.873: ISAKMP: New peer created peer = 0xB28F83A8 peer_handle = 0x8000000B
*Oct 27 17:20:38.873: ISAKMP: Locking peer struct 0xB28F83A8, refcount 1 for isakmp_initiator
*Oct 27 17:20:38.873: ISAKMP: local port 500, remote port 500
*Oct 27 17:20:38.873: ISAKMP: set new node 0 to QM_IDLE
*Oct 27 17:20:38.873: ISAKMP:(0):insert sa successfully sa = B29AC780
*Oct 27 17:20:38.873: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Oct 27 17:20:38.873: ISAKMP:(0):Found ADDRESS key in keyring FVRF
*Oct 27 17:20:38.873: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 27 17:20:38.873: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Oct 27 17:20:38.873: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Oct 27 17:20:38.873: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 27 17:20:38.873: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Oct 27 17:20:38.873: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Oct 27 17:20:38.873: ISAKMP:(0): beginning Main Mode exchange
*Oct 27 17:20:38.873: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 27 17:20:38.873: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
R6#
*Oct 27 17:20:48.882: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 27 17:20:48.882: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 27 17:20:48.882: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 27 17:20:48.882: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 27 17:20:48.882: ISAKMP:(0):Sending an IKE IPv4 Packet.
R6#
*Oct 27 17:20:58.888: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 27 17:20:58.888: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 27 17:20:58.888: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 27 17:20:58.888: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 27 17:20:58.888: ISAKMP:(0):Sending an IKE IPv4 Packet.
R6#
*Oct 27 17:21:08.872: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 136.1.18.1:0, remote= 136.1.18.8:0,
local_proxy= 150.1.1.1/255.255.255.255/256/0,
remote_proxy= 150.1.3.3/255.255.255.255/256/0
*Oct 27 17:21:08.872: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 136.1.18.1:500, remote= 136.1.18.8:500,
local_proxy= 150.1.1.1/255.255.255.255/256/0,
remote_proxy= 150.1.3.3/255.255.255.255/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 27 17:21:08.873: ISAKMP: set new node 0 to QM_IDLE
*Oct 27 17:21:08.873: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 136.1.18.1, remote 136.1.18.8)
*Oct 27 17:21:08.873: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 27 17:21:08.873: ISAKMP: Error while processing KMI message 0, error 2.
*Oct 27 17:21:08.897: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 27 17:21:08.897: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Oct 27 17:21:08.897: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 27 17:21:08.897: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE
R6#
*Oct 27 17:21:08.897: ISAKMP:(0):Sending an IKE IPv4 Packet.
R6#
*Oct 27 17:21:18.921: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 27 17:21:18.921: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 27 17:21:18.921: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 27 17:21:18.921: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 27 17:21:18.922: ISAKMP:(0):Sending an IKE IPv4 Packet.
R6#
*Oct 27 17:21:28.928: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 27 17:21:28.928: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Oct 27 17:21:28.928: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 27 17:21:28.928: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 27 17:21:28.928: ISAKMP:(0):Sending an IKE IPv4 Packet.
R6#
*Oct 27 17:21:38.873: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 136.1.18.1:0, remote= 136.1.18.8:0,
local_proxy= 150.1.1.1/255.255.255.255/256/0,
remote_proxy= 150.1.3.3/255.255.255.255/256/0
*Oct 27 17:21:38.935: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 27 17:21:38.935: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 27 17:21:38.936: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 136.1.18.8)
*Oct 27 17:21:38.936: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 136.1.18.8)
R6#
*Oct 27 17:21:38.936: ISAKMP: Unlocking peer struct 0xB28F83A8 for isadb_mark_sa_deleted(), count 0
*Oct 27 17:21:38.936: ISAKMP: Deleting peer node by peer_reap for 136.1.18.8: B28F83A8
*Oct 27 17:21:38.936: ISAKMP:(0):deleting node -772160409 error FALSE reason "IKE deleted"
*Oct 27 17:21:38.936: ISAKMP:(0):deleting node 14805770 error FALSE reason "IKE deleted"
*Oct 27 17:21:38.936: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 27 17:21:38.936: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Oct 27 17:21:38.936: IPSEC(key_engine): got a queue event with 1 KMI message(s)
R6#
11-10-2013 01:41 AM
Mind that you're failing at MM1/MM2; have a look on the remote end at what's going on in the debugs.
VRF-aware IPsec cheat sheet for reference:
11-10-2013 02:21 AM
Hi Marcin,
Thanks for your help so far.
R2# debug crypto isa and debug crypto ipsec show nothing.
R2# debug ip packet shows packets coming from R1.
It seems nothing is triggering ISAKMP on R2; the packets I see are sourced from Eth0/0 on R1 and destined to Eth0/0 on R2, that is all.
I checked that link: https://supportforums.cisco.com/docs/DOC-13524 but neither of those configurations works.
If it helps someone, to get the VTI tunnel-protection version from that link working, add the following line (tested in the lab, and I have a similar setup working in production using loopbacks):
=================================
crypto isakmp profile cust1-ike-prof
vrf internet-vrf
keyring internet-keyring
match identity address 10.1.1.2 255.255.255.255 internet-vrf
isakmp authorization list default
local-address GigabitEthernet0/0
=================================
However, in my new situation the other end is not VTI compatible, so I need the direct encapsulation equivalent...
11-10-2013 06:49 AM
Well, if debug ip packet shows those packets arriving but not being processed, it can mean several things.
Reload the R2 router if you have not done so, or try removing the crypto map from the interface; this should cause ISAKMP to be re-triggered to "ON" on this router.
If worse comes to worst, open a TAC case; at least they will see if there is a receive adjacency and a socket on R2.