Trouble with VRF-Aware IPSEC tunnels

jbartoldus
Level 1

Trying to migrate to VRF Aware IPSEC tunnels from single global instance.  Desire is to keep the mgmt interface on the Main Site and put the inside and outside interfaces into a single VRF instance to separate mgmt traffic.  For example, traffic from remote site to 10.1.1.2 we want to follow Inside interface, but traffic to 10.1.1.2 originating from the main site router should go out the mgmt interface.  See existing config (that works) and new VRF aware config, where I can't seem to get IPSEC tunnel to establish.  Any idea what is missing?

Remote site config (current and stays the same after main site changes)...

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key akey1 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set TRANSSET esp-aes esp-sha-hmac
!
crypto map OLDMAP local-address GigabitEthernet0/1
crypto map OLDMAP 10 ipsec-isakmp
 set peer 10.10.10.6 default
 set transform-set TRANSSET
 match address LOCAL_NETS
!
interface Loopback0
 ip address 10.255.10.10 255.255.255.255
 no ip redirects
!
interface GigabitEthernet0/0
 description ** Local Data VLAN **
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description ** Outside Connection **
 ip address 10.10.10.5 255.255.255.252
 crypto map OLDMAP
!
ip route 0.0.0.0 0.0.0.0 10.10.10.6 name To_VPN
!
ip access-list extended LOCAL_NETS
 permit ip host 10.255.10.10 any
 permit ip 192.168.1.0 0.0.0.255 any

Main site EXISTING config (single global instance - NO VRFs)...

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key akey1 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 15 periodic
crypto isakmp aggressive-mode disable
crypto isakmp xauth timeout 90
!
crypto ipsec transform-set TRANSSET esp-aes esp-sha-hmac
!
crypto dynamic-map DYNAMAP 1
 set transform-set TRANSSET
!
crypto map MAINMAP local-address GigabitEthernet0/0
crypto map MAINMAP 1 ipsec-isakmp dynamic DYNAMAP
!
interface Loopback0
 ip address 10.128.255.31 255.255.255.255
 no ip redirects
!
interface Loopback2222
 description IPSLA PROBE DESTINATION
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 description ** Outside Connection **
 ip address 10.10.10.6 255.255.255.252
 crypto map MAINMAP
!
interface GigabitEthernet0/1
 description ** Inside Connection **
 ip address 192.168.3.1 255.255.255.252
!
interface FastEthernet0/2/0
 description *** Mgmt Connection ***
 switchport access vlan 20
!
interface FastEthernet0/2/1
 shutdown
!
interface FastEthernet0/2/2
 shutdown
!
interface FastEthernet0/2/3
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan20
 description *** SIMULATED - Mgmt- Connection to csla-3750b_G1/0/11 ***
 ip address 192.168.4.1 255.255.255.252
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.3.2 name To_Anywhere
ip route 10.255.10.10 255.255.255.255 10.10.10.5 name To_Branch_Data
ip route 192.168.1.0 255.255.255.0 10.10.10.5 name To_Branch_Data
ip route 10.1.1.2 255.255.255.255 192.168.4.2 name To_Radius

Main site NEW VRF-Aware config ...


vrf new_vrf
!
crypto keyring NEWVPN
 pre-shared-key address 0.0.0.0 0.0.0.0 key akey1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile NEWVPN
 description *** VRF-aware IPSEC ***
 vrf new_vrf
 keyring NEWVPN
 match identity address 0.0.0.0 new_vrf
 client configuration address respond
 keepalive 30 retry 5
!
crypto ipsec transform-set TRANSSET esp-aes esp-sha-hmac
!
crypto dynamic-map DYNAMAP 1
 set transform-set TRANSSET
 set isakmp-profile NEWVPN
!
crypto map MAINMAP local-address GigabitEthernet0/0
crypto map MAINMAP 1 ipsec-isakmp dynamic DYNAMAP
!
interface Loopback0
 ip vrf forwarding new_vrf
 ip address 10.128.255.31 255.255.255.255
 no ip redirects
!
interface Loopback2222
 description IPSLA PROBE DESTINATION
 ip vrf forwarding new_vrf
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 description ** Outside Connection **
 ip vrf forwarding new_vrf
 ip address 10.10.10.6 255.255.255.252
 crypto map MAINMAP
!
interface GigabitEthernet0/1
 description ** Inside Connection **
 ip vrf forwarding new_vrf
 ip address 192.168.3.1 255.255.255.252
!
interface FastEthernet0/2/0
 description *** Mgmt Connection ***
 switchport access vlan 20
!
interface FastEthernet0/2/1
 shutdown
!
interface FastEthernet0/2/2
 shutdown
!
interface FastEthernet0/2/3
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan20
 description *** SIMULATED - Mgmt- Connection to csla-3750b_G1/0/11 ***
 ip address 192.168.4.1 255.255.255.252
!
ip forward-protocol nd
ip route vrf new_vrf 0.0.0.0 0.0.0.0 192.168.3.2 name To_Anywhere
ip route vrf new_vrf 10.255.10.10 255.255.255.255 10.10.10.5 name To_Branch_Data
ip route vrf new_vrf 192.168.1.0 255.255.255.0 10.10.10.5 name To_Branch_Data
!
ip route 0.0.0.0 0.0.0.0 192.168.4.2 name Default_for Global


Marcin Latosiewicz
Cisco Employee

Hi there,

It looks like your keyring is in global VRF rather than in new_vrf.

https://supportforums.cisco.com/docs/DOC-13524

I would suggest investigating an SVTI config rather than this, especially if both sides are IOS.

Marcin
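As an added example (not the original poster's or the reply author's configuration), this is the keyring change the reply points at: with GigabitEthernet0/0 moved into new_vrf, IKE packets now arrive in that front-door VRF, so the keyring holding the pre-shared key has to be bound to it rather than left in the global table. The `crypto keyring NAME vrf VRF` form and the show commands are standard IOS syntax; the rest of the poster's config is assumed to stay as posted.

```cisco
! Keyring bound to the front-door VRF (FVRF). Without "vrf new_vrf" the
! keyring is global, so IKE received on Gi0/0 (now in new_vrf) finds no
! matching pre-shared key and phase 1 never completes.
crypto keyring NEWVPN vrf new_vrf
 pre-shared-key address 0.0.0.0 0.0.0.0 key akey1
!
! Unchanged profile, shown for context:
!  - "vrf new_vrf" is the inside VRF where decrypted traffic is routed
!  - "match identity address 0.0.0.0 new_vrf" matches peers in FVRF new_vrf
!  - "keyring NEWVPN" must now refer to a keyring in that same FVRF
crypto isakmp profile NEWVPN
 description *** VRF-aware IPSEC ***
 vrf new_vrf
 keyring NEWVPN
 match identity address 0.0.0.0 new_vrf
 client configuration address respond
 keepalive 30 retry 5
!
! Checks after applying: expect a QM_IDLE phase-1 SA with 10.10.10.5,
! an active session on Gi0/0, and the branch prefix reachable in new_vrf.
! show crypto isakmp sa
! show crypto session detail
! show ip route vrf new_vrf 192.168.1.0
```

If phase 1 still fails, `show crypto isakmp sa` showing MM_NO_STATE or no entry at all is the usual sign that the key lookup is happening in the wrong VRF.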