vrf aware ipsec with dynamic peer (answered)

Manoj Buddhika
Level 1

    
                                    |               |         |           |            |          |     lo1 vrf customerA 192.168.100.1/24
   lo0 192.168.1.1/24      |  spokeA  |---------| C7301 |------------| Hub   |
                                    |               |         |           |            |          |     lo2 vrf customerB 192.168.100.1/24

I am trying to test VRF-aware IPsec with a dynamic IP address. I used the C7301 router as a DHCP server, so the spokeA router gets its IP address from that router.

These are my configs, but I still can't form an IPsec connection. Please help me.

Hub configs

hub#
hub#show run
hub#show running-config
Building configuration...

Current configuration : 2245 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hub
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip vrf customerA
description Customer A
!
ip vrf customerB
description Customer B
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
crypto keyring customerA-vpn vrf customerA
  pre-shared-key address 0.0.0.0 0.0.0.0 key VPN
crypto keyring customerB-vpn vrf customerB
  pre-shared-key address 0.0.0.0 0.0.0.0 key VPN
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile customerA
   vrf customerA
   keyring customerA-vpn
   match identity address 0.0.0.0
crypto isakmp profile customerB
   vrf customerB
   keyring customerB-vpn
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set T-SET esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAPA 10
set transform-set T-SET
set isakmp-profile customerA
match address 101
!
!
crypto map VPNA 10 ipsec-isakmp dynamic DYNMAPA
!
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback1
ip vrf forwarding customerA
ip address 192.168.100.1 255.255.255.0
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
no ip address
duplex auto
speed auto
!
interface FastEthernet0.10
description Connected to Customer A
encapsulation dot1Q 10
ip vrf forwarding customerA
ip address 10.10.1.1 255.255.255.252
crypto map VPNA
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route vrf customerA 0.0.0.0 0.0.0.0 10.10.1.2
ip route vrf customerB 0.0.0.0 0.0.0.0 10.10.2.2
ip http server
no ip http secure-server
!
!
!
access-list 101 remark **Site-to-site VPN for Customer A & B**
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

----------------------

c7301#show run
c7301#show running-config
Building configuration...

Current configuration : 1161 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c7301
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
no ip domain lookup
no ip dhcp use vrf connected
ip dhcp excluded-address 11.11.1.1
!
ip dhcp pool POOL1
   network 11.11.1.0 255.255.255.0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller ISA 1/1
!
!
!
!
!
interface GigabitEthernet0/0
ip address 11.11.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 10.10.1.2 255.255.255.252
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 10.10.2.2 255.255.255.252
!
interface GigabitEthernet0/2
ip address 11.11.2.1 255.255.255.0
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

===============================

spokeA configs

spokeA#show run
spokeA#show running-config
Building configuration...

Current configuration : 1424 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname spokeA
!
boot-start-marker
boot config flash:startup-config.cfg
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key VPN address 10.10.1.1
!
!
crypto ipsec transform-set T-SET esp-3des esp-sha-hmac
!
crypto map VPNA 10 ipsec-isakmp
set peer 10.10.1.1
set transform-set T-SET
match address 101
!
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0
ip address dhcp
duplex auto
speed auto
crypto map VPNA
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 11.11.1.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

spokeA#

Please, someone tell me where I am wrong and how to fix it.

Thank you

6 Replies

Marcin Latosiewicz
Cisco Employee

Manoj,

The diagram you attached is not clear.

Do you want front and inside VRF to be the same? In this case you need to correct the match identity statements to contain fvrf.

Have a look at the excellent article by Nico:

https://supportforums.cisco.com/docs/DOC-13524

Marcin

Marcin and all,

Thank you very much for the prompt reply.

Here I attached my diagram again in a jpeg file. Please take a look at it.

Yes, I want the front and inside VRF to be the same. Yeah, I already read that article you mentioned.

I could configure VRF-aware IPsec when the spoke has a fixed IP address. It worked properly. But in this case what I am trying to do is the spoke router doesn't have a fixed IP address. It takes its internet-facing IP address from a DHCP server.

So from the hub router it doesn't know the exact IP address of the spoke router to which it forms an IPsec connection. That's why I am using the match identity address command like this.

crypto keyring customerA-vpn vrf customerA
  pre-shared-key address 0.0.0.0  0.0.0.0 key VPN

If you have any other points to clear up, feel free to ask me.

Thank you very much.

Hi Manoj,

This is just the keyring; it will identify what keys should be assigned to which hosts in a particular VRF.

What I meant was this:

crypto isakmp profile customerA
   vrf customerA
   keyring customerA-vpn
   match identity address 0.0.0.0

From example Nico provided:


crypto isakmp profile cust1-ike-prof
   vrf cust1-vrf
   keyring internet-keyring
   match identity address 10.1.1.2 255.255.255.255 internet-vrf
   isakmp authorization list default

You're missing fvrf from your match identity if front vrf is not global.

Where is the negotiation failing? Can you attach debugs?

Marcin

Hello Manoj,

I've loaded your config into some devices and it works with slight modifications on the profile, as Marcin told you:

DHCP Server
!
ip dhcp pool POOL1
   network 11.11.1.0 255.255.255.0
!
interface FastEthernet1/0
ip address 11.11.1.1 255.255.255.0
!
interface FastEthernet1/1.10
encapsulation dot1Q 10
ip address 10.10.1.2 255.255.255.252
!
interface FastEthernet1/1.20
encapsulation dot1Q 20
ip address 10.10.2.2 255.255.255.252
!


SPOKE A
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key VPN address 10.10.1.1
!
!
crypto ipsec transform-set T-SET esp-3des esp-sha-hmac
!
crypto map VPNA 10 ipsec-isakmp
set peer 10.10.1.1
set transform-set T-SET
match address 101
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet1/0
ip address dhcp
crypto map VPNA
!
ip route 0.0.0.0 0.0.0.0 11.11.1.1
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!

HUB
!
ip vrf customerA
description Customer A
!
ip vrf customerB
description Customer B
!
crypto keyring customerA-vpn vrf customerA
  pre-shared-key address 0.0.0.0 0.0.0.0 key VPN
crypto keyring customerB-vpn vrf customerB
  pre-shared-key address 0.0.0.0 0.0.0.0 key VPN
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile customerA
   vrf customerA
   keyring customerA-vpn
   match identity address 11.11.1.0 255.255.255.0 customerA
crypto isakmp profile customerB
   vrf customerB
   keyring customerB-vpn
   match identity address 11.11.2.0 255.255.255.0 customerB
!
crypto ipsec transform-set T-SET esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAPA 10
set transform-set T-SET
set isakmp-profile customerA
match address 101
!
crypto map VPNA 10 ipsec-isakmp dynamic DYNMAPA
!
!
interface Loopback1
ip vrf forwarding customerA
ip address 192.168.100.1 255.255.255.0
!        
interface FastEthernet1/0
no ip address
!
interface FastEthernet1/0.10
description Connected to Customer A
encapsulation dot1Q 10
ip vrf forwarding customerA
ip address 10.10.1.1 255.255.255.252
crypto map VPNA
!
ip route vrf customerA 0.0.0.0 0.0.0.0 10.10.1.2
ip route vrf customerB 0.0.0.0 0.0.0.0 10.10.2.2
!
access-list 101 remark **Site-to-site VPN for Customer A & B**
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
!

spokeA#ping 192.168.100.1 source loopback0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/245/300 ms
spokeA#

hub#sh crypto session
Crypto session current status

Interface: FastEthernet1/0.10
Profile: customerA
Session status: UP-ACTIVE    
Peer: 11.11.1.2 port 500
  IKEv1 SA: local 10.10.1.1/500 remote 11.11.1.2/500 Active
  IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map
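To make Marcin's point checkable on a pasted running-config, here is an added Python audit (not from this thread, not Cisco's own tooling) that walks interface -> crypto map -> dynamic map -> ISAKMP profile and flags a `match identity address` line that does not end with the interface's front VRF. It assumes IOS's one-space indentation of sub-commands, and embeds a constructed excerpt of the hub config in the originally posted form and in Bastien's corrected form.

```python
# Constructed excerpt of the hub config (indentation as IOS prints it).
COMMON = """\
interface FastEthernet0.10
 ip vrf forwarding customerA
 crypto map VPNA
!
crypto dynamic-map DYNMAPA 10
 set isakmp-profile customerA
crypto map VPNA 10 ipsec-isakmp dynamic DYNMAPA
crypto isakmp profile customerA
 vrf customerA
 keyring customerA-vpn
"""
HUB_BEFORE = COMMON + " match identity address 0.0.0.0\n"  # as posted, no fvrf
HUB_AFTER = COMMON + " match identity address 11.11.1.0 255.255.255.0 customerA\n"  # fixed

def parse_blocks(config):
    """Group a running-config into (header, [sub-commands]) by IOS indentation."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        elif not line[0].isspace():
            blocks.append((line.strip(), []))
    return blocks

def audit_fvrf(config):
    """Report profile 'match identity address' lines lacking the interface's front VRF."""
    profiles, dynmaps, cmaps, findings = {}, {}, {}, []
    blocks = parse_blocks(config)
    for hdr, body in blocks:  # index profiles, dynamic maps and crypto maps
        w = hdr.split()
        if hdr.startswith("crypto isakmp profile "):
            profiles[w[3]] = body
        elif hdr.startswith("crypto dynamic-map "):
            dynmaps.setdefault(w[2], []).extend(s.split()[2] for s in body if s.startswith("set isakmp-profile "))
        elif hdr.startswith("crypto map ") and "dynamic" in w:
            cmaps.setdefault(w[2], []).append(w[-1])
    for hdr, body in blocks:  # every VRF interface that carries a crypto map
        fvrf = next((s.split()[3] for s in body if s.startswith("ip vrf forwarding ")), None)
        cmap = next((s.split()[2] for s in body if s.startswith("crypto map ")), None)
        if not hdr.startswith("interface ") or fvrf is None or cmap is None:
            continue
        for prof in (p for dm in cmaps.get(cmap, []) for p in dynmaps.get(dm, [])):
            for s in profiles.get(prof, []):
                # IOS syntax: match identity address A.B.C.D [mask] [fvrf]
                if s.startswith("match identity address ") and s.split()[-1] != fvrf:
                    findings.append(f"{hdr}: profile {prof}: '{s}' lacks fvrf {fvrf}")
    return findings
```

Run it over a whole hub running-config to catch the same omission on any other customer VRF before a spoke with a DHCP address is brought up.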

Bastien and Marcin,

Thank you very much for your advice. It is working with that modification you mentioned.

Now I am trying to move to the next step by using a host name instead of the peer IP address, like below.

crypto keyring customerA-vpn vrf customerA
  pre-shared-key hostname HOSTA   key VPN

----and

crypto isakmp profile customerA
   vrf customerA
   keyring customerA-vpn
   match identity host HOSTA customerA

Looking forward to consulting you if I find any trouble there.

Thank you

Hello Manoj,

Glad that helped.


If your issue is resolved, please mark the thread as answered and/or rate the useful posts