
VRF aware ipsec + ikev2 + static routes

VILLE LEINONEN
Level 1

Hi all,

I have a little problem in my setup. For some reason routing back to the other site is not working. I can see and capture that packets are coming in and a reply is sent, but the other site's server never receives those packets. I think my routing is somehow broken. Below is my configuration.

Br,

Ville

-------

ip vrf Azure
 description Azure vpn
!
crypto ikev2 proposal Solodel-S2S-Route-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy Solodel-S2S-Route-policy
 match address local 83.zzz.yyy.xxx
 proposal Solodel-S2S-Route-proposal
!
crypto ikev2 keyring Solodel-S2S-Route-keyring
 peer 40.zzz.yyy.xxx
  address 40.zzz.yyy.xxx
  pre-shared-key acme
!
crypto ikev2 profile Solodel-S2S-Route-profile
 match address local 83.zzz.yyy.xxx
 match identity remote address 40.zzz.yyy.xxx 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local Solodel-S2S-Route-keyring
 lifetime 3600
 dpd 10 5 on-demand
 ivrf Azure
!
crypto ipsec transform-set Solodel-S2S-Route-TransformSet esp-gcm 256
 mode tunnel
!
crypto ipsec profile Solodel-S2S-Route-IPsecProfile
 set transform-set Solodel-S2S-Route-TransformSet
 set ikev2-profile Solodel-S2S-Route-profile
!
interface Loopback11
 ip vrf forwarding Azure
 ip address 10.10.10.1 255.255.255.0
!
interface Tunnel11
 ip vrf forwarding Azure
 ip address 169.254.0.1 255.255.255.255
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 40.zzz.yyy.xxx
 tunnel protection ipsec profile Solodel-S2S-Route-IPsecProfile
!
interface GigabitEthernet0
 description toInternet
 ip address 83.zzz.yyy.xxx 255.255.255.248
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 83.zzz.yyy.xxx
ip route vrf Azure 10.7.6.0 255.255.254.0 Tunnel11

-------

"sh cry ips sa" says:

interface: Tunnel11
    Crypto map tag: Tunnel11-head-0, local addr 83.zzz.yyy.xxx

   protected vrf: Azure
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 40.zzz.yyy.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 2516, #pkts decrypt: 2516, #pkts verify: 2516
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 83.zzz.yyy.xxx, remote crypto endpt.: 40.zzz.yyy.xxx
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0x588A5216(1485459990)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x32AE90C(53143820)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel, }
        conn id: 1056, flow_id: SW:56, sibling_flags 80000040, crypto map: Tunnel11-head-0
        sa timing: remaining key lifetime (k/sec): (4265399/2937)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x588A5216(1485459990)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel, }
        conn id: 1055, flow_id: SW:55, sibling_flags 80000040, crypto map: Tunnel11-head-0
        sa timing: remaining key lifetime (k/sec): (4265400/2937)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
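The counters in the output above already tell the story before any debug is run: 2516 packets decapsulated and 0 encapsulated on an SA that is ACTIVE in both directions means the peer's traffic arrives and is decrypted, but nothing is ever routed back into the tunnel. The script below is an added example, not part of the thread and not a Cisco tool: it parses that output and flags the asymmetry. The sample text is constructed from the thread's own Tunnel11 section (addresses masked as in the thread) plus a made-up healthy Tunnel12 for contrast.

```python
"""Classify tunnels from Cisco 'show crypto ipsec sa' counters.

Added example, not from the thread and not Cisco's code. Decaps rising while
encaps stays at 0 (the thread's output) means the SA itself works and the
fault is the return path into the tunnel: routing or VRF placement, not crypto.
"""
import re

# Constructed sample: the thread's Tunnel11 counters (addresses masked as in
# the thread) plus a made-up healthy Tunnel12 for contrast.
SAMPLE_SA_OUTPUT = """\
interface: Tunnel11
   protected vrf: Azure
   current_peer 40.zzz.yyy.xxx port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 2516, #pkts decrypt: 2516, #pkts verify: 2516
    #send errors 0, #recv errors 0
     inbound esp sas:
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
        Status: ACTIVE(ACTIVE)
interface: Tunnel12
   protected vrf: (none)
   current_peer 198.51.100.7 port 500
    #pkts encaps: 410, #pkts encrypt: 410, #pkts digest: 410
    #pkts decaps: 388, #pkts decrypt: 388, #pkts verify: 388
    #send errors 0, #recv errors 0
     inbound esp sas:
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
        Status: ACTIVE(ACTIVE)
"""

INTERFACE_RE = re.compile(r"^interface: (\S+)", re.MULTILINE)
VRF_RE = re.compile(r"protected vrf: (\S+)")
PEER_RE = re.compile(r"current_peer (\S+) port \d+")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def _grab(rx, sec, idx=1, cast=str):
    """First match of rx in sec, cast to a type; None when the line is absent."""
    m = rx.search(sec)
    return cast(m.group(idx)) if m else None


def _active(sec, start_marker, end_marker):
    """Count 'Status: ACTIVE' lines between two markers (end may be None)."""
    start = sec.find(start_marker)
    if start < 0:
        return 0
    end = sec.find(end_marker, start) if end_marker else -1
    return sec[start:end if end >= 0 else None].count("Status: ACTIVE")


def parse_ipsec_sa(text):
    """One dict per 'interface:' section of the show output."""
    heads = list(INTERFACE_RE.finditer(text))
    result = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        sec = text[head.start():end]
        result.append({
            "interface": head.group(1),
            "vrf": _grab(VRF_RE, sec),
            "peer": _grab(PEER_RE, sec),
            "encaps": _grab(ENCAPS_RE, sec, cast=int) or 0,
            "decaps": _grab(DECAPS_RE, sec, cast=int) or 0,
            "send_errors": _grab(ERRORS_RE, sec, 1, int) or 0,
            "recv_errors": _grab(ERRORS_RE, sec, 2, int) or 0,
            "active_in": _active(sec, "inbound esp sas:", "outbound esp sas:"),
            "active_out": _active(sec, "outbound esp sas:", None),
        })
    return result


def diagnose(sa):
    """Verdict for one parsed section; most basic fault is tested first."""
    if sa["active_in"] == 0 or sa["active_out"] == 0:
        return "no-active-sa"       # phase 2 down: look at IKE, not routing
    if sa["send_errors"] or sa["recv_errors"]:
        return "crypto-errors"      # SA up but packets dropped on the crypto path
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        return "one-way-inbound"    # peer's packets arrive; nothing is routed back in
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "one-way-outbound"   # we send; the peer never answers
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"
    return "bidirectional"


def report(text=SAMPLE_SA_OUTPUT):
    """{interface: verdict} for every tunnel in the output."""
    return {sa["interface"]: diagnose(sa) for sa in parse_ipsec_sa(text)}
```

Run report() over the pasted output of "show crypto ipsec sa"; a "one-way-inbound" verdict on a VRF tunnel is the cue to check the VRF routing and the profile binding rather than the IKE or IPsec settings, which is exactly where this thread ended up.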

1 Accepted Solution


Solution was to remove ivrf Azure in crypto ikev2 profile Solodel-S2S-Route-profile.


3 Replies

Dennis Mink
VIP Alumni

How have you configured interesting traffic on the other end?

As far as I know they need to be the same at both ends for the tunnel to work.

Please remember to rate useful posts by clicking on the stars below.

Thank you for the reply. The other side is Azure, so there is not much to do (and also no debug). The only thing on the Azure side is that the Cisco side address space is 10.10.10.0/255.255.255.0. Anyway, traffic is working without VRF and I can ping that loopback address from the server, and the Cisco loopback address can ping the server, but when I add the VRF to my config the traffic stops.

Br,

Ville

Solution was to remove ivrf Azure in crypto ikev2 profile Solodel-S2S-Route-profile.
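As an added example (not code from the thread or from Cisco), the following script parses an IOS configuration like the one posted and reports the combination the accepted solution removed: an IKEv2 profile carrying 'ivrf' while it is bound, through the IPsec profile, to a tunnel interface that already sets 'ip vrf forwarding'. The two route checks (a protected tunnel with no static route pointing into it, or a route whose VRF differs from the tunnel's) are my own assumptions about what to look at next, not claims made in the thread. The sample configuration is a trimmed copy of the one posted, with addresses masked as in the thread.

```python
"""Check VRF consistency between a VTI, its IKEv2 profile and static routes.

Added example, not from the thread and not Cisco's code. The check that an
IKEv2 profile bound to a VTI should not also carry 'ivrf' is taken from the
thread's accepted fix; the route checks are my own assumptions.
"""

# Constructed copy of the thread's configuration (addresses masked as in the
# thread), reduced to the parts these checks look at.
ORIGINAL_CONFIG = """\
ip vrf Azure
 description Azure vpn
!
crypto ikev2 profile Solodel-S2S-Route-profile
 match identity remote address 40.zzz.yyy.xxx 255.255.255.255
 keyring local Solodel-S2S-Route-keyring
 ivrf Azure
!
crypto ipsec profile Solodel-S2S-Route-IPsecProfile
 set transform-set Solodel-S2S-Route-TransformSet
 set ikev2-profile Solodel-S2S-Route-profile
!
interface Tunnel11
 ip vrf forwarding Azure
 ip address 169.254.0.1 255.255.255.255
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 40.zzz.yyy.xxx
 tunnel protection ipsec profile Solodel-S2S-Route-IPsecProfile
!
ip route 0.0.0.0 0.0.0.0 83.zzz.yyy.xxx
ip route vrf Azure 10.7.6.0 255.255.254.0 Tunnel11
"""

# The accepted solution: the same configuration with the ivrf line removed.
FIXED_CONFIG = ORIGINAL_CONFIG.replace("\n ivrf Azure\n", "\n")


def parse_ios(config):
    """Map each top-level IOS line to the list of its indented sub-lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def _named(blocks, prefix):
    """{name: sub-lines} for blocks such as 'crypto ipsec profile NAME'."""
    return {k[len(prefix):]: v for k, v in blocks.items() if k.startswith(prefix)}


def _arg(lines, prefix):
    """Last word of the first sub-line starting with prefix, else None."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)


def check_vrf_consistency(config):
    """Return [(code, interface, message)] for each suspicious combination."""
    blocks = parse_ios(config)
    ipsec = _named(blocks, "crypto ipsec profile ")
    ikev2 = _named(blocks, "crypto ikev2 profile ")
    tunnels = _named(blocks, "interface ")
    routes = [k for k in blocks if k.startswith("ip route ")]
    findings = []
    for name, lines in tunnels.items():
        prof = _arg(lines, "tunnel protection ipsec profile ")
        if prof is None:
            continue                      # not a VTI with tunnel protection
        vrf = _arg(lines, "ip vrf forwarding ")
        ike_name = _arg(ipsec.get(prof, []), "set ikev2-profile ")
        ivrf = _arg(ikev2.get(ike_name, []), "ivrf ")
        if ivrf is not None:              # the thread's accepted fix removed this
            findings.append(("ivrf-on-vti", name,
                f"ikev2 profile {ike_name} sets 'ivrf {ivrf}' while {name} "
                f"is placed in VRF {vrf or 'global'} by the interface itself"))
        into_tunnel = [r for r in routes if r.split()[-1] == name]
        if not into_tunnel:               # assumption: a VTI needs a route into it
            findings.append(("no-route-to-tunnel", name,
                             f"no static route points into {name}"))
        for r in into_tunnel:             # assumption: route VRF should match tunnel VRF
            route_vrf = r.split()[3] if r.startswith("ip route vrf ") else None
            if route_vrf != vrf:
                findings.append(("route-vrf-mismatch", name,
                    f"'{r}' is in VRF {route_vrf or 'global'} but {name} is in VRF {vrf or 'global'}"))
    return findings


def finding_codes(config):
    """Just the finding codes, for a quick before/after comparison."""
    return [code for code, _, _ in check_vrf_consistency(config)]
```

finding_codes(ORIGINAL_CONFIG) yields ["ivrf-on-vti"] and finding_codes(FIXED_CONFIG) yields nothing, which mirrors the thread: the tunnel, the IPsec profile and the static route all agree on VRF Azure, and the one extra binding in the IKEv2 profile is what had to go.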