08-29-2021 03:34 AM - edited 08-29-2021 06:35 AM
Hi,
I'm building a VRF-aware IPsec with SVTI through a BGP network.
I followed some example configs like:
https://integratingit.wordpress.com/2021/05/01/ikev2-vrf-aware-crypto-map-vpn/
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/214938-configuring-ikev2-vrf-aware-svti.html
http://www.amolak.net/vrf-aware-ipsec-vpn-part-1/
Here is my question:
Why is there no traffic through the tunnel?
I can't ping the tunnel interfaces, or from the VRF source through the tunnel!
BGP routing is working!
The tunnel seems to be up!
Please help.
kind regards
Alex
Lab Config:
R1 --- R2 --- R3
VRF --- BGP --- VRF
Tu1 --- BGP --- Tu1
=================================== R1 ===================================
R1#sh run
Building configuration...
Current configuration : 2984 bytes
!
! Last configuration change at 11:53:05 CET Sun Aug 29 2021
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
vrf definition DFN-L3VPN
rd 2:1
route-target export 2:1
route-target import 2:1
!
address-family ipv4
exit-address-family
!
vrf definition Sprache-AST
rd 20:1
route-target export 20:1
route-target import 20:1
!
address-family ipv4
exit-address-family
!
!
no aaa new-model
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
ip vrf DFN-X
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip vrf Daten-AST
rd 10:1
route-target export 10:1
route-target import 10:1
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
crypto ikev2 proposal PROP1
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy POLICY_IKEV2
match fvrf DFN-L3VPN
match address local 188.100.1.2
proposal PROP1
!
crypto ikev2 keyring KEYRING1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
!
!
crypto ikev2 profile IKEv2-PROF1
match fvrf DFN-L3VPN
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local KEYRING1
ivrf Sprache-AST
!
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-PROF1
set transform-set TS1
set ikev2-profile IKEv2-PROF1
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel1
vrf forwarding Sprache-AST
ip address 172.27.1.5 255.255.255.252
tunnel source 188.100.1.2
tunnel destination 188.100.3.2
tunnel key 777
tunnel vrf DFN-L3VPN
tunnel protection ipsec profile IPSEC-PROF1
!
interface Ethernet0/0
ip vrf forwarding DFN-X
ip address 188.0.1.2 255.255.255.252
!
interface Ethernet0/0.101
encapsulation dot1Q 101
vrf forwarding DFN-L3VPN
ip address 188.100.1.2 255.255.255.252
!
interface Ethernet0/1
ip vrf forwarding Daten-AST
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
vrf forwarding Sprache-AST
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/3
no ip address
!
router bgp 65501
bgp router-id 3.3.3.3
bgp log-neighbor-changes
!
address-family ipv4 vrf DFN-L3VPN
bgp router-id 1.1.1.1
network 172.27.1.4 mask 255.255.255.252
neighbor 188.100.1.1 remote-as 680
neighbor 188.100.1.1 activate
exit-address-family
!
address-family ipv4 vrf DFN-X
bgp router-id 1.1.1.1
neighbor 188.0.1.1 remote-as 680
neighbor 188.0.1.1 activate
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route vrf DFN-L3VPN 0.0.0.0 0.0.0.0 188.100.1.1
ip route vrf Sprache-AST 192.168.33.0 255.255.255.0 Tunnel1
!
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input all
!
!
end
R1#sh crypto sess
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 188.100.3.2 port 500
IKEv2 SA: local 188.100.1.2/500 remote 188.100.3.2/500 Active
IPSEC FLOW: permit 47 host 188.100.1.2 host 188.100.3.2
Active SAs: 2, origin: crypto map
R1#
Routing Table: DFN-L3VPN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
188.0.0.0/30 is subnetted, 2 subnets
B 188.0.1.0 [20/0] via 188.100.1.1, 1d00h
B 188.0.3.0 [20/0] via 188.100.1.1, 1d00h
188.100.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 188.100.1.0/30 is directly connected, Ethernet0/0.101
L 188.100.1.2/32 is directly connected, Ethernet0/0.101
B 188.100.3.0/30 [20/0] via 188.100.1.1, 1d00h
R1#
R1#sh cry ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 188.100.1.2/500 188.100.3.2/500 DFN-L3VPN/Sprache- READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1709 sec
IPv6 Crypto IKEv2 SA
R1#
=================================== R1END ===================================
=================================== R2 ===================================
R2#sh run
Building configuration...
Current configuration : 1444 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Ethernet0/0
no ip address
!
interface Ethernet0/1
ip address 188.0.1.1 255.255.255.252
!
interface Ethernet0/1.101
encapsulation dot1Q 101
ip address 188.100.1.1 255.255.255.252
!
interface Ethernet0/2
no ip address
!
interface Ethernet0/3
ip address 188.0.3.1 255.255.255.252
!
interface Ethernet0/3.101
encapsulation dot1Q 101
ip address 188.100.3.1 255.255.255.252
!
router bgp 680
bgp router-id 2.2.2.2
bgp log-neighbor-changes
network 188.0.1.0 mask 255.255.255.252
network 188.0.3.0 mask 255.255.255.252
network 188.100.1.0 mask 255.255.255.252
network 188.100.3.0 mask 255.255.255.252
neighbor 188.0.1.2 remote-as 65501
neighbor 188.0.3.2 remote-as 65502
neighbor 188.100.1.2 remote-as 65501
neighbor 188.100.3.2 remote-as 65502
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input all
!
!
end
=================================== R2 END ===================================
=================================== R3 ===================================
R3#sh run
Building configuration...
Current configuration : 3032 bytes
!
! Last configuration change at 11:43:41 CET Sun Aug 29 2021
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
vrf definition DFN-L3VPN
rd 2:1
route-target export 2:1
route-target import 2:1
!
address-family ipv4
exit-address-family
!
vrf definition Sprache-AST
rd 20:1
route-target export 20:1
route-target import 20:1
!
address-family ipv4
exit-address-family
!
!
no aaa new-model
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
ip vrf DFN-X
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip vrf Daten-AST
rd 10:1
route-target export 10:1
route-target import 10:1
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
crypto ikev2 proposal PROP1
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy POLICY_IKEV2
match fvrf DFN-L3VPN
match address local 188.100.3.2
proposal PROP1
!
crypto ikev2 keyring KEYRING1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
!
!
crypto ikev2 profile IKEv2-PROF1
match fvrf DFN-L3VPN
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local KEYRING1
ivrf Sprache-AST
!
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC-PROF1
set transform-set TS1
set ikev2-profile IKEv2-PROF1
!
!
!
crypto map CMAP 1 ipsec-isakmp
! Incomplete
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Tunnel1
vrf forwarding Sprache-AST
ip address 172.27.1.6 255.255.255.252
tunnel source 188.100.3.2
tunnel destination 188.100.1.2
tunnel key 777
tunnel vrf DFN-L3VPN
tunnel protection ipsec profile IPSEC-PROF1
!
interface Ethernet0/0
ip vrf forwarding DFN-X
ip address 188.0.3.2 255.255.255.252
!
interface Ethernet0/0.101
encapsulation dot1Q 101
vrf forwarding DFN-L3VPN
ip address 188.100.3.2 255.255.255.252
!
interface Ethernet0/1
ip vrf forwarding Daten-AST
ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/2
vrf forwarding Sprache-AST
ip address 192.168.33.1 255.255.255.0
!
interface Ethernet0/3
no ip address
!
router bgp 65502
bgp router-id 3.3.3.3
bgp log-neighbor-changes
!
address-family ipv4 vrf DFN-L3VPN
bgp router-id 3.3.3.3
network 172.27.1.6 mask 255.255.255.255
neighbor 188.100.3.1 remote-as 680
neighbor 188.100.3.1 activate
exit-address-family
!
address-family ipv4 vrf DFN-X
bgp router-id 3.3.3.3
neighbor 188.0.3.1 remote-as 680
neighbor 188.0.3.1 activate
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route vrf DFN-L3VPN 0.0.0.0 0.0.0.0 188.100.3.1
ip route vrf Sprache-AST 192.168.11.0 255.255.255.0 Tunnel1
!
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input all
!
!
end
R3#sh ip route vrf DFN-L3VPN
Routing Table: DFN-L3VPN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
188.0.0.0/30 is subnetted, 2 subnets
B 188.0.1.0 [20/0] via 188.100.3.1, 1d01h
B 188.0.3.0 [20/0] via 188.100.3.1, 1d01h
188.100.0.0/16 is variably subnetted, 3 subnets, 2 masks
B 188.100.1.0/30 [20/0] via 188.100.3.1, 1d01h
C 188.100.3.0/30 is directly connected, Ethernet0/0.101
L 188.100.3.2/32 is directly connected, Ethernet0/0.101
R3#
R3#sh crypto ses
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 188.100.1.2 port 500
IKEv2 SA: local 188.100.3.2/500 remote 188.100.1.2/500 Active
IPSEC FLOW: permit 47 host 188.100.3.2 host 188.100.1.2
Active SAs: 2, origin: crypto map
R3#sh cr
R3#sh cry
R3#sh crypto ik
R3#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 188.100.3.2/500 188.100.1.2/500 DFN-L3VPN/Sprache- READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1664 sec
IPv6 Crypto IKEv2 SA
R3#
=================================== R3 END ===================================
08-29-2021 08:52 AM
You don't need to specify ivrf Sprache-AST under the IKEv2 profile when using a tunnel interface. Remove from both router configuration and bounce the tunnels. If still a problem please provide the output of "show crypto ipsec sa" from both routers.
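The mistake the reply points at (an `ivrf` statement left in an IKEv2 profile that protects an SVTI whose `vrf forwarding` already names the inside VRF) is easy to catch before a config reaches a device. Below is an added Python lint written for this thread; it is not code from the poster, from the reply, or from Cisco. It parses a running-config the way IOS prints it, follows `tunnel protection ipsec profile` to the IPsec profile and on to the IKEv2 profile, and flags an `ivrf` line there. As a second, more general check it also reports a `match fvrf` that disagrees with the interface's `tunnel vrf` (the IKEv2 profile is selected by front-door VRF, so the two must agree or the profile is never picked). The sample input is a constructed, abridged copy of R1's stanzas from the thread with the indentation that the forum stripped restored; the function and variable names are this example's own.

```python
"""Lint an IOS running-config for SVTI + IKEv2 VRF mistakes (added example)."""
from typing import Dict, List, Optional

# Constructed sample: abridged R1 stanzas from the thread, indentation
# restored, with the 'ivrf' line still present as the poster had it.
SAMPLE_CONFIG = """\
crypto ikev2 profile IKEv2-PROF1
 match fvrf DFN-L3VPN
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING1
 ivrf Sprache-AST
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF1
 set transform-set TS1
 set ikev2-profile IKEv2-PROF1
!
interface Tunnel1
 vrf forwarding Sprache-AST
 ip address 172.27.1.5 255.255.255.252
 tunnel source 188.100.1.2
 tunnel destination 188.100.3.2
 tunnel vrf DFN-L3VPN
 tunnel protection ipsec profile IPSEC-PROF1
!
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group a config into {top-level command: [its indented sub-commands]}.
    A '!' separator or the next flush-left line ends the current section."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def find_child(children: List[str], prefix: str) -> Optional[str]:
    """Return the argument of the first sub-command starting with prefix."""
    for child in children:
        if child == prefix or child.startswith(prefix + " "):
            return child[len(prefix):].strip()
    return None


def lint_svti_vrf(config: str) -> List[str]:
    """Return one finding per VRF-related inconsistency on protected tunnels."""
    sections = parse_sections(config)
    ipsec_profiles = {h.split()[-1]: kids for h, kids in sections.items()
                      if h.startswith("crypto ipsec profile ")}
    ikev2_profiles = {h.split()[-1]: kids for h, kids in sections.items()
                      if h.startswith("crypto ikev2 profile ")}
    findings: List[str] = []
    for header, kids in sections.items():
        if not header.startswith("interface Tunnel"):
            continue
        ifname = header.split()[1]
        protection = find_child(kids, "tunnel protection ipsec profile")
        if protection is None:
            continue  # plain GRE, no IPsec to check
        ipsec_name = protection.split()[0]  # drop a trailing 'shared'
        tunnel_vrf = find_child(kids, "tunnel vrf")  # None means global table
        ipsec = ipsec_profiles.get(ipsec_name)
        if ipsec is None:
            findings.append(f"{ifname}: ipsec profile {ipsec_name} is not defined")
            continue
        ikev2_name = find_child(ipsec, "set ikev2-profile")
        if ikev2_name is None or ikev2_name not in ikev2_profiles:
            findings.append(f"{ifname}: {ipsec_name} has no usable ikev2-profile")
            continue
        ikev2 = ikev2_profiles[ikev2_name]
        # Check 1: the thread's bug. On an SVTI the inside VRF comes from the
        # interface's 'vrf forwarding'; an 'ivrf' in the profile is redundant
        # at best and broke forwarding in the poster's lab.
        ivrf = find_child(ikev2, "ivrf")
        if ivrf is not None:
            findings.append(f"{ifname}: ikev2 profile {ikev2_name} sets "
                            f"'ivrf {ivrf}'; remove it, the tunnel's 'vrf forwarding' "
                            f"already defines the inside VRF")
        # Check 2: the profile is chosen by front-door VRF, so an explicit
        # 'match fvrf' must name the same VRF as 'tunnel vrf' (or be 'any').
        fvrf = find_child(ikev2, "match fvrf")
        if fvrf is not None and fvrf != "any" and fvrf != (tunnel_vrf or ""):
            findings.append(f"{ifname}: 'tunnel vrf {tunnel_vrf or '<global>'}' "
                            f"but {ikev2_name} has 'match fvrf {fvrf}'")
    return findings


if __name__ == "__main__":
    for finding in lint_svti_vrf(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample as posted it reports the single `ivrf` finding; with that line deleted (the accepted fix) it is silent, because R1's `match fvrf DFN-L3VPN` and `tunnel vrf DFN-L3VPN` already agree.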
08-29-2021 02:06 PM
08-30-2021 03:44 PM
Good Jobs