Multiple IKEv2 VRF VPNs between same source and destination

Andy14
Level 1

Hi

 

My requirement is to implement two VPNs from the same source ISR to the same destination ASA. Each VPN will use a cellular module. The ISR is fitted with two cellular modules.

 

I have a problem where I can’t route IP traffic arriving on an Ethernet interface on my ISR into a VRF VPN. At least I think that is what is happening, although I don’t know how to confirm this. I have two VRF VPNs and IP traffic is hitting my local network, but the IP responses are not going back down the VRF VPN. There are loopback interfaces on the ISR, each in its appropriate VRF. The IP responses are working from both loopback interfaces.

 

Further details:

 

  1. I am running an ISR with 2 cellular modules.

  2. I have created two IKEv2 VPNs from the ISR to a single ASA. This is for resilience over different cellular networks.

  3. Each VPN uses a VRF to allow them to co-exist and route traffic correctly. Each VPN carries traffic for its own subnet. There are two subnets; one for each VPN.

  4. There are two loopback interfaces; each residing in the VRF for that VPN.

  5. IP traffic arrives from each cellular network and is sent out the LAN-based Ethernet interface.

  6. Hosts on the LAN respond. The IP traffic is sent to the ISR but it doesn’t arrive at the remote ASA.

  7. On the ISR I have two loopback interfaces, for testing, where each resides in the same VRF as the VPN it corresponds to. All is working with the loopback interfaces on the ISR. The remote ASA receives an ICMP response from each of these.

  8. For historic reasons I have not used a VTI. I am using crypto maps. That said, the VPN aspect all seems to work.

  9. I am using twice NAT on each of the ASAs to provide separate routes.

 

[Attachment: network.png]


5 Replies

Same destination; I think the ISAKMP has failed.

Both IKEv2s are present. Each IPSEC LAN is active and related to its own cellular interface. The test loopback interfaces for each LAN can be pinged from the remote end by choosing the appropriate destination. Traffic is sent from the router for each VPN. Therefore the VPNs are all working correctly.

 

The issue is the traffic going back into the router?

nagrajk1969
Spotlight

Hi

Is your network deployment as in the attached schematic?

 

If yes:

1. As far as the IPsec tunnels protecting VRF-1/VRF-2 to/from the LAN-2 network (behind ASA-2) are concerned, I think routing between them through the 2 IPsec tunnels will work. You have mentioned that it does.

- But although you have defined 2 VRFs, there are NO hosts connected to the ISR in those 2 VRFs, right? The ISR router is just that - a WAN router for ASA-1, right?

 

2. But I think your requirement is to route traffic between the LAN-1 network (behind ASA-1) and the LAN-2 network (behind ASA-2), and these should flow through the 2 IPsec tunnels between the ISR and ASA-2? Am I right in my understanding?

 

3. If point 2 is yes... then I don't understand how the 2 VRFs fit in?

 

Can you please elaborate further with some details on:

a) Is there an IPsec tunnel between ASA-1 and the ISR (on the Ethernet interface connecting them to each other)?

b) What are the actual IP subnets configured for VRF1, VRF2, LAN1 and LAN2?

c) What are the IPsec policies configured for each of the 2 IPsec tunnels between the ISR and ASA-2?

d) From the deployment diagram posted by you and my schematic, I don't understand how you intend to bind the 2 VRFs to the LAN-1 network of ASA-1?

 

 

 

Andy14
Level 1

Hi and thank you for your response.

I resolved the issue in the end.

  1. I am using an IPsec tunnel on each cellular interface.
  2. Each IPsec tunnel resides in its own VRF.
  3. What I needed to do was add a route-map.
  4. When the LAN traffic matches the ACL in the route-map, I set the VRF.

It's now all working perfectly.

 

Thank you for your response.
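For readers wanting to see what the route-map approach in the accepted answer looks like, here is an added IOS configuration sketch; it is not the poster's configuration, and the VRF names, interface names, ACL names and subnets are all assumptions. The IKEv2 and crypto-map side is left out, since the thread says that part was already working.

```cisco
! Added illustration, not the poster's configuration. Names, interfaces
! and subnets are assumptions; the real values come from the deployment.
vrf definition VRF-CELL1
 address-family ipv4
 exit-address-family
vrf definition VRF-CELL2
 address-family ipv4
 exit-address-family
!
! Each cellular interface (carrying its crypto map) lives in its own VRF.
interface Cellular0/1/0
 vrf forwarding VRF-CELL1
interface Cellular0/2/0
 vrf forwarding VRF-CELL2
!
! Remote subnets reached through each VPN (assumed values). Only the
! subnet that belongs to a tunnel is matched, so unrelated LAN traffic
! is not silently pushed into a VRF.
ip access-list extended LAN-TO-VPN1
 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
ip access-list extended LAN-TO-VPN2
 permit ip 192.168.10.0 0.0.0.255 10.2.0.0 0.0.255.255
!
! Policy route-map: LAN replies matching an ACL are looked up in the
! VRF of the VPN they belong to instead of the global table.
route-map LAN-VRF-SELECT permit 10
 match ip address LAN-TO-VPN1
 set vrf VRF-CELL1
route-map LAN-VRF-SELECT permit 20
 match ip address LAN-TO-VPN2
 set vrf VRF-CELL2
! No catch-all sequence: unmatched traffic keeps normal global routing.
!
! The VRF still needs a route so the packet exits the right cellular
! interface, where the crypto map encrypts it.
ip route vrf VRF-CELL1 10.1.0.0 255.255.0.0 Cellular0/1/0
ip route vrf VRF-CELL2 10.2.0.0 255.255.0.0 Cellular0/2/0
!
interface GigabitEthernet0/0/1
 description LAN (global routing table)
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map LAN-VRF-SELECT
!
! Checks (exec mode): "show route-map LAN-VRF-SELECT" should show the
! policy match counters rising on the correct sequence for each VPN;
! "show crypto ipsec sa" encrypt counters should rise on both tunnels.
```

If a reply hits the LAN interface but neither ACL matches it, it falls into the global table and never reaches the tunnel, which is the symptom described in the original question.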

etehis267
Level 1

I did something comparable for Webex Control Hub and idea it became a completely neat experience. I look ahead to sharing my comments here, and to peer what the destiny may hold as soon as the studies is conducted and understood.