VRF Aware IPSEC Tunnel

fhoban
Level 1

Hi All,

I have an internet facing router that I need to run VRF-aware IPsec on. I will have primary and secondary tunnels to the remote end. I will be using public IP addresses on the loopbacks to source traffic. They will be peering BGP over the tunnels. Please advise on the attached configs. I don't have the option to run VTI currently with the remote client.

Thanks in Advance


3 Replies

Philip D'Ath
VIP Alumni

You are using pre-shared keys based on IP addresses, so get rid of:

crypto isakmp identity hostname

You don't need to use loopbacks.  You can make the tunnel source the outside IP address (in the "internet" vrf).  Then just add a "tunnel key x" on each tunnel, where "x" uniquely identifies the tunnel.

Thanks Philip. And if you want to scale up for multiple connections/IPsec terminations, if you have a crypto map on the outside interface you can just keep adding multiple crypto map entries with sequential numbering. Then you'd need to build out separate ISAKMP profiles, and you could also add tunnel keys per tunnel?

Yes to adding in sequentially numbered access lists.

Probably not for isakmp profile.  Just add more keys to your keyring, and more "match" clauses.

Yes to using unique tunnel keys.

Try and move to VTI as soon as you can.  Much less time involved setting up and supporting it.
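Putting the two accepted answers together as one configuration sketch (constructed here as an added example, not the poster's attached config): no "crypto isakmp identity hostname", tunnels sourced from the outside interface in the "internet" VRF, one keyring with a key and a "match" clause per peer, sequentially numbered ACLs and crypto map entries, and a unique "tunnel key" per tunnel. The inside VRF name "inside", the interface names and all addresses and keys are placeholders (RFC 5737 ranges); the ISAKMP policy and the BGP session over the tunnels are assumed to be configured separately.

```cisco
! Constructed example; "inside" VRF, addresses and keys are placeholders.
ip vrf internet
ip vrf inside
! One keyring in the internet VRF; one key per remote peer.
crypto keyring KR-REMOTE vrf internet
 pre-shared-key address 198.51.100.1 key PLACEHOLDER-PSK-1
 pre-shared-key address 198.51.100.2 key PLACEHOLDER-PSK-2
! No "crypto isakmp identity hostname": peers are matched by address.
! Decrypted packets are GRE, so they belong in the internet VRF.
crypto isakmp profile ISA-REMOTE
 vrf internet
 keyring KR-REMOTE
 match identity address 198.51.100.1 255.255.255.255 internet
 match identity address 198.51.100.2 255.255.255.255 internet
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
! One ACL and one crypto map sequence number per tunnel.
access-list 101 permit gre host 203.0.113.10 host 198.51.100.1
access-list 102 permit gre host 203.0.113.10 host 198.51.100.2
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 set isakmp-profile ISA-REMOTE
 match address 101
crypto map CM-OUTSIDE 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES
 set isakmp-profile ISA-REMOTE
 match address 102
interface GigabitEthernet0/0
 ip vrf forwarding internet
 ip address 203.0.113.10 255.255.255.0
 crypto map CM-OUTSIDE
! GRE sourced from the outside address; "tunnel key" tells the tunnels apart.
interface Tunnel1
 ip vrf forwarding inside
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel vrf internet
 tunnel key 1
interface Tunnel2
 ip vrf forwarding inside
 ip address 10.0.0.5 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel vrf internet
 tunnel key 2
```

A third peer is added with one more pre-shared-key line, one more "match identity address" line, ACL 103, crypto map entry 30 and a Tunnel3 with "tunnel key 3"; no additional ISAKMP profile is needed.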