VRF Aware IPSEC Using NAT

I seem to be having issues with getting IPSEC to run when I use NAT. With no NAT this works perfectly fine, but with NAT the ACL to the Crypto Map does not get hit. I am currently trying to test for a new deployment, as we connect to many 3rd parties for services, and I want to use a VRF per connection to keep the NAT tables separate.

Below is my configuration from the VPN Router. This is a 3745, running C3745-ADVENTERPRISEK9-M, Version 12.4(25c).

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip vrf CUST1
rd 30:30
route-target export 30:30
route-target import 30:30
!
ip vrf CUST2
rd 40:40
route-target export 40:40
route-target import 40:40
!
ip vrf CUST3
rd 50:50
route-target export 50:50
route-target import 50:50
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto keyring CUST2_KEY
  description PSK for Router 4
  pre-shared-key address 10.1.0.6 key markspence
crypto keyring CUST3_KEY
  description PSK for Router 5
  pre-shared-key address 10.1.0.10 key markspence
crypto keyring CUST1_KEY
  description PSK for Router 3
  pre-shared-key address 10.1.0.2 key markspence
no crypto xauth FastEthernet0/1
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile CUST1_PROF
   vrf CUST1
   keyring CUST1_KEY
   match identity address 10.1.0.2 255.255.255.255
crypto isakmp profile CUST2_PROF
   vrf CUST2
   keyring CUST2_KEY
   match identity address 10.1.0.6 255.255.255.255
crypto isakmp profile CUST3_PROF
   vrf CUST3
   keyring CUST3_KEY
   match identity address 10.1.0.10 255.255.255.255
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CUST1_VRF 10 ipsec-isakmp
set peer 10.1.0.2
set transform-set ESP-3DES-SHA
set isakmp-profile CUST1_PROF
match address CUST_ACL
crypto map CUST1_VRF 20 ipsec-isakmp
set peer 10.1.0.6
set transform-set ESP-3DES-SHA
set isakmp-profile CUST2_PROF
match address CUST2_ACL
crypto map CUST1_VRF 30 ipsec-isakmp
set peer 10.1.0.10
set transform-set ESP-3DES-SHA
set isakmp-profile CUST3_PROF
match address CUST3_ACL
!
interface FastEthernet0/0
description connection to R1 Internal
ip vrf receive CUST1
ip vrf receive CUST2
ip vrf receive CUST3
ip address 10.0.0.2 255.255.255.252
ip nat enable
ip policy route-map VRF_PBR
speed 100
full-duplex
!
interface FastEthernet0/1
description connection to R1 External
ip address 192.168.0.2 255.255.255.252
ip nat enable
speed 100
full-duplex
crypto map CUST1_VRF
!
router ospf 100
router-id 10.254.254.6
log-adjacency-changes
redistribute static subnets route-map REDISTRIBUTE_STATIC
passive-interface default
no passive-interface FastEthernet0/0
no passive-interface FastEthernet0/1
network 10.0.0.0 0.255.255.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1 name Default_Gateway_Global
ip route 30.30.30.0 255.255.255.0 192.168.0.1 name into_OSPF_Global
ip route 40.40.40.0 255.255.255.0 192.168.0.1 name OSPF_Global
ip route 50.50.50.0 255.255.255.0 192.168.0.1 name into_OSPF_Global
ip route vrf CUST1 10.0.0.0 255.255.0.0 10.0.0.1 global
ip route vrf CUST1 10.1.0.2 255.255.255.255 192.168.0.1 global
ip route vrf CUST1 30.30.30.0 255.255.255.0 192.168.0.1 global
ip route vrf CUST2 0.0.0.0 0.0.0.0 192.168.0.1 global
ip route vrf CUST2 10.0.0.0 255.255.0.0 10.0.0.1 global
ip route vrf CUST2 10.1.0.6 255.255.255.255 192.168.0.1 global
ip route vrf CUST2 10.10.0.0 255.255.0.0 10.0.0.1 global
ip route vrf CUST3 0.0.0.0 0.0.0.0 192.168.0.1 global
ip route vrf CUST3 10.0.0.0 255.255.0.0 10.0.0.1 global
ip route vrf CUST3 50.50.50.0 255.255.255.0 192.168.0.1 global
!
!
no ip http server
no ip http secure-server
ip nat pool CUST3_NAT_POOL 192.168.20.1 192.168.20.1 netmask 255.255.255.0 add-route
ip nat source list CUST3_NAT_SOURCE pool CUST3_NAT_POOL vrf CUST3 overload
ip nat source static 10.10.10.1 192.168.10.1 vrf CUST2
!
ip access-list standard Supplier1
permit 30.30.30.0 0.0.0.255
permit 40.40.40.0 0.0.0.255
permit 50.50.50.0 0.0.0.255
!
ip access-list extended CUST2_ACL
permit ip any 40.40.40.0 0.0.0.255
ip access-list extended CUST3_ACL
permit ip host 192.168.20.1 host 50.50.50.1
ip access-list extended CUST3_NAT_SOURCE
permit ip host 10.0.0.1 host 50.50.50.1
permit ip host 10.10.10.1 host 50.50.50.1
ip access-list extended CUST_ACL
permit ip any 30.30.30.0 0.0.0.255
ip access-list extended PBR_VRF_2
permit ip any 30.30.30.0 0.0.0.255
ip access-list extended PBR_VRF_3
permit ip any 40.40.40.0 0.0.0.255
ip access-list extended PBR_VRF_4
permit ip 10.0.0.0 0.255.255.255 50.50.50.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 50.50.50.0 0.0.0.255
!
!
route-map REDISTRIBUTE_STATIC permit 10
match ip address Supplier1
!
route-map VRF_PBR permit 10
match ip address PBR_VRF_2
set vrf CUST1
!
route-map VRF_PBR permit 20
match ip address PBR_VRF_3
set vrf CUST2
!
route-map VRF_PBR permit 30
match ip address PBR_VRF_4
set vrf CUST3
!
!
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
!
!
end

R6#

If I create an Interface inside either VRF CUST2 or CUST3, and use this to ping from, then the Crypto Map ACL is hit and it all works perfectly fine.

And the VRF CUST1, as it has no NAT attached to it, works perfectly fine, but CUST2 and CUST3 do not work, although I debug ip NAT and I see the translations, and the router upstream reports the destination address unroutable, and I also see the route-map counters going up at the same time (so it goes out of the VRF interface, but just not encrypted)...

Any help here would be much appreciated.

Thanks
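
As an added example that is not part of the original post, the following Python script models the IOS inside-to-outside order of operations, in which source NAT is applied before the crypto map ACL is evaluated, against the ACLs and NAT statements in the R6 configuration above; the sample flows are constructed. It compares addresses only and does not model VRF membership or the ISAKMP profile's VRF binding, so a match here rules out an address-level crypto ACL mismatch but not a VRF one.

```python
# Added example, not from the original post: models the IOS inside-to-outside
# order of operations (NAT is applied before the crypto map ACL is checked) using
# the ACLs and NAT rules copied from the posted R6 config. Sample flows are constructed.
import ipaddress

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard semantics: address bits where the wildcard bit is 0 must match
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0

def acl_permits(acl, src, dst):
    # acl: list of (src, src_wildcard, dst, dst_wildcard) permit entries
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)

ANY = ("0.0.0.0", "255.255.255.255")
HOST = "0.0.0.0"  # wildcard for a "host x.x.x.x" entry
# crypto map "match address" ACLs from the posted config
CRYPTO_ACL = {
    "CUST1": [(*ANY, "30.30.30.0", "0.0.0.255")],            # CUST_ACL
    "CUST2": [(*ANY, "40.40.40.0", "0.0.0.255")],            # CUST2_ACL
    "CUST3": [("192.168.20.1", HOST, "50.50.50.1", HOST)],   # CUST3_ACL
}
# ip access-list extended CUST3_NAT_SOURCE
CUST3_NAT_SOURCE = [("10.0.0.1", HOST, "50.50.50.1", HOST),
                    ("10.10.10.1", HOST, "50.50.50.1", HOST)]

def translate_source(vrf, src, dst):
    # ip nat source static 10.10.10.1 192.168.10.1 vrf CUST2
    if vrf == "CUST2" and src == "10.10.10.1":
        return "192.168.10.1"
    # ip nat source list CUST3_NAT_SOURCE pool CUST3_NAT_POOL vrf CUST3 overload
    if vrf == "CUST3" and acl_permits(CUST3_NAT_SOURCE, src, dst):
        return "192.168.20.1"
    return src  # CUST1 (and any flow outside the NAT rules) leaves untranslated

def check_flow(vrf, src, dst):
    # The crypto ACL is evaluated on the post-NAT packet, so both views are reported
    nat_src = translate_source(vrf, src, dst)
    acl = CRYPTO_ACL[vrf]
    return {"nat_src": nat_src,
            "pre_nat_match": acl_permits(acl, src, dst),
            "post_nat_match": acl_permits(acl, nat_src, dst)}

if __name__ == "__main__":
    for flow in [("CUST2", "10.10.10.1", "40.40.40.1"),
                 ("CUST3", "10.10.10.1", "50.50.50.1"),
                 ("CUST3", "10.10.10.2", "50.50.50.1")]:  # host outside the NAT source list
        print(flow, check_flow(*flow))
```

The last sample flow shows a CUST3 host that the NAT source list does not cover: it leaves untranslated and never matches the host-specific CUST3_ACL, so it would go out in the clear.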
