Routing of Global IP addresses over a VRF-aware IPSec

Kaushik Ray (Level 1)

Hello All

I would be extremely grateful to have your advice on the following.

I have already setup an IPSec tunnel which had to be VRF-aware because of how the setup is to break out to the ISP provider. However, the traffic I need to route over this tunnel includes some IP addresses which are in the Global Routing Table and hence I cannot put them into a VRF. 

I am new to VPN and would be thankful if someone could advise me of a document I can refer to for this, or give any insight as to how this can be approached.

Any help will be much appreciated.

Look forward to your response.

Many Thanks


Kaushik Ray (Level 1)

Can anybody advise me on this, please?

Hello Kaushik,

Can you provide a little bit more detail?

- configuration of IPsec tunnels

- what protocol do you use to route traffic

- how many routes you need to route across IPsec tunnel

Best Regards

Please rate all helpful posts and close solved questions


Thank you for your reply; my current configuration is as follows.

I have temporarily connected the two routers back to back and am using Loopbacks to simulate LANs for testing purposes.

I need to transfer only this one LAN IP address across, for management.

The configs I have created are as follows:

Router A

!
interface Loopback10
 ip vrf forwarding inet
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback11
 ip address 192.168.1.1 255.255.255.255
!
crypto keyring CRYPTO_KEYRING_inet vrf inet
  pre-shared-key address 10.1.1.2 key ABCD
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile CRYPTO_PROFILE_inet
   vrf inet
   keyring CRYPTO_KEYRING_inet
   match identity address 10.1.1.2 255.255.255.255 inet
!
crypto ipsec transform-set CRYPTO_TRANSFORM_inet esp-3des esp-sha-hmac
!
crypto map CRYPTO_MAP_inet 15 ipsec-isakmp
 set peer 10.1.1.2
 set security-association lifetime seconds 14400
 set transform-set CRYPTO_TRANSFORM_inet
 set isakmp-profile CRYPTO_PROFILE_inet
 match address inet-VPN-OUT.acl
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip vrf forwarding inet
 ip address 10.1.1.1 255.255.255.252
 crypto map CRYPTO_MAP_inet
!
ip route vrf inet 0.0.0.0 0.0.0.0 10.1.1.2
!
ip access-list extended inet-VPN-OUT.acl
 permit ip host 1.1.1.1 host 2.2.2.2
!

RTR-A#ping vrf inet 2.2.2.2 so lo10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

RTR-A# sh cry session

Crypto session current status

Interface: FastEthernet0/0.100
Profile: CRYPTO_PROFILE_inet
Session status: UP-ACTIVE
Peer: 10.1.1.2 port 500
  IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active
  IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.2
        Active SAs: 2, origin: crypto map
RTR-A#

RTR B

crypto keyring CRYPTO_KEYRING_inet vrf inet
  pre-shared-key address 10.1.1.1 key ABCD
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile CRYPTO_PROFILE_inet
   vrf inet
   keyring CRYPTO_KEYRING_inet
   match identity address 10.1.1.1 255.255.255.255 inet
crypto ipsec transform-set CRYPTO_TRANSFORM_inet esp-3des esp-sha-hmac
crypto map CRYPTO_MAP_inet 15 ipsec-isakmp
 set peer 10.1.1.1
 set security-association lifetime seconds 14400
 set transform-set CRYPTO_TRANSFORM_inet
 set isakmp-profile CRYPTO_PROFILE_inet
 match address inet-VPN-OUT.acl
!
interface Loopback10
 ip vrf forwarding inet
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback11
 ip address 192.168.2.1 255.255.255.255
!
interface FastEthernet0/1.100
 encapsulation dot1Q 100
 ip vrf forwarding inet
 ip address 10.1.1.2 255.255.255.252
 crypto map CRYPTO_MAP_inet
!
ip route vrf inet 0.0.0.0 0.0.0.0 10.1.1.1
ip access-list extended inet-VPN-OUT.acl
 permit ip host 2.2.2.2 host 1.1.1.1
!

I need to find a way to create a tunnel which will allow lo11s at the two ends to be able to ping each other.

I don't know if this is exactly what you need, but below is how I made it work in GNS. Basically, what I did is just make another tunnel between the peers for non-VRF traffic, i.e.:

1. Put the outside interface in the global routing table.

2. Created another ISAKMP profile, so the traffic between subnets which are not part of any VRF (your Loopback11) will match it and be forwarded using the global routing table.

3. Added the corresponding crypto-map sequence and proxy ACL.

4. Added some routes.

Here's the config (unrelated lines omitted):

R1#sh run
Building configuration...
!
version 12.4
hostname R1
!
ip cef
!
ip vrf inet
!
crypto keyring CRYPTO_KEYRING_inet
  pre-shared-key address 10.1.1.1 key ABCD
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile CRYPTO_PROFILE_inet
   vrf inet
   keyring CRYPTO_KEYRING_inet
   match identity address 10.1.1.1 255.255.255.255
crypto isakmp profile CRYPTO_PROFILE_GLOBAL
   keyring CRYPTO_KEYRING_inet
   match identity address 10.1.1.1 255.255.255.255
!
crypto ipsec transform-set CRYPTO_TRANSFORM_inet esp-3des esp-sha-hmac
!
crypto map CRYPTO_MAP_inet 15 ipsec-isakmp
 set peer 10.1.1.1
 set security-association lifetime seconds 14400
 set transform-set CRYPTO_TRANSFORM_inet
 set isakmp-profile CRYPTO_PROFILE_inet
 match address inet-VPN-OUT.acl
crypto map CRYPTO_MAP_inet 20 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set CRYPTO_TRANSFORM_inet
 set isakmp-profile CRYPTO_PROFILE_GLOBAL
 match address GLOBAL_VPN
!
interface Loopback10
 ip vrf forwarding inet
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback11
 ip address 192.168.2.1 255.255.255.255
!
! the interface is part of the global routing table, so there's no fvrf needed.
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.252
 duplex auto
 speed auto
 crypto map CRYPTO_MAP_inet
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route vrf inet 0.0.0.0 0.0.0.0 10.1.1.1 global
!
no ip http server
no ip http secure-server
!
ip access-list extended GLOBAL_VPN
 permit ip host 192.168.2.1 host 192.168.1.1
ip access-list extended inet-VPN-OUT.acl
 permit ip host 2.2.2.2 host 1.1.1.1
!
end

R2#sh run
version 12.4
hostname R2
ip cef
ip vrf inet
!
crypto keyring CRYPTO_KEYRING_inet
  pre-shared-key address 10.1.1.2 key ABCD
  pre-shared-key hostname global.com key cisco
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile CRYPTO_PROFILE_inet
   vrf inet
   keyring CRYPTO_KEYRING_inet
   match identity address 10.1.1.2 255.255.255.255
crypto isakmp profile CRYPTO_PROFILE_GLOBAL
   keyring CRYPTO_KEYRING_inet
   match identity address 10.1.1.2 255.255.255.255
!
crypto ipsec transform-set CRYPTO_TRANSFORM_inet esp-3des esp-sha-hmac
!
crypto map CRYPTO_MAP_inet 15 ipsec-isakmp
 set peer 10.1.1.2
 set security-association lifetime seconds 14400
 set transform-set CRYPTO_TRANSFORM_inet
 set isakmp-profile CRYPTO_PROFILE_inet
 match address inet-VPN-OUT.acl
crypto map CRYPTO_MAP_inet 20 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set CRYPTO_TRANSFORM_inet
 set isakmp-profile CRYPTO_PROFILE_GLOBAL
 match address GLOBAL_VPN
!
interface Loopback10
 ip vrf forwarding inet
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback11
 ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.252
 duplex auto
 speed auto
 crypto map CRYPTO_MAP_inet
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip route vrf inet 0.0.0.0 0.0.0.0 10.1.1.2 global
!
ip access-list extended GLOBAL_VPN
 permit ip host 192.168.1.1 host 192.168.2.1
ip access-list extended inet-VPN-OUT.acl
 permit ip host 1.1.1.1 host 2.2.2.2
!
end

R2#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1        10.1.1.2        QM_IDLE           1005    0 ACTIVE CRYPTO_PROFILE_GLOBAL
10.1.1.1        10.1.1.2        QM_IDLE           1004    0 ACTIVE CRYPTO_PROFILE_inet

R2#sh crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: FastEthernet0/0
Profile: CRYPTO_PROFILE_inet
Uptime: 00:55:20
Session status: UP-ACTIVE
Peer: 10.1.1.2 port 500 fvrf: (none) ivrf: inet
      Phase1_id: 10.1.1.2
      Desc: (none)
  IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active
          Capabilities:(none) connid:1004 lifetime:23:04:38
  IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.2
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 19 drop 0 life (KB/Sec) 4469103/11079
        Outbound: #pkts enc'ed 19 drop 0 life (KB/Sec) 4469103/11079

Interface: FastEthernet0/0
Profile: CRYPTO_PROFILE_GLOBAL
Uptime: 00:55:20
Session status: UP-ACTIVE
Peer: 10.1.1.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.1.2
      Desc: (none)
  IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active
          Capabilities:(none) connid:1005 lifetime:23:45:01
  IPSEC FLOW: permit ip host 192.168.1.1 host 192.168.2.1
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 14 drop 0 life (KB/Sec) 4478471/2701
        Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec)

Thanks a lot, Andrew, for your reply. But you said the interface Fa0/0 does not need to be in the VRF; in my setup it has to be in the VRF, because the real interface for the network breaks out to the internet in a VRF, so I cannot remove the VRF from the actual interface. Can that be overcome somehow?

Thanks again for looking at the setup.

One thing that comes to my mind is to create a VTI tunnel between the peers for transiting non-VRF traffic. So the tunnel interface itself will be a part of the default routing table.

interface Tunnel200
 ip address x.x.x.x
 tunnel source fa0/1.100
 tunnel destination 10.1.1.2
 tunnel mode ipsec ipv4
 tunnel vrf inet
 tunnel protection ipsec profile PROFILENAME

There's a command that could be added to set the tunnel interface into a specific VRF:
 ip vrf forwarding some-vrf
which doesn't allow explicitly putting the tunnel interface into the global table, but probably, without this line, the interface will belong to the default RT.

I never did so, so I can't be 100% sure it'll work.

I tried to create a Tunnel as follows, but the Tunnel stays up/down:

RTR A

!
interface Tunnel11
 ip address 172.168.1.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
!
ip route 0.0.0.0 0.0.0.0 172.168.1.2

RTR B

!
interface Tunnel11
 ip address 172.168.1.2 255.255.255.252
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
!
ip route 0.0.0.0 0.0.0.0 172.168.1.1

Hello Kaushik,

Add these commands:

RTR A

interface Tunnel11
 tunnel vrf inet

RTR B

interface Tunnel11
 tunnel vrf inet

Best Regards

Please rate all helpful posts and close solved questions

It worked, thanks a lot!!!!

RTR-A#ping 192.168.2.1 so lo11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
RTR-A#
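As an added example (not code from anyone in this thread), a small Python check that catches the exact failure Kaushik hit: a Tunnel interface whose source address is owned by an interface in a VRF, but which lacks the matching "tunnel vrf" (front-door VRF) line that Peter's fix adds. The sample configs are constructed from Router A's posted lines; parse_interfaces and tunnel_fvrf_mismatches are assumed names, and it treats a missing "ip vrf forwarding" as the global table.

```python
import re
# Constructed sample (not posted in the thread verbatim): Router A's Tunnel11 as
# first tried, with its source 1.1.1.1 living on Loopback10 inside VRF "inet".
BROKEN_CFG = """
interface Loopback10
 ip vrf forwarding inet
 ip address 1.1.1.1 255.255.255.255
interface Tunnel11
 ip address 172.168.1.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
"""
# Peter's fix: make the tunnel resolve its endpoints in the front-door VRF.
FIXED_CFG = BROKEN_CFG + " tunnel vrf inet\n"

def parse_interfaces(cfg):
    # {name: {"vrf", "ip", "tunnel_source", "tunnel_vrf"}}; no "vrf" key = global
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command starts a new block
            m = re.match(r"interface (\S+)", line)
            cur = ifaces.setdefault(m.group(1), {}) if m else None
            continue
        if cur is None:
            continue
        w = line.split()
        if w[:3] == ["ip", "vrf", "forwarding"]:
            cur["vrf"] = w[3]
        elif w[:2] == ["ip", "address"]:
            cur["ip"] = w[2]
        elif w[:2] in (["tunnel", "source"], ["tunnel", "vrf"]):
            cur["tunnel_" + w[1]] = w[2]
    return ifaces

def tunnel_fvrf_mismatches(cfg):
    # [(tunnel, vrf owning the source, configured "tunnel vrf")] wherever they differ
    ifaces = parse_interfaces(cfg)
    by_ip = {d["ip"]: n for n, d in ifaces.items() if "ip" in d}
    bad = []
    for name, d in ifaces.items():
        src = d.get("tunnel_source")
        if not name.startswith("Tunnel") or src is None:
            continue
        src_if = src if src in ifaces else by_ip.get(src)  # IP or interface name
        expected = ifaces[src_if].get("vrf") if src_if else None
        if expected != d.get("tunnel_vrf"):
            bad.append((name, expected, d.get("tunnel_vrf")))
    return bad
```

Run against the broken config it reports Tunnel11 with expected FVRF "inet" and none configured; against the fixed config it reports nothing.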