Direct Encap IPSEC using FVRF and IVRF

jphwilliams · ‎11-10-2013

Hi Everyone,

Is it possible to use IVRF/VRF setup without VTI? Having hard luck getting it working and not finding many examples on Cisco page.

Did manage to get VTI version working, but not every device supports VTI so need old fashioned direct encap.

Please let me know if you have a better way.

Here is the configuration in my lab, R1 and R2 are directly connected and reachable to eachother:

===========================================================================

R1#

crypto keyring FVRF vrf FVRF-PROVIDER

pre-shared-key address 136.1.18.8 key CISCO

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp profile IVRF

vrf IVRF-CLIENT

keyring FVRF

match identity address 136.1.18.8 255.255.255.255 FVRF-PROVIDER

!

crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

!

crypto map VPN 5 ipsec-isakmp

set peer 136.1.18.8

set transform-set 3DES_MD5

set isakmp-profile IVRF

match address LO1_TO_LO3

reverse-route remote-peer 136.1.18.8 static

!

interface Loopback0

ip vrf forwarding IVRF-CLIENT

ip address 150.1.1.1 255.255.255.255

!

interface Ethernet0/0

ip vrf forwarding FVRF-PROVIDER

ip address 136.1.18.1 255.255.255.0

crypto map VPN

!

ip route vrf IVRF-CLIENT 0.0.0.0 0.0.0.0 Ethernet0/0 136.1.18.8

ip route vrf FVRF-PROVIDER 0.0.0.0 0.0.0.0 136.1.18.8

!

ip access-list extended LO1_TO_LO3

permit ip host 150.1.1.1 host 150.1.3.3

R2#

crypto keyring FVRF vrf FVRF-PROVIDER

pre-shared-key address 136.1.18.1 key CISCO

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp profile IVRF

vrf IVRF-CLIENT

keyring FVRF

match identity address 136.1.18.1 255.255.255.255 FVRF-PROVIDER

!

crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

!

crypto map VPN 5 ipsec-isakmp

set peer 136.1.18.1

set transform-set 3DES_MD5

set isakmp-profile IVRF

match address LO3_TO_LO1

reverse-route remote-peer 136.1.18.1 static

!

interface Loopback0

ip vrf forwarding IVRF-CLIENT

ip address 150.1.3.3 255.255.255.255

!

interface Ethernet0/0

ip vrf forwarding FVRF-PROVIDER

ip address 136.1.18.8 255.255.255.0

!

ip route vrf IVRF-CLIENT 0.0.0.0 0.0.0.0 Ethernet0/0 136.1.18.1

ip route vrf FVRF-PROVIDER 0.0.0.0 0.0.0.0 136.1.18.1

!

ip access-list extended LO3_TO_LO1

permit ip host 150.1.3.3 host 150.1.1.1

===========================================================================

Thanks in Advance!

jphwilliams · ‎11-10-2013

Here is debug output:

R6#debug crypto isa

Crypto ISAKMP debugging is on

R6#debug crypto ipsec

Crypto IPSEC debugging is on

R6#

R6#ping vrf IVRF-CLIENT 150.1.3.3 source 150.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:

Packet sent with a source address of 150.1.1.1

*Oct 27 17:20:38.872: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 136.1.18.1:500, remote= 136.1.18.8:500,

local_proxy= 150.1.1.1/255.255.255.255/256/0,

remote_proxy= 150.1.3.3/255.255.255.255/256/0,

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Oct 27 17:20:38.872: ISAKMP:(0): SA request profile is IVRF

*Oct 27 17:20:38.873: ISAKMP: Created a peer struct for 136.1.18.8, peer port 500

*Oct 27 17:20:38.873: ISAKMP: New peer created peer = 0xB28F83A8 peer_handle = 0x8000000B

*Oct 27 17:20:38.873: ISAKMP: Locking peer struct 0xB28F83A8, refcount 1 for isakmp_initiator

*Oct 27 17:20:38.873: ISAKMP: local port 500, remote port 500

*Oct 27 17:20:38.873: ISAKMP: set new node 0 to QM_IDLE

*Oct 27 17:20:38.873: ISAKMP:(0):insert sa successfully sa = B29AC780

*Oct 27 17:20:38.873: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Oct 27 17:20:38.873: ISAKMP:(0):Found ADDRESS key in keyring FVRF

*Oct 27 17:20:38.873: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Oct 27 17:20:38.873: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Oct 27 17:20:38.873: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Oct 27 17:20:38.873: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Oct 27 17:20:38.873: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Oct 27 17:20:38.873: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Oct 27 17:20:38.873: ISAKMP:(0): beginning Main Mode exchange

*Oct 27 17:20:38.873: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE

*Oct 27 17:20:38.873: ISAKMP:(0):Sending an IKE IPv4 Packet......

Success rate is 0 percent (0/5)

R6#

*Oct 27 17:20:48.882: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Oct 27 17:20:48.882: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Oct 27 17:20:48.882: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Oct 27 17:20:48.882: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE

*Oct 27 17:20:48.882: ISAKMP:(0):Sending an IKE IPv4 Packet.

R6#

*Oct 27 17:20:58.888: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Oct 27 17:20:58.888: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Oct 27 17:20:58.888: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Oct 27 17:20:58.888: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE

*Oct 27 17:20:58.888: ISAKMP:(0):Sending an IKE IPv4 Packet.

R6#

*Oct 27 17:21:08.872: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 136.1.18.1:0, remote= 136.1.18.8:0,

local_proxy= 150.1.1.1/255.255.255.255/256/0,

remote_proxy= 150.1.3.3/255.255.255.255/256/0

*Oct 27 17:21:08.872: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 136.1.18.1:500, remote= 136.1.18.8:500,

local_proxy= 150.1.1.1/255.255.255.255/256/0,

remote_proxy= 150.1.3.3/255.255.255.255/256/0,

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Oct 27 17:21:08.873: ISAKMP: set new node 0 to QM_IDLE

*Oct 27 17:21:08.873: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 136.1.18.1, remote 136.1.18.8)

*Oct 27 17:21:08.873: ISAKMP: Error while processing SA request: Failed to initialize SA

*Oct 27 17:21:08.873: ISAKMP: Error while processing KMI message 0, error 2.

*Oct 27 17:21:08.897: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Oct 27 17:21:08.897: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Oct 27 17:21:08.897: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Oct 27 17:21:08.897: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE

R6#

*Oct 27 17:21:08.897: ISAKMP:(0):Sending an IKE IPv4 Packet.

R6#

*Oct 27 17:21:18.921: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Oct 27 17:21:18.921: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Oct 27 17:21:18.921: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Oct 27 17:21:18.921: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE

*Oct 27 17:21:18.922: ISAKMP:(0):Sending an IKE IPv4 Packet.

R6#

*Oct 27 17:21:28.928: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Oct 27 17:21:28.928: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Oct 27 17:21:28.928: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Oct 27 17:21:28.928: ISAKMP:(0): sending packet to 136.1.18.8 my_port 500 peer_port 500 (I) MM_NO_STATE

*Oct 27 17:21:28.928: ISAKMP:(0):Sending an IKE IPv4 Packet.

R6#

*Oct 27 17:21:38.873: IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 136.1.18.1:0, remote= 136.1.18.8:0,

local_proxy= 150.1.1.1/255.255.255.255/256/0,

remote_proxy= 150.1.3.3/255.255.255.255/256/0

*Oct 27 17:21:38.935: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Oct 27 17:21:38.935: ISAKMP:(0):peer does not do paranoid keepalives.

*Oct 27 17:21:38.936: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 136.1.18.8)

R6#

*Oct 27 17:21:38.936: ISAKMP: Unlocking peer struct 0xB28F83A8 for isadb_mark_sa_deleted(), count 0

*Oct 27 17:21:38.936: ISAKMP: Deleting peer node by peer_reap for 136.1.18.8: B28F83A8

*Oct 27 17:21:38.936: ISAKMP:(0):deleting node -772160409 error FALSE reason "IKE deleted"

*Oct 27 17:21:38.936: ISAKMP:(0):deleting node 14805770 error FALSE reason "IKE deleted"

*Oct 27 17:21:38.936: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Oct 27 17:21:38.936: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Oct 27 17:21:38.936: IPSEC(key_engine): got a queue event with 1 KMI message(s)

R6#

Marcin Latosiewicz · ‎11-10-2013

Mind that you're failing at MM1 MM2, have a look on remote end what's going on in debugs.

VRF aware IPsec cheat sheet for reference:

https://supportforums.cisco.com/docs/DOC-13524

jphwilliams · ‎11-10-2013

Hi Marcin,

Thanks for your help so far.

R2# debug crypto isa and debug crypto ipsec shows nothing.

R2# debug ip packet shows packets coming from R1.

Seems nothing is triggering ISAKMP on R2, the packets I see are sourced from Eth0/0 on R1, destined to Eth0/0 on R2, that is all.

Checked that link: https://supportforums.cisco.com/docs/DOC-13524 but neither of those configurations work.

If it helps someone, to get VTI tunnel-protection version working from that link, add the following line (tested in lab and have similar setup working in production using loopbacks):

=================================

crypto isakmp profile cust1-ike-prof

vrf internet-vrf

keyring internet-keyring

match identity address 10.1.1.2 255.255.255.255 internet-vrf

isakmp authorization list default

local-address GigabitEthernet0/0

=================================

However in my new situation, the other end is not VTI compatible, so I need the direct encapsulation equivalent...

Marcin Latosiewicz · ‎11-10-2013

Well if debug ip packet shows those packets arriving but no processed, it can mean several things.

Reload the R2 router if you have not done so, or try removing crypto map from interface this should cause ISAKMP to be re-triggerd to "ON" on this router.

Bad comes to worse, open a TAC case, at least they will see if there is a recive adjacancy and a socket on R2.