vrf-aware IPSec vs crypto maps for multiple tunnels

Murali
Level 1

Hello everyone!

I came to know that we can use the same public IP for creating multiple tunnels to different sites, using crypto maps with multiple lines, each representing a reference to a particular tunnel, and using VRF-aware IPsec, but I would like to know what the differences / advantages / caveats are.


Thanks for your time

Murali.

Accepted Solution

Jon Marshall
Hall of Fame

Murali

As far as I understand it, the feature basically allows you to have multiple IPSEC tunnels, and the traffic within the tunnel, i.e. the source and destination IPs of the end devices, can be in different VRFs.

So it works primarily with MPLS VPNs, i.e. if you had multiple MPLS VPNs each with their own VRF, you could then run IPSEC tunnels across the MPLS network, and when the packets are received they are automatically in the correct VRF.

You couldn't do this with normal crypto maps, i.e. you could still terminate multiple IPSEC tunnels on one public IP, but the traffic would then all be in the same global routing table.

So the advantage is primarily the same as you get with any VRF setup, i.e. logical separation of traffic on a single device.

Can't really say much about caveats as I have never used it, but there are certain restrictions.

See this link for full details -

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/asr1000/sec-ike-for-ipsec-vpns-xe-3s-asr1000-book/sec-vrf-aware-ipsec.html

Jon
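A configuration example, added here and not taken from the thread or from Cisco's documentation, showing on one IOS router what Jon describes: a single public IP with a two-entry crypto map, where an ISAKMP profile per peer places that tunnel's decrypted traffic in its own VRF instead of the global table. All VRF, keyring, profile and ACL names, the addresses (RFC 5737 documentation ranges), the prefixes and the REPLACE_WITH_* pre-shared keys are assumed placeholders.

```cisco
! Constructed example (not from the thread): one public IP, two tunnels;
! Site A's cleartext is routed in VRF CUST_A, Site B's in VRF CUST_B.
ip vrf CUST_A
 rd 65000:1
ip vrf CUST_B
 rd 65000:2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto keyring KR_SITE_A
 pre-shared-key address 203.0.113.10 key REPLACE_WITH_SITE_A_PSK
crypto keyring KR_SITE_B
 pre-shared-key address 198.51.100.20 key REPLACE_WITH_SITE_B_PSK
! "vrf" under the ISAKMP profile is the inside VRF (IVRF) for that peer's
! decrypted packets; Gi0/0 stays global, so the front-door VRF is global.
crypto isakmp profile PROF_SITE_A
 vrf CUST_A
 keyring KR_SITE_A
 match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile PROF_SITE_B
 vrf CUST_B
 keyring KR_SITE_B
 match identity address 198.51.100.20 255.255.255.255
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
ip access-list extended ACL_SITE_A
 permit ip 10.1.0.0 0.0.255.255 10.100.0.0 0.0.255.255
ip access-list extended ACL_SITE_B
 permit ip 10.2.0.0 0.0.255.255 10.200.0.0 0.0.255.255
! One crypto map, one entry per tunnel. Drop the "set isakmp-profile" lines
! (using "crypto isakmp key" instead of keyrings) and you have the plain
! multi-entry crypto map: same public IP, but no VRF separation.
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 set isakmp-profile PROF_SITE_A
 match address ACL_SITE_A
crypto map CM 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS
 set isakmp-profile PROF_SITE_B
 match address ACL_SITE_B
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map CM
! Each VRF needs a route to its remote site via the global next hop.
ip route vrf CUST_A 10.100.0.0 255.255.0.0 192.0.2.254 global
ip route vrf CUST_B 10.200.0.0 255.255.0.0 192.0.2.254 global
```

To check the separation after the tunnels come up, `show ip route vrf CUST_A` should list 10.100.0.0/16 while `show ip route vrf CUST_B` does not, and the global table should carry neither customer prefix.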


2 Replies

Hi Jon,

Thank you! So the use case for VRF-aware IPsec could be an ISP supporting multiple clients; it makes sense to have different routing tables for each customer.

Murali