cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1054
Views
0
Helpful
2
Replies

vrf-aware IPSec vs crypto maps for multiple tunnels

Murali
Level 1
Level 1

Hello everyone !

 

I came to know that we can use the same public ip for creating multiple tunnels to different sites using crypto-maps with multiple lines each representing a reference to a particular tunnel and using vrf aware IPsec  but I would like to know what are differences / advantages / caveats .

 

Thanks for your time

Murali.

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

Murali

As far as I understand it the feature basically allows you to have multiple IPSEC tunnels and the traffic within the tunnel ie. the source and destination IPs of the end devices can be in different VRFs.

So it works primarily with MPLS VPNs ie. if you had multiple MPLS VPNs each with their own VRF you could then run ISPEC tunnels across the MPLS network and when the packets are received they are automatically in the correct VRF.

You couldn't do this normal crypto maps ie. you could still terminate multiple IPSEC tunnels on one public IP but the traffic would then all be in the same global routing table.

So the advantage is primarily the same as you get with any VRF setup ie. logical separation of traffic on a single device.

Can't really say much about caveats as I have never used it but there are certain restrictions.

See this link for full details -

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/asr1000/sec-ike-for-ipsec-vpns-xe-3s-asr1000-book/sec-vrf-aware-ipsec.html

Jon

View solution in original post

2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

Murali

As far as I understand it the feature basically allows you to have multiple IPSEC tunnels and the traffic within the tunnel ie. the source and destination IPs of the end devices can be in different VRFs.

So it works primarily with MPLS VPNs ie. if you had multiple MPLS VPNs each with their own VRF you could then run ISPEC tunnels across the MPLS network and when the packets are received they are automatically in the correct VRF.

You couldn't do this normal crypto maps ie. you could still terminate multiple IPSEC tunnels on one public IP but the traffic would then all be in the same global routing table.

So the advantage is primarily the same as you get with any VRF setup ie. logical separation of traffic on a single device.

Can't really say much about caveats as I have never used it but there are certain restrictions.

See this link for full details -

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/asr1000/sec-ike-for-ipsec-vpns-xe-3s-asr1000-book/sec-vrf-aware-ipsec.html

Jon

Hi Jon,

Thank you ! so the use case for vrf-aware IPSec could be ISP supporting multiple clients , it makes sense to have different routing tables for each customer.

Murali