VRF aware IPsec with SVTI

alex.f.
Level 1

Hi,

I'm building a VRF-aware IPsec with SVTI through a BGP network.
I followed some example configs like:
https://integratingit.wordpress.com/2021/05/01/ikev2-vrf-aware-crypto-map-vpn/
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/214938-configuring-ikev2-vrf-aware-svti.html
http://www.amolak.net/vrf-aware-ipsec-vpn-part-1/

Here is my question:
Why is there no traffic through the tunnel?

I can't ping the tunnel interfaces or from the VRF source through the tunnel!
BGP routing is working!
Tunnel seems to be up!


Please help.

Kind regards
Alex

Lab config:
R1 --- R2 --- R3
VRF --- BGP --- VRF
Tu1 --- BGP --- Tu1

=================================== R1 ===================================
R1#sh run
Building configuration...

Current configuration : 2984 bytes
!
! Last configuration change at 11:53:05 CET Sun Aug 29 2021
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
vrf definition DFN-L3VPN
 rd 2:1
 route-target export 2:1
 route-target import 2:1
 !
 address-family ipv4
 exit-address-family
!
vrf definition Sprache-AST
 rd 20:1
 route-target export 20:1
 route-target import 20:1
 !
 address-family ipv4
 exit-address-family
!
!
no aaa new-model
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
ip vrf DFN-X
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf Daten-AST
 rd 10:1
 route-target export 10:1
 route-target import 10:1
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!         

!
crypto ikev2 proposal PROP1 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy POLICY_IKEV2 
 match fvrf DFN-L3VPN
 match address local 188.100.1.2
 proposal PROP1
!
crypto ikev2 keyring KEYRING1
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
 !
!
!
crypto ikev2 profile IKEv2-PROF1
 match fvrf DFN-L3VPN
 match identity remote address 0.0.0.0 
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING1
 ivrf Sprache-AST
!
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac 
 mode transport
!
crypto ipsec profile IPSEC-PROF1
 set transform-set TS1 
 set ikev2-profile IKEv2-PROF1
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel1
 vrf forwarding Sprache-AST
 ip address 172.27.1.5 255.255.255.252
 tunnel source 188.100.1.2
 tunnel destination 188.100.3.2
 tunnel key 777
 tunnel vrf DFN-L3VPN
 tunnel protection ipsec profile IPSEC-PROF1
!
interface Ethernet0/0
 ip vrf forwarding DFN-X
 ip address 188.0.1.2 255.255.255.252
!
interface Ethernet0/0.101
 encapsulation dot1Q 101
 vrf forwarding DFN-L3VPN
 ip address 188.100.1.2 255.255.255.252
!
interface Ethernet0/1
 ip vrf forwarding Daten-AST
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 vrf forwarding Sprache-AST
 ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/3
 no ip address
!
router bgp 65501
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf DFN-L3VPN
  bgp router-id 1.1.1.1
  network 172.27.1.4 mask 255.255.255.252
  neighbor 188.100.1.1 remote-as 680
  neighbor 188.100.1.1 activate
 exit-address-family
 !
 address-family ipv4 vrf DFN-X
  bgp router-id 1.1.1.1
  neighbor 188.0.1.1 remote-as 680
  neighbor 188.0.1.1 activate
 exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route vrf DFN-L3VPN 0.0.0.0 0.0.0.0 188.100.1.1
ip route vrf Sprache-AST 192.168.33.0 255.255.255.0 Tunnel1
!
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login    
 transport input all
!
!
end

R1#sh crypto sess
Crypto session current status

Interface: Tunnel1
Session status: UP-ACTIVE     
Peer: 188.100.3.2 port 500 
  IKEv2 SA: local 188.100.1.2/500 remote 188.100.3.2/500 Active 
  IPSEC FLOW: permit 47 host 188.100.1.2 host 188.100.3.2 
        Active SAs: 2, origin: crypto map

R1#


Routing Table: DFN-L3VPN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      188.0.0.0/30 is subnetted, 2 subnets
B        188.0.1.0 [20/0] via 188.100.1.1, 1d00h
B        188.0.3.0 [20/0] via 188.100.1.1, 1d00h
      188.100.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        188.100.1.0/30 is directly connected, Ethernet0/0.101
L        188.100.1.2/32 is directly connected, Ethernet0/0.101
B        188.100.3.0/30 [20/0] via 188.100.1.1, 1d00h
R1#

R1#sh cry ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         188.100.1.2/500       188.100.3.2/500       DFN-L3VPN/Sprache-   READY  
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1709 sec

 IPv6 Crypto IKEv2  SA 

R1#

=================================== R1END ===================================

=================================== R2 ===================================

R2#sh run
Building configuration...

Current configuration : 1444 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!         
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!

!
!
!         
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/1
 ip address 188.0.1.1 255.255.255.252
!
interface Ethernet0/1.101
 encapsulation dot1Q 101
 ip address 188.100.1.1 255.255.255.252
!
interface Ethernet0/2
 no ip address
!
interface Ethernet0/3
 ip address 188.0.3.1 255.255.255.252
!
interface Ethernet0/3.101
 encapsulation dot1Q 101
 ip address 188.100.3.1 255.255.255.252
!
router bgp 680
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 network 188.0.1.0 mask 255.255.255.252
 network 188.0.3.0 mask 255.255.255.252
 network 188.100.1.0 mask 255.255.255.252
 network 188.100.3.0 mask 255.255.255.252
 neighbor 188.0.1.2 remote-as 65501
 neighbor 188.0.3.2 remote-as 65502
 neighbor 188.100.1.2 remote-as 65501
 neighbor 188.100.3.2 remote-as 65502
!
ip forward-protocol nd
!
!         
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input all
!
!
end       

=================================== R2 END ===================================

=================================== R3 ===================================
R3#sh run
Building configuration...

Current configuration : 3032 bytes
!
! Last configuration change at 11:43:41 CET Sun Aug 29 2021
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
vrf definition DFN-L3VPN
 rd 2:1
 route-target export 2:1
 route-target import 2:1
 !
 address-family ipv4
 exit-address-family
!
vrf definition Sprache-AST
 rd 20:1
 route-target export 20:1
 route-target import 20:1
 !
 address-family ipv4
 exit-address-family
!
!
no aaa new-model
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
ip vrf DFN-X
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf Daten-AST
 rd 10:1
 route-target export 10:1
 route-target import 10:1
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!         

!
crypto ikev2 proposal PROP1 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy POLICY_IKEV2 
 match fvrf DFN-L3VPN
 match address local 188.100.3.2
 proposal PROP1
!
crypto ikev2 keyring KEYRING1
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
 !
!
!
crypto ikev2 profile IKEv2-PROF1
 match fvrf DFN-L3VPN
 match identity remote address 0.0.0.0 
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING1
 ivrf Sprache-AST
!
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac 
 mode transport
!
crypto ipsec profile IPSEC-PROF1
 set transform-set TS1 
 set ikev2-profile IKEv2-PROF1
!
!
!
crypto map CMAP 1 ipsec-isakmp 
 ! Incomplete
!
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Tunnel1
 vrf forwarding Sprache-AST
 ip address 172.27.1.6 255.255.255.252
 tunnel source 188.100.3.2
 tunnel destination 188.100.1.2
 tunnel key 777
 tunnel vrf DFN-L3VPN
 tunnel protection ipsec profile IPSEC-PROF1
!
interface Ethernet0/0
 ip vrf forwarding DFN-X
 ip address 188.0.3.2 255.255.255.252
!
interface Ethernet0/0.101
 encapsulation dot1Q 101
 vrf forwarding DFN-L3VPN
 ip address 188.100.3.2 255.255.255.252
!
interface Ethernet0/1
 ip vrf forwarding Daten-AST
 ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/2
 vrf forwarding Sprache-AST
 ip address 192.168.33.1 255.255.255.0
!
interface Ethernet0/3
 no ip address
!
router bgp 65502
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf DFN-L3VPN
  bgp router-id 3.3.3.3
  network 172.27.1.6 mask 255.255.255.255
  neighbor 188.100.3.1 remote-as 680
  neighbor 188.100.3.1 activate
 exit-address-family
 !
 address-family ipv4 vrf DFN-X
  bgp router-id 3.3.3.3
  neighbor 188.0.3.1 remote-as 680
  neighbor 188.0.3.1 activate
 exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route vrf DFN-L3VPN 0.0.0.0 0.0.0.0 188.100.3.1
ip route vrf Sprache-AST 192.168.11.0 255.255.255.0 Tunnel1
!
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input all
!
!
end


R3#sh ip route vrf DFN-L3VPN

Routing Table: DFN-L3VPN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      188.0.0.0/30 is subnetted, 2 subnets
B        188.0.1.0 [20/0] via 188.100.3.1, 1d01h
B        188.0.3.0 [20/0] via 188.100.3.1, 1d01h
      188.100.0.0/16 is variably subnetted, 3 subnets, 2 masks
B        188.100.1.0/30 [20/0] via 188.100.3.1, 1d01h
C        188.100.3.0/30 is directly connected, Ethernet0/0.101
L        188.100.3.2/32 is directly connected, Ethernet0/0.101
R3#

R3#sh crypto ses
Crypto session current status

Interface: Tunnel1
Session status: UP-ACTIVE     
Peer: 188.100.1.2 port 500 
  IKEv2 SA: local 188.100.3.2/500 remote 188.100.1.2/500 Active 
  IPSEC FLOW: permit 47 host 188.100.3.2 host 188.100.1.2 
        Active SAs: 2, origin: crypto map

R3#sh cr
R3#sh cry
R3#sh crypto ik
R3#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         188.100.3.2/500       188.100.1.2/500       DFN-L3VPN/Sprache-   READY  
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1664 sec

 IPv6 Crypto IKEv2  SA 

R3#
=================================== R3 END ===================================

Accepted Solution

@alex.f. 

You don't need to specify ivrf Sprache-AST under the IKEv2 profile when using a tunnel interface. Remove it from both router configurations and bounce the tunnels. If it is still a problem, please provide the output of "show crypto ipsec sa" from both routers.

3 Replies

Hi Rob,

Now it works.

Thank you.

Yes, you are right.

I removed the ivrf under the IKEv2 profile and added "tunnel mode ipsec ipv4" on Tu1.

You can find the config for R1 and R3 in the download section.
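The corrected R1 crypto and tunnel section, written out here as an added example (it is not the download attached to the thread and not Cisco's own example). It applies the two changes the accepted solution and the follow-up describe: no `ivrf` under the IKEv2 profile, and `tunnel mode ipsec ipv4` on Tunnel1. Addresses, VRF names and the pre-shared key are the lab values from the posted configs; R3 mirrors this with source and destination swapped and its own 172.27.1.6 tunnel address. Two further points are assumptions of this example rather than part of the fix: `tunnel key 777` is left out because it is a GRE option and has no meaning once the tunnel runs in ipsec ipv4 mode, and the keyring peer plus `match identity remote address` are scoped to the real peer 188.100.3.2 instead of the lab's 0.0.0.0 wildcard, so the profile only ever authenticates that one peer.

```cisco
! R1 -- corrected crypto and tunnel section (added example, lab values from the thread)
!
crypto ikev2 proposal PROP1
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy POLICY_IKEV2
 match fvrf DFN-L3VPN
 match address local 188.100.1.2
 proposal PROP1
!
! Keyring scoped to the single expected peer (hardening choice, not in the thread)
crypto ikev2 keyring KEYRING1
 peer R3
  address 188.100.3.2
  pre-shared-key cisco123
 !
!
! No "ivrf" line here: with an SVTI the inside VRF is taken from the
! tunnel interface's "vrf forwarding", which is what the accepted solution fixes.
crypto ikev2 profile IKEv2-PROF1
 match fvrf DFN-L3VPN
 match identity remote address 188.100.3.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING1
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF1
 set transform-set TS1
 set ikev2-profile IKEv2-PROF1
!
! SVTI: inside traffic lives in Sprache-AST, the encrypted transport in DFN-L3VPN
interface Tunnel1
 vrf forwarding Sprache-AST
 ip address 172.27.1.5 255.255.255.252
 tunnel source 188.100.1.2
 tunnel destination 188.100.3.2
 tunnel mode ipsec ipv4
 tunnel vrf DFN-L3VPN
 tunnel protection ipsec profile IPSEC-PROF1
!
! Remote inside subnet via the tunnel (inside VRF), peer reachability via BGP/default (front VRF)
ip route vrf Sprache-AST 192.168.33.0 255.255.255.0 Tunnel1
ip route vrf DFN-L3VPN 0.0.0.0 0.0.0.0 188.100.1.1
!
! Verification from exec mode after bouncing the tunnel:
!   show crypto ikev2 sa        -> fvrf/ivrf column reads DFN-L3VPN/Sprache-AST
!   show crypto ipsec sa        -> #pkts encaps/decaps counters increase while pinging
!   ping vrf Sprache-AST 172.27.1.6
!   ping vrf Sprache-AST 192.168.33.1 source 192.168.11.1
```

The `ping vrf Sprache-AST` checks are the ones that were failing in the original post; the `show crypto ipsec sa` counters are what the accepted solution asks for, and they distinguish "IKE is up but nothing is encrypted" (encaps stays at zero) from a return-path problem (encaps increases, decaps does not).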

Good job
