Static IPsec tunnel between two cisco routers [VRF aware]

blau grana
Level 7

Hi All,

I am trying to configure static IPsec tunnel between two routers. Router R1 has only global routing table [no VRF].

Router R2 has two routing tables:

* vrf INET - used for internet connectivity

* global routing table - used for VPN routes

 

Here are basic configs:

R1

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTEC
 set transform-set TRSET_AES-256_SHA
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 ip address 192.168.255.34 255.255.255.252
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 203.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
interface FastEthernet0/0
 ip address 102.0.0.1 255.255.255.0

!

ip route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2

#######################################################

R2

ip vrf INET
 rd 1:1
!
crypto keyring test vrf INET
  pre-shared-key address 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile test
   keyring test
   match identity address 102.0.0.1 255.255.255.255
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTEC
 set transform-set TRSET_AES-256_SHA
 set isakmp-profile test
!
interface Loopback0
 ip address 10.0.2.2 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 ip address 192.168.255.33 255.255.255.252
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 102.0.0.1
 tunnel mode ipsec ipv4
 tunnel vrf INET
 tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
interface FastEthernet0/0
 ip vrf forwarding INET
 ip address 203.0.0.3 255.255.255.0

!

ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

#######################################################

There is one router between R1 and R2, it is used only for connectivity:

interface FastEthernet0/0
 ip address 102.0.0.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 203.0.0.2 255.255.255.0

 

The problem is that the tunnel is not coming up; I cannot get through phase I.

IPsec VPNs are not my strength. So if someone could show me what mistake I am making, I would really appreciate that.

I attached the output of #debug crypto isakmp from R2.

Best Regards Please rate all helpful posts and close solved questions
Accepted Solutions

As the tunnel0 source and destination belong to VRF INET, the static route needs to be updated.

ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

crypto isakmp profile test
   vrf INET
   keyring test
   match identity address 102.0.0.1 255.255.255.255

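The routing mismatch from this thread can be caught offline before a config is deployed. The following is an added example, not code from either poster or from Cisco: a small Python check that reads an IOS config, finds each tunnel's `tunnel vrf` (its front-door VRF), and confirms that the source interface and a static route to the tunnel destination are in that same table. The function names are hypothetical, and the check assumes reachability comes from static routes only.

```python
import ipaddress

def parse_ios(config):
    """Map each top-level line to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
        elif current:
            blocks[current].append(line.strip())
    return blocks

def arg(cmds, prefix):
    """Argument of the first sub-command starting with prefix, else None."""
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix + " ")), None)

def routed(blocks, vrf, dst):
    """True if a static route in table vrf (None = global) covers dst."""
    for w in (head.split() for head in blocks):
        if w[:2] != ["ip", "route"]:
            continue
        table, rest = (w[3], w[4:]) if w[2] == "vrf" else (None, w[2:])
        net = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)
        if table == vrf and ipaddress.ip_address(dst) in net:
            return True
    return False

def check_fvrf(config):
    """Findings where a tunnel's front-door VRF and its underlay disagree."""
    blocks, out = parse_ios(config), []
    for head, cmds in blocks.items():
        if not head.startswith("interface Tunnel"):
            continue
        fvrf, src, dst = (arg(cmds, "tunnel " + k) for k in ("vrf", "source", "destination"))
        src_vrf = arg(blocks.get(f"interface {src}", []), "ip vrf forwarding")
        if src_vrf != fvrf:
            out.append(f"source {src} in VRF {src_vrf}, tunnel vrf {fvrf}")
        if not routed(blocks, fvrf, dst):  # statics only: connected/dynamic routes are not modelled
            out.append(f"no static route to {dst} in table {fvrf or 'global'}")
    return out

# Constructed sample: the R2 lines from the question that this check reads.
R2 = ("interface Tunnel0\n tunnel source FastEthernet0/0\n tunnel destination 102.0.0.1\n"
      " tunnel vrf INET\ninterface FastEthernet0/0\n ip vrf forwarding INET\n"
      "ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2\n")
FIXED = R2.replace("ip route 102", "ip route vrf INET 102")  # the accepted answer's route
```

`check_fvrf(R2)` reports the missing route in table INET, and `check_fvrf(FIXED)` returns an empty list.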