Solved: This issue was caused by VRF

blau grana · ‎05-13-2014

Hi All,

I am trying to configure static IPsec tunnel between two routers. Router R1 has only global routing table [no VRF].

Router R2 has two routing tables:

* vrf INET - used for internet connectivity

* global routing table - used for VPN routes

Here are basic configs:

R1

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTEC
set transform-set TRSET_AES-256_SHA
!
interface Loopback0
ip address 10.0.1.1 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel0
ip address 192.168.255.34 255.255.255.252
ip ospf 1 area 0
tunnel source FastEthernet0/0
tunnel destination 203.0.0.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
interface FastEthernet0/0
ip address 102.0.0.1 255.255.255.0

!

ip route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2

#######################################################

R2

ip vrf INET
rd 1:1
!
crypto keyring test vrf INET
pre-shared-key address 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile test
keyring test
match identity address 102.0.0.1 255.255.255.255
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTEC
set transform-set TRSET_AES-256_SHA
set isakmp-profile test
!
interface Loopback0
ip address 10.0.2.2 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel0
ip address 192.168.255.33 255.255.255.252
ip ospf 1 area 0
tunnel source FastEthernet0/0
tunnel destination 102.0.0.1
tunnel mode ipsec ipv4
tunnel vrf INET
tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
interface FastEthernet0/0
ip vrf forwarding INET
ip address 203.0.0.3 255.255.255.0

!

ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

#######################################################

There is one router between R1 and R2, it is used only for connectivity:

interface FastEthernet0/0
ip address 102.0.0.2 255.255.255.0
!
interface FastEthernet0/1
ip address 203.0.0.2 255.255.255.0

The problem that tunnel is not comming UP, I can not pass through phase I.

IPsec VPNs are not my strength. So if someone could show me what mistake am I doing, I would really appreciate that.

I attached ouptup of #debug crypto isakmp from R2

Best Regards Please rate all helpful posts and close solved questions

David_Che · ‎05-13-2014

As tunnel0 source and destination is belong to VRF INET, the static route need to be updated.

ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

crypto isakmp profile test

vrf INET

keyring test
match identity address 102.0.0.1 255.255.255.255

View solution in original post

Jan Rolny · ‎05-13-2014

Hi,

ragarding your configuration I don't see part of crypto map configuration. Also i don't see crypto map applied on interface and you have probably access-list missing which specifies traffic whic should go through tunnel.

Please check this nice tutorial how-to configura IPSEC tunnel between two routers.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

Regards,

Jan

David_Che · ‎05-13-2014

This is SVTI (Static Virtual Template Interface) protected by IPsec in transport mode and no need to configure crypto-map and traffic selector.

David_Che · ‎05-13-2014

I encounter this issue in my lab, This issue was caused by VRF related mis-configuration.

interface Tunnel0

ip vrf forwarding INET
ip address 192.168.255.33 255.255.255.252
ip ospf 1 area 0
tunnel source FastEthernet0/0
tunnel destination 102.0.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC

!
ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

if those configuration does not work, please check isakmp vrf related configuration.

blau grana · ‎05-13-2014

Hi David,

Thanks for replay but I need interface Tunnel0 to be in global routing table. Source and Destination endpoints of tunnel are in vrf INET.

Best Regards Please rate all helpful posts and close solved questions

David_Che · ‎05-13-2014

As tunnel0 source and destination is belong to VRF INET, the static route need to be updated.

ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

crypto isakmp profile test

vrf INET

keyring test
match identity address 102.0.0.1 255.255.255.255

blau grana · ‎05-13-2014

You are right David, I missed static route in VRF INET.

And vrf INET under isakmp profile solved the issue with ipsec.

Thanks a lot for help!

Best Regards Please rate all helpful posts and close solved questions

David_Che · ‎05-13-2014

It is my pleasure and honor to know the solution can help.

Regards,

David

Static IPsec tunnel between two cisco routers [VRF aware]