05-13-2014 02:07 AM - edited 02-21-2020 07:38 PM
Hi All,
I am trying to configure static IPsec tunnel between two routers. Router R1 has only global routing table [no VRF].
Router R2 has two routing tables:
* vrf INET - used for internet connectivity
* global routing table - used for VPN routes
Here are basic configs:
R1
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTEC
set transform-set TRSET_AES-256_SHA
!
interface Loopback0
ip address 10.0.1.1 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel0
ip address 192.168.255.34 255.255.255.252
ip ospf 1 area 0
tunnel source FastEthernet0/0
tunnel destination 203.0.0.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
interface FastEthernet0/0
ip address 102.0.0.1 255.255.255.0
!
ip route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2
#######################################################
R2
ip vrf INET
rd 1:1
!
crypto keyring test vrf INET
pre-shared-key address 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile test
keyring test
match identity address 102.0.0.1 255.255.255.255
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTEC
set transform-set TRSET_AES-256_SHA
set isakmp-profile test
!
interface Loopback0
ip address 10.0.2.2 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel0
ip address 192.168.255.33 255.255.255.252
ip ospf 1 area 0
tunnel source FastEthernet0/0
tunnel destination 102.0.0.1
tunnel mode ipsec ipv4
tunnel vrf INET
tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
interface FastEthernet0/0
ip vrf forwarding INET
ip address 203.0.0.3 255.255.255.0
!
ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
#######################################################
There is one router between R1 and R2; it is used only for connectivity:
interface FastEthernet0/0
ip address 102.0.0.2 255.255.255.0
!
interface FastEthernet0/1
ip address 203.0.0.2 255.255.255.0
The problem is that the tunnel is not coming UP; I cannot pass through phase I.
IPsec VPNs are not my strength, so if someone could show me what mistake I am making, I would really appreciate that.
I attached the output of #debug crypto isakmp from R2.
05-13-2014 05:14 AM
As the Tunnel0 source and destination belong to VRF INET, the static route needs to be updated.
ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
crypto isakmp profile test
vrf INET
keyring test
match identity address 102.0.0.1 255.255.255.255
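A small consistency check for the mistake discussed in this thread, added here as an example (it is not from the thread or from Cisco): it parses the relevant lines of R2's config and reports a tunnel whose destination has no route inside the tunnel's FVRF, or an FVRF with no crypto keyring bound to it. The config excerpt is constructed from the thread, and only static routes are modelled.

```python
import ipaddress

# Constructed excerpt of R2 from the thread (broken state: route in the global table, tunnel FVRF INET).
R2_BEFORE = """\
crypto keyring test vrf INET
interface Tunnel0
 tunnel destination 102.0.0.1
 tunnel vrf INET
interface FastEthernet0/0
 ip vrf forwarding INET
 ip address 203.0.0.3 255.255.255.0
ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
"""
# The same excerpt with the accepted answer's route fix applied.
R2_AFTER = R2_BEFORE.replace("ip route ", "ip route vrf INET ")

def parse(config):
    """Collect tunnel FVRF and destination, keyring VRF bindings, and static routes per VRF."""
    tunnels, keyrings, routes, cur = {}, {}, {}, None
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if not line.startswith(" "):           # a top-level command ends any interface block
            cur = None
        if words[0] == "interface":
            cur = words[1]
            tunnels[cur] = {"fvrf": "global", "dest": None}
        elif words[:2] == ["crypto", "keyring"]:
            keyrings[words[2]] = words[4] if words[3:4] == ["vrf"] else "global"
        elif words[:2] == ["ip", "route"]:     # only static routes are modelled here
            vrf, rest = ("global", words[2:]) if words[2] != "vrf" else (words[3], words[4:])
            routes.setdefault(vrf, []).append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
        elif cur and words[:2] == ["tunnel", "destination"]:
            tunnels[cur]["dest"] = ipaddress.ip_address(words[2])
        elif cur and words[:2] == ["tunnel", "vrf"]:
            tunnels[cur]["fvrf"] = words[2]
    return tunnels, keyrings, routes

def check(config):
    """One finding per tunnel whose destination has no route in its FVRF, or whose FVRF
    has no keyring bound to it (ISAKMP would find no pre-shared key for the peer there)."""
    tunnels, keyrings, routes = parse(config)
    findings = []
    for name, t in tunnels.items():
        if t["dest"] is None:                  # not a tunnel interface
            continue
        if not any(t["dest"] in net for net in routes.get(t["fvrf"], [])):
            findings.append(f"{name}: no route to {t['dest']} in VRF {t['fvrf']}")
        if t["fvrf"] not in keyrings.values():
            findings.append(f"{name}: no crypto keyring bound to VRF {t['fvrf']}")
    return findings
```

Run `check(R2_BEFORE)` to see the global-table route flagged, and `check(R2_AFTER)` to confirm the VRF-scoped route clears the finding.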