Beginner

VRF Aware IPSEC Tunnel

Hi All,

I have an internet facing router that I need to run vrf aware ipsec. I will have primary and secondary tunnels to remote end. I will be using public ip addresses on the loopbacks to source traffic. They will be peering BGP over the tunnels. Please advise on attached configs. I don't have the option to run VTI currently with the remote client.

Thanks in Advance

Advisor

You are using pre-shared keys

You are using pre-shared keys based on IP addresses, so get rid of:

crypto isakmp identity hostname

You don't need to use loopbacks.  You can make the tunnel source the outside IP address (in the "internet" vrf).  Then just add a "tunnel key x" on each tunnel, where "x" uniquely identifies the tunnel.


Beginner

Thanks Phillip. And if you

Thanks Phillip. And if you want to scale up for multiple connections/ipsec terminations, if you have a crypto map on the outside interface you can just keep adding multiple crypto maps with sequential numbering. Then you'd need to build out separate isakmp profiles and you could also add tunnel keys per tunnel?

Advisor

Yes to adding in sequentially

Yes to adding in sequentially numbered access lists.

Probably not for isakmp profile.  Just add more keys to your keyring, and more "match" clauses.

Yes to using unique tunnel keys.

Try and move to VTI as soon as you can.  Much less time involved setting up and supporting it.

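The two answers above put together as one IOS configuration (an added example, not a config from this thread or from Cisco): address-based pre-shared keys with no "crypto isakmp identity hostname", a single keyring and isakmp profile that grow by one key and one match line per peer, sequentially numbered crypto map entries on the outside interface, and GRE tunnels sourced from that interface with a unique "tunnel key". It assumes VRFs named "internet" (front-door) and "customer" (inside) already exist, local outside address 198.51.100.1, remote peers 203.0.113.10 and 203.0.113.20 (RFC 5737 documentation addresses), and placeholder PSKs.

```cisco
! Keyring in the fvrf, one address-based PSK per peer (addresses and keys are placeholders)
crypto keyring KR-INTERNET vrf internet
 pre-shared-key address 203.0.113.10 key PRIMARY-PSK-PLACEHOLDER
 pre-shared-key address 203.0.113.20 key SECONDARY-PSK-PLACEHOLDER
! No "crypto isakmp identity hostname": the default (address) identity is what these keys match
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! One profile for all peers: a new peer is one more keyring entry and one more match line
crypto isakmp profile ISAKMP-PROF
 vrf customer
 keyring KR-INTERNET
 match identity address 203.0.113.10 255.255.255.255 internet
 match identity address 203.0.113.20 255.255.255.255 internet
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
ip access-list extended GRE-PRIMARY
 permit gre host 198.51.100.1 host 203.0.113.10
ip access-list extended GRE-SECONDARY
 permit gre host 198.51.100.1 host 203.0.113.20
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 set isakmp-profile ISAKMP-PROF
 match address GRE-PRIMARY
crypto map CM-OUTSIDE 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS-AES
 set isakmp-profile ISAKMP-PROF
 match address GRE-SECONDARY
interface GigabitEthernet0/0
 ip vrf forwarding internet
 ip address 198.51.100.1 255.255.255.252
 crypto map CM-OUTSIDE
! Tunnels sourced from the outside interface; "tunnel vrf" sends GRE via the fvrf, "tunnel key" tells them apart
interface Tunnel1
 ip vrf forwarding customer
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel vrf internet
 tunnel key 1
interface Tunnel2
 ip vrf forwarding customer
 ip address 10.0.0.5 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.20
 tunnel vrf internet
 tunnel key 2
```

Note that "tunnel key" is a GRE demultiplexing value, not a credential: peer authentication rests entirely on the pre-shared keys, so give each peer its own PSK and treat the keyring as the secret to protect.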