04-24-2013 02:18 AM - edited 02-21-2020 06:50 PM
Hello All
I would be extremely grateful to have your advice on the following.
I have already setup an IPSec tunnel which had to be VRF-aware because of how the setup is to break out to the ISP provider. However, the traffic I need to route over this tunnel includes some IP addresses which are in the Global Routing Table and hence I cannot put them into a VRF.
I am new to VPN and would be thankful if someone can advise me of some document I can refer to for this - or any insight as to how this can be approached.
Any help will be much appreciated.
I look forward to your response.
Many Thanks
04-24-2013 08:21 AM
Can anybody advise me on this please?
04-24-2013 09:04 AM
Hello Kaushik,
Can you provide little bit more details?
- configuration of IPsec tunnels
- what protocol do you use to route traffic
- how many routes you need to route across IPsec tunnel
Best Regards
Please rate all helpful posts and close solved questions
04-24-2013 09:33 AM
Thank you for your reply. My current configuration is as follows:
I have temporarily connected the two routers back to back and am using Loopbacks to simulate LANs for testing purposes:
I need to only transfer this LAN on IP address across for management.
The configs I have created are as follows:
Router A
!
interface Loopback10
ip vrf forwarding inet
ip address 1.1.1.1 255.255.255.255
!
!
interface Loopback11
ip address 192.168.1.1 255.255.255.255
!
!
crypto keyring CRYPTO_KEYRING_inet vrf inet
pre-shared-key address 10.1.1.2 key ABCD
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
crypto isakmp profile CRYPTO_PROFILE_inet
vrf inet
keyring CRYPTO_KEYRING_inet
match identity address 10.1.1.2 255.255.255.255 inet
!
!
crypto ipsec transform-set CRYPTO_TRANSFORM_inet esp-3des esp-sha-hmac
!
crypto map CRYPTO_MAP_inet 15 ipsec-isakmp
set peer 10.1.1.2
set security-association lifetime seconds 14400
set transform-set CRYPTO_TRANSFORM_inet
set isakmp-profile CRYPTO_PROFILE_inet
match address inet-VPN-OUT.acl
!
!
interface Loopback10
ip vrf forwarding inet
ip address 1.1.1.1 255.255.255.255
!
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip vrf forwarding inet
ip address 10.1.1.1 255.255.255.252
crypto map CRYPTO_MAP_inet
!
ip route vrf inet 0.0.0.0 0.0.0.0 10.1.1.2
!
ip access-list extended inet-VPN-OUT.acl
permit ip host 1.1.1.1 host 2.2.2.2
!
RTR-A#ping vrf inet 2.2.2.2 so lo10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
RTR-A# sh cry session
Crypto session current status
Interface: FastEthernet0/0.100
Profile: CRYPTO_PROFILE_inet
Session status: UP-ACTIVE
Peer: 10.1.1.2 port 500
IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active
IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.2
Active SAs: 2, origin: crypto map
RTR-A#
RTR B
crypto keyring CRYPTO_KEYRING_inet vrf inet
pre-shared-key address 10.1.1.1 key ABCD
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
crypto isakmp profile CRYPTO_PROFILE_inet
vrf inet
keyring CRYPTO_KEYRING_inet
match identity address 10.1.1.1 255.255.255.255 inet
crypto ipsec transform-set CRYPTO_TRANSFORM_inet esp-3des esp-sha-hmac
crypto map CRYPTO_MAP_inet 15 ipsec-isakmp
set peer 10.1.1.1
set security-association lifetime seconds 14400
set transform-set CRYPTO_TRANSFORM_inet
set isakmp-profile CRYPTO_PROFILE_inet
match address inet-VPN-OUT.acl
!
!
interface Loopback10
ip vrf forwarding inet
ip address 2.2.2.2 255.255.255.255
!
!
interface Loopback11
ip address 192.168.2.1 255.255.255.255
!
!
interface FastEthernet0/1.100
encapsulation dot1Q 100
ip vrf forwarding inet
ip address 10.1.1.2 255.255.255.252
crypto map CRYPTO_MAP_inet
!
ip route vrf inet 0.0.0.0 0.0.0.0 10.1.1.1
ip access-list extended inet-VPN-OUT.acl
permit ip host 2.2.2.2 host 1.1.1.1
!
I need to find a way to create a tunnel which will allow lo11s at the two ends to be able to ping each other.
04-24-2013 12:06 PM
I don't know if this is exactly what you need, but below is how I made it work in GNS. Basically what I did is just make another tunnel between peers for non-VRF traffic, i.e.:
1. Put outside interface in the global routing table
2. Created another ISAKMP profile, so the traffic between subnets which are not part of any VRF (your Loopback 11) will match it and be forwarded using the global routing table
3. Added the corresponding crypto-map sequence and proxy ACL.
4. Added some routes.
Here's the config (unrelated strings omitted):
R1#sh run
Building configuration...
!
version 12.4
hostname R1
!
ip cef
!
ip vrf inet
!
crypto keyring CRYPTO_KEYRING_inet
pre-shared-key address 10.1.1.1 key ABCD
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
crypto isakmp profile CRYPTO_PROFILE_inet
vrf inet
keyring CRYPTO_KEYRING_inet
match identity address 10.1.1.1 255.255.255.255
crypto isakmp profile CRYPTO_PROFILE_GLOBAL
keyring CRYPTO_KEYRING_inet
match identity address 10.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set CRYPTO_TRANSFORM_inet esp-3des esp-sha-hmac
!
!
crypto map CRYPTO_MAP_inet 15 ipsec-isakmp
set peer 10.1.1.1
set security-association lifetime seconds 14400
set transform-set CRYPTO_TRANSFORM_inet
set isakmp-profile CRYPTO_PROFILE_inet
match address inet-VPN-OUT.acl
crypto map CRYPTO_MAP_inet 20 ipsec-isakmp
set peer 10.1.1.1
set transform-set CRYPTO_TRANSFORM_inet
set isakmp-profile CRYPTO_PROFILE_GLOBAL
match address GLOBAL_VPN
!
!
interface Loopback10
ip vrf forwarding inet
ip address 2.2.2.2 255.255.255.255
!
interface Loopback11
ip address 192.168.2.1 255.255.255.255
!
! the interface is part of the global routing table, so there's no fvrf needed
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.252
duplex auto
speed auto
crypto map CRYPTO_MAP_inet
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route vrf inet 0.0.0.0 0.0.0.0 10.1.1.1 global
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GLOBAL_VPN
permit ip host 192.168.2.1 host 192.168.1.1
ip access-list extended inet-VPN-OUT.acl
permit ip host 2.2.2.2 host 1.1.1.1
!
!
end
R2#sh run
version 12.4
hostname R2
ip cef
ip vrf inet
!
crypto keyring CRYPTO_KEYRING_inet
pre-shared-key address 10.1.1.2 key ABCD
pre-shared-key hostname global.com key cisco
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
crypto isakmp profile CRYPTO_PROFILE_inet
vrf inet
keyring CRYPTO_KEYRING_inet
match identity address 10.1.1.2 255.255.255.255
crypto isakmp profile CRYPTO_PROFILE_GLOBAL
keyring CRYPTO_KEYRING_inet
match identity address 10.1.1.2 255.255.255.255
!
!
crypto ipsec transform-set CRYPTO_TRANSFORM_inet esp-3des esp-sha-hmac
!
crypto map CRYPTO_MAP_inet 15 ipsec-isakmp
set peer 10.1.1.2
set security-association lifetime seconds 14400
set transform-set CRYPTO_TRANSFORM_inet
set isakmp-profile CRYPTO_PROFILE_inet
match address inet-VPN-OUT.acl
crypto map CRYPTO_MAP_inet 20 ipsec-isakmp
set peer 10.1.1.2
set transform-set CRYPTO_TRANSFORM_inet
set isakmp-profile CRYPTO_PROFILE_GLOBAL
match address GLOBAL_VPN
!
!
interface Loopback10
ip vrf forwarding inet
ip address 1.1.1.1 255.255.255.255
!
interface Loopback11
ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.252
duplex auto
speed auto
crypto map CRYPTO_MAP_inet
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip route vrf inet 0.0.0.0 0.0.0.0 10.1.1.2 global
!
!
ip access-list extended GLOBAL_VPN
permit ip host 192.168.1.1 host 192.168.2.1
ip access-list extended inet-VPN-OUT.acl
permit ip host 1.1.1.1 host 2.2.2.2
!
!
end
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst         src         state     conn-id  slot  status
10.1.1.1    10.1.1.2    QM_IDLE   1005     0     ACTIVE  CRYPTO_PROFILE_GLOBAL
10.1.1.1    10.1.1.2    QM_IDLE   1004     0     ACTIVE  CRYPTO_PROFILE_inet
R2#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation
Interface: FastEthernet0/0
Profile: CRYPTO_PROFILE_inet
Uptime: 00:55:20
Session status: UP-ACTIVE
Peer: 10.1.1.2 port 500 fvrf: (none) ivrf: inet
Phase1_id: 10.1.1.2
Desc: (none)
IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active
Capabilities:(none) connid:1004 lifetime:23:04:38
IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 19 drop 0 life (KB/Sec) 4469103/11079
Outbound: #pkts enc'ed 19 drop 0 life (KB/Sec) 4469103/11079
Interface: FastEthernet0/0
Profile: CRYPTO_PROFILE_GLOBAL
Uptime: 00:55:20
Session status: UP-ACTIVE
Peer: 10.1.1.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.1.1.2
Desc: (none)
IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active
Capabilities:(none) connid:1005 lifetime:23:45:01
IPSEC FLOW: permit ip host 192.168.1.1 host 192.168.2.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 14 drop 0 life (KB/Sec) 4478471/2701
Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec)
04-24-2013 12:12 PM
Thanks a lot Andrew for your reply, but the interface fa 0/0 you said does not need to be in the VRF; in my setup it has to be in the VRF because the real interface for the network breaks out to the internet in a VRF, so I cannot remove the VRF from the actual interface. Can that be overcome somehow?
Thanks again for looking at the setup.
04-24-2013 12:47 PM
One thing that comes to my mind is to create a VTI tunnel between peers for transiting non-VRF traffic. So the tunnel interface itself will be a part of the default routing table.
interface Tunnel200
ip address x.x.x.x
tunnel source fa0/1.100
tunnel destination 10.1.1.2
tunnel mode ipsec ipv4
tunnel vrf inet
tunnel protection ipsec profile PROFILENAME
There's a command that could be added to set the tunnel interface into a specific VRF:
ip vrf forwarding some-vrf
which doesn't allow explicitly putting the tunnel interface into the global table, but probably
without this string the interface will belong to the default RT.
I never did so, so I can't be 100% sure it'll work.
04-25-2013 02:32 AM
I tried to create a Tunnel as follows but the Tunnel stays up/down:
RTR A
!
interface Tunnel11
ip address 172.168.1.1 255.255.255.252
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
!
ip route 0.0.0.0 0.0.0.0 172.168.1.2
RTR B
!
interface Tunnel11
ip address 172.168.1.2 255.255.255.252
tunnel source 2.2.2.2
tunnel destination 1.1.1.1
!
ip route 0.0.0.0 0.0.0.0 172.168.1.1
04-25-2013 02:42 AM
Hello Kaushik,
Add these commands:
RTR A
interface Tunnel11
 tunnel vrf inet
RTR B
interface Tunnel11
 tunnel vrf inet
Best Regards
Please rate all helpful posts and close solved questions
04-25-2013 03:03 AM
It worked, thanks a lot!!!!
RTR-A#ping 192.168.2.1 so lo11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
RTR-A#
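Putting the accepted answer together with the original VRF-aware crypto map, here is an added example (not a configuration posted in the thread) of the complete Router A side and how to confirm the global traffic is actually encrypted. It assumes Router B mirrors it with the addresses swapped, and it uses a host route for 192.168.2.1 where the thread used a default route, so only the intended global prefix is pushed into the tunnel.

```cisco
! Router A. The VRF-aware crypto map from the thread stays applied to
! FastEthernet0/0.100 (fvrf inet) and its proxy ACL still reads
!   permit ip host 1.1.1.1 host 2.2.2.2
! "permit ip" also matches GRE (protocol 47), so the outer GRE packets
! between the two VRF loopbacks are what the crypto map encrypts.
!
! GRE endpoints live in VRF inet, so they are reachable via the ISP path.
interface Loopback10
 ip vrf forwarding inet
 ip address 1.1.1.1 255.255.255.255
!
! Global-table LAN that must be reached through the tunnel.
interface Loopback11
 ip address 192.168.1.1 255.255.255.255
!
! No "ip vrf forwarding" here: the tunnel interface itself, and anything
! routed into it, belongs to the global routing table. Default tunnel mode
! is GRE/IP. "tunnel vrf inet" makes IOS resolve the destination in VRF
! inet; without it the lookup happens in the global table, the destination
! is unreachable there, and the tunnel stays up/down.
interface Tunnel11
 ip address 172.168.1.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel vrf inet
!
! Global route into the tunnel (assumption: host route instead of the
! thread's 0.0.0.0/0 so unrelated global traffic is not sent into it).
ip route 192.168.2.1 255.255.255.255 172.168.1.2
!
! VRF inet still needs a path to the IPsec peer for the encrypted GRE.
ip route vrf inet 0.0.0.0 0.0.0.0 10.1.1.2
!
! Verification: ping the far Loopback11 from the global table ...
!   RTR-A#ping 192.168.2.1 source Loopback11
! ... then confirm the packets left encrypted. The flow for the GRE
! endpoints must show the "enc'ed" counter rising by the ping count:
!   RTR-A#show crypto session detail
!   IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.2
!     Outbound: #pkts enc'ed <increasing> drop 0 ...
! If the proxy ACL were narrowed (for example to "permit icmp"), the
! GRE would still be forwarded by the VRF default route but in clear
! text, and the counter would not move; that is the check to keep.
```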