IPSec multi vrf not working

MysticalTh0r
Level 1

Hi all,

 

I'd like some help with a scenario I've got. I have two ASR 1K routers which have a VRF on the LAN interface and another VRF on the WAN interface. By configuring route leaking I can ping from LAN to LAN and it works fine. The problem arises when I try to establish an IPsec session between them.

I create keyrings and profiles associated with the LAN interfaces, but I have to apply the crypto map to the WAN interfaces, and when I do so IKE phase 1 doesn't find the profile. If, on the other hand, I associate the keyrings and profiles with the WAN VRF, it negotiates IKE phase 1 fine but not phase 2.

Is it a software limitation, or might it be due to a bug? Any ideas on how to configure it?

Here are the error messages:

ISAKMP-ERROR: (0):Preshared authentication offered but does not match policy!
ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
ISAKMP-ERROR: (0):no offers accepted!
ISAKMP-ERROR: (0):phase 1 SA policy not acceptable!

Thanks,

Best regards.

4 Replies

Hi, please can you post your sanitised configuration?

Sure, here is the configuration:

crypto keyring customer vrf vrf-LAN
 pre-shared-key address 0.0.0.0 0.0.0.0 key customer
 ! (here we tested also with the exact IP address too)
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 21600
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
crypto isakmp profile PROFILE1
 vrf vrf-LAN
 keyring customer
 match identity address <IP> <MASK> vrf-LAN
 keepalive 60 retry 2
crypto ipsec security-association lifetime seconds 18000
crypto ipsec security-association replay disable
crypto ipsec transform-set transform esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
crypto map CRYPTOMAP local-address GigabitEthernet0/0/0
crypto map CRYPTOMAP 2001 ipsec-isakmp
 set peer <IP> <MASK>
 set security-association idle-time 200 default
 set transform-set transform
 set isakmp-profile PROFILE1
 match address 2001

interface GigabitEthernet0/0/2
 ip vrf forwarding VRF-WAN
 ip address <IP> <MASK>
 no ip redirects
 no ip proxy-arp
 crypto map CRYPTOMAP
end

interface GigabitEthernet0/0/0
 ip vrf forwarding vrf-LAN
 ip address <IP> <MASK>
 no ip redirects
 ip directed-broadcast
 no ip proxy-arp

 

As you can see, everything that has to do with IPsec (keyring, profile, etc.) is linked to the LAN VRF (vrf-LAN), but the crypto map is applied to the WAN interface, which is in a different VRF.

Hi, try the modifications below (the changed VRF references are marked with a ! comment).

! changed: keyring VRF is now VRF-WAN (was vrf-LAN)
crypto keyring customer vrf VRF-WAN
 pre-shared-key address 0.0.0.0 0.0.0.0 key customer

crypto isakmp profile PROFILE1
 vrf vrf-LAN
 keyring customer
 ! changed: match identity VRF is now VRF-WAN (was vrf-LAN)
 match identity address <IP> <MASK> VRF-WAN

 

HTH
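The added example below is not the original poster's or the replier's configuration; it is one side of a crypto-map IPsec tunnel laid out the way the opening post and the reply above describe it: the WAN interface in VRF-WAN acts as the front-door VRF (FVRF), where the IKE and ESP packets arrive, and the LAN in vrf-LAN is the inside VRF (IVRF) that carries the cleartext traffic. It follows the split the reply makes: the keyring VRF and the match identity VRF are the FVRF, while the profile's own vrf command names the IVRF, and it points the crypto map's local-address at the interface the map is actually applied to. All addresses, the VRF route distinguishers, the ACL, keyring, profile and transform-set names, the crypto-map name and sequence number, and the next-hop routes are assumptions chosen for illustration; the second router is the mirror image.

```cisco
! Added example, not the configuration from the thread. Router A of a
! pair; Router B is the mirror (swap 10.1.1.0/24 <-> 10.2.2.0/24 and
! 198.51.100.1 <-> 203.0.113.1). All addresses and names are assumed.
!
ip vrf VRF-WAN
 rd 65000:1
ip vrf vrf-LAN
 rd 65000:2
!
! Keyring: the VRF here must be the FVRF, because IKE packets arrive on
! the WAN interface and the pre-shared key is looked up in that VRF.
crypto keyring KR-CUSTOMER vrf VRF-WAN
 pre-shared-key address 203.0.113.1 key customer
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 21600
crypto isakmp keepalive 60
!
! ISAKMP profile: "vrf" sets the IVRF (where the protected traffic lives);
! the VRF on "match identity" is the FVRF the peer's IKE packets are in.
crypto isakmp profile PROF-CUSTOMER
 vrf vrf-LAN
 keyring KR-CUSTOMER
 match identity address 203.0.113.1 255.255.255.255 VRF-WAN
!
crypto ipsec transform-set TS-CUSTOMER esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: the proxy identities are the IVRF subnets. The peer's ACL
! must be the exact mirror (10.2.2.0/24 -> 10.1.1.0/24) or phase 2 fails.
ip access-list extended ACL-CRYPTO-CUSTOMER
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! local-address is the WAN interface, i.e. the interface the map is
! applied to, so IKE is sourced from the FVRF address.
crypto map CM-WAN local-address GigabitEthernet0/0/2
crypto map CM-WAN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-CUSTOMER
 set isakmp-profile PROF-CUSTOMER
 match address ACL-CRYPTO-CUSTOMER
!
interface GigabitEthernet0/0/2
 description WAN (FVRF)
 ip vrf forwarding VRF-WAN
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-WAN
!
interface GigabitEthernet0/0/0
 description LAN (IVRF)
 ip vrf forwarding vrf-LAN
 ip address 10.1.1.1 255.255.255.0
!
! The IVRF needs a route for the remote LAN that leaves via the crypto-map
! interface in the FVRF (inter-VRF static route, i.e. route leaking), and
! the FVRF needs a route to the peer's public address.
ip route vrf vrf-LAN 10.2.2.0 255.255.255.0 GigabitEthernet0/0/2 198.51.100.254
ip route vrf VRF-WAN 0.0.0.0 0.0.0.0 198.51.100.254
```

With both sides configured, show crypto isakmp sa shows the phase 1 state, show crypto session detail shows the session together with the profile and IVRF it was bound to, and show crypto ipsec sa shows the proxy identities negotiated in phase 2. When phase 1 succeeds but the phase 2 proposal is rejected, the first thing to compare is the two crypto ACLs, which must be exact mirrors of each other, followed by the transform sets.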

Hi, 

 

Thanks for the reply. 

 

By doing this it goes through phase 1 but fails phase 2, as happened to me on similar tests with "mixed" configurations referencing one VRF and the other. The error now is this:

 

ISAKMP-ERROR: (1006):IPSec policy invalidated proposal with error 8
ISAKMP-ERROR: (1006):phase 2 SA policy not acceptable!
