cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1922
Views
3
Helpful
7
Replies

Static IPsec tunnel between two cisco routers [VRF aware]

blau grana
Level 7
Level 7

Hi All,

I am trying to configure static IPsec tunnel between two routers. Router R1 has only global routing table [no VRF].

Router R2 has two routing tables:

* vrf INET - used for internet connectivity

* global routing table - used for VPN routes

 

Here are basic configs:

R1

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTEC
 set transform-set TRSET_AES-256_SHA
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 ip address 192.168.255.34 255.255.255.252
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 203.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
interface FastEthernet0/0
 ip address 102.0.0.1 255.255.255.0

!

ip route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2

#######################################################

R2

ip vrf INET
 rd 1:1
!
crypto keyring test vrf INET
  pre-shared-key address 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile test
   keyring test
   match identity address 102.0.0.1 255.255.255.255
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTEC
 set transform-set TRSET_AES-256_SHA
 set isakmp-profile test
!
interface Loopback0
 ip address 10.0.2.2 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 ip address 192.168.255.33 255.255.255.252
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 102.0.0.1
 tunnel mode ipsec ipv4
 tunnel vrf INET
 tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
interface FastEthernet0/0
 ip vrf forwarding INET
 ip address 203.0.0.3 255.255.255.0

!

ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

#######################################################

There is one router between R1 and R2, it is used only for connectivity:

interface FastEthernet0/0
 ip address 102.0.0.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 203.0.0.2 255.255.255.0

 

The problem that tunnel is not comming UP, I can not pass through phase I.

IPsec VPNs are not my strength. So if someone could show me what mistake am I doing, I would really appreciate that.

I attached ouptup of #debug crypto isakmp from R2

Best Regards Please rate all helpful posts and close solved questions
1 Accepted Solution

Accepted Solutions

As tunnel0 source and destination is belong to VRF INET, the static route need to be updated.

ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

crypto isakmp profile test

   vrf INET

   keyring test
   match identity address 102.0.0.1 255.255.255.255

View solution in original post

7 Replies 7

Jan Rolny
Level 3
Level 3

Hi,

ragarding your configuration I don't see part of crypto map configuration. Also i don't see crypto map applied on interface and you have probably access-list missing which specifies traffic whic should go through tunnel.

 

Please check this nice tutorial how-to configura IPSEC tunnel between two routers.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

Regards,

Jan

This is SVTI (Static Virtual Template Interface) protected by IPsec in transport mode and no need to configure crypto-map and traffic selector.

David_Che
Level 1
Level 1

I encounter this issue in my lab, This issue was caused by VRF related mis-configuration.

interface Tunnel0

 ip vrf forwarding INET
 ip address 192.168.255.33 255.255.255.252
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 102.0.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC

!
ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

if those configuration does not work, please check isakmp vrf related configuration.

Hi David,

Thanks for replay but I need interface Tunnel0 to be in global routing table. Source and Destination endpoints of tunnel are in vrf INET.

Best Regards Please rate all helpful posts and close solved questions

As tunnel0 source and destination is belong to VRF INET, the static route need to be updated.

ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

crypto isakmp profile test

   vrf INET

   keyring test
   match identity address 102.0.0.1 255.255.255.255

You are right David, I missed static route in VRF INET.

And vrf INET under isakmp profile solved the issue with ipsec.

Thanks a lot for help!

 

Best Regards Please rate all helpful posts and close solved questions

It is my pleasure and honor to know the solution can help.

Regards,

David