Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2392
Views
5
Helpful
3
Replies

OSPF Routing on a VRF using GRE Tunnel with ISAKMP

Go to solution
Kai Onken
Level 1
Level 1

‎09-16-2011 12:56 PM

Hello,

I'm trying to set up an OSPF Routing on a VRF using GRE Tunnel with ISAKMP encryption.

Nearly everything works fine:

1. OSPF Routing incl. VRF - Perfect

2. OSPF Routing distribution using GRE Tunnel and VRF - Perfect

3. ISAKMP encryption - I think I made one or more mistackes.

On the attaced file you could find Excel sheet, which includes both router configurations and an netzwork scetch.

I would be very happy if somebody could solve my problem or give me a hint.

Thanks very much.

Labels:
Preview file
122 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎09-20-2011 04:07 AM

Hi Kai,

your keyring is not in the correct vrf - note that there is a difference between the FVRF and the IVRF, see

In you case, ISAKMP traffic is sent on/arriving on the F0/1.10 interface so the FVRF is the global vrf, and so the keyring should be in the global vrf.

In other words replace this:

  crypto keyring Customer_10_Keyring vrf   Customer_10

with:

  crypto keyring Customer_10_Keyring

BTW the above document also has a nice example on how to use "tunnel protection", so you don't have to use a crypto map anymore. Actually I'm not 100% if it's supported to do GRE/IPsec with VRFs without using tunnel protection,  so maybe try that if you still have problems.

hth

Herbert

View solution in original post

0 Helpful

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee
In response to Kai Onken

‎11-17-2011 01:37 AM

Hi Kai,

do you mean this solved the problem? If so, please mark this thread as "answered" and thanks for providing the working config!.

If not then please clarify the current behavior you see.

regards

Herbert

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎09-20-2011 04:07 AM

Hi Kai,

your keyring is not in the correct vrf - note that there is a difference between the FVRF and the IVRF, see

In you case, ISAKMP traffic is sent on/arriving on the F0/1.10 interface so the FVRF is the global vrf, and so the keyring should be in the global vrf.

In other words replace this:

  crypto keyring Customer_10_Keyring vrf   Customer_10

with:

  crypto keyring Customer_10_Keyring

BTW the above document also has a nice example on how to use "tunnel protection", so you don't have to use a crypto map anymore. Actually I'm not 100% if it's supported to do GRE/IPsec with VRFs without using tunnel protection,  so maybe try that if you still have problems.

hth

Herbert

0 Helpful

Go to solution
Kai Onken
Level 1
Level 1
In response to Herbert Baerten

‎11-17-2011 12:39 AM

Thank you Herbert for the hint.

For all other users you can find the configuration here:

Preview file
200 KB

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee
In response to Kai Onken

‎11-17-2011 01:37 AM

Hi Kai,

do you mean this solved the problem? If so, please mark this thread as "answered" and thanks for providing the working config!.

If not then please clarify the current behavior you see.

regards

Herbert

0 Helpful
Customers Also Viewed These Support Documents