The VPN network of my enterprise is built using Cisco VTI IPsec technology. At least 50% of it is built over the Internet.
My VPN hub now has many interfaces. The key ones are the LAN interface Gigabit1, the WAN Internet interface Gigabit2 and the MPLS interface Gigabit3 (CE, no label). I want to rebuild my router with VRFs. I want to move Gigabit2 (Internet) to a separate VRF "Internet" and keep the LAN interface (Gigabit1) and the MPLS interface (Gigabit3) as they are.
Now I have:
interface GigabitEthernet1
 description LAN
 ip address YYY.YYY.YYY.YYY
!
interface GigabitEthernet2
 description Inet
 ip address XXX.XXX.XXX.XXX
!
interface Tunnel123
 ip unnumbered Loopback123
 tunnel source GigabitEthernet2
 tunnel destination SOME.INTERNET.REAL.IP
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Tun-ipsec-profile
I want:
ip vrf Internet
 rd 1:1000
!
interface GigabitEthernet1
 description LAN
 ip address YYY.YYY.YYY.YYY
!
interface GigabitEthernet2
 description Inet
 ip vrf forwarding Internet
 ip address XXX.XXX.XXX.XXX
!
interface Tunnel123
 ip unnumbered Loopback123
 tunnel source GigabitEthernet2
 tunnel destination SOME.INTERNET.REAL.IP
 tunnel mode ipsec ipv4
 tunnel vrf Internet
 tunnel protection ipsec profile Tun-ipsec-profile
==
Can I use "tunnel vrf Internet" in production with IPsec VTI technology? I have found the "tunnel vrf" command in a GRE sample. Will "tunnel vrf" work with IPsec VTI in future IOS releases?
Can I also put "tunnel vrf Internet" in the "interface Virtual-Template1 type tunnel" section?
If the answer is YES, I have one more question:
=========
Can I use "crypto pki server" with this configuration?
When my VPN hub is configured with no VRF, I can connect to the HTTP server on port 80 on any of the interfaces Gigabit1, Gigabit2 and Gigabit3 and get certificates from the PKI server. When I move Gigabit2 to VRF Internet, I cannot connect to Gigabit2's IP address on port 80 from the Internet, and so I cannot get a certificate to authenticate the IPsec session.
==
Sorry for my %% English.
Thanks for your answer. Sergiy.
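As an added example (not part of Sergiy's post), here is the front-door-VRF (fVRF) form of the migration described above, written out for both the static VTI and a dynamic-VTI virtual template, plus the spoke-side trustpoint that fetches its certificate through the spoke's own Internet VRF. Everything beyond the poster's own lines is an assumption: the /24 mask, the ISP next hop NEXT.HOP.IP, the trustpoint name HUB-CA and the enrolment URL HUB.INTERNET.IP. Whether the hub's own HTTP listener accepts connections arriving on a VRF interface in a given IOS image is exactly what the question asks and is not asserted here; the example only shows the pieces whose syntax is fixed.

```cisco
! --- Hub: front-door VRF that carries only the Internet underlay ---
ip vrf Internet
 rd 1:1000
!
! Assumed: a default route inside the VRF so IKE/ESP can reach spokes.
! Without it the tunnel source is in VRF Internet but has no path out.
ip route vrf Internet 0.0.0.0 0.0.0.0 NEXT.HOP.IP
!
interface GigabitEthernet1
 description LAN
 ip address YYY.YYY.YYY.YYY 255.255.255.0
!
! Caveat: "ip vrf forwarding" clears any address already on the interface,
! so it must come BEFORE "ip address" (or the address must be re-entered).
interface GigabitEthernet2
 description Inet
 ip vrf forwarding Internet
 ip address XXX.XXX.XXX.XXX 255.255.255.0
!
! Static VTI: "tunnel vrf" names the VRF in which the outer (source/destination)
! addresses are looked up; the inner "ip unnumbered" stays in the global table.
interface Tunnel123
 ip unnumbered Loopback123
 tunnel source GigabitEthernet2
 tunnel destination SOME.INTERNET.REAL.IP
 tunnel mode ipsec ipv4
 tunnel vrf Internet
 tunnel protection ipsec profile Tun-ipsec-profile
!
! Dynamic VTI: the same "tunnel vrf" goes on the virtual template, so every
! Virtual-Access interface cloned from it terminates the underlay in VRF Internet.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback123
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel vrf Internet
 tunnel protection ipsec profile Tun-ipsec-profile
!
! --- Spoke: enrol against the hub CA through the spoke's Internet VRF ---
! Assumed names/URL. The "vrf" line under the trustpoint makes the SCEP
! enrolment and CRL/OCSP fetches use VRF Internet instead of the global table.
crypto pki trustpoint HUB-CA
 enrollment url http://HUB.INTERNET.IP:80
 vrf Internet
 revocation-check none
!
! --- Verification on the hub after the change ---
! "show crypto session detail" prints an fvrf/ivrf line per session; expect
! fvrf: Internet (underlay) and ivrf: (none) (inner traffic in the global table).
! "show ip route vrf Internet" must show the default route above, and
! "show interfaces Tunnel123" should read line protocol up once IKE completes.
```

The order of operations on GigabitEthernet2 is the part most often got wrong in a live migration: entering "ip vrf forwarding" on an interface that already carries the tunnel source drops its address and therefore every VTI sourced from it, so stage the change (VRF, route, interface, then "tunnel vrf") in one configuration session or from a console rather than over a path that depends on the tunnel.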