11-30-2005 02:04 PM - edited 02-21-2020 02:08 PM
Hi,
Anyone familiar with VRF-aware IPsec?
I am trying to establish two tunnels to two sites that have overlapping IP addresses. I want to configure all the NATing on the hub router.
I used the following guide, but all this is new to me...
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part17/ch10/h_vrfip.htm
In my example, Site1 is translated to the subnet 172.30.4.0/24.
                        (1.1.1.1)PIX-Site1====10.10.4.0/24
                       /
2.2.2.0/24====ROUTER(1.1.1.3)=====
                       \
                        (1.1.1.2)PIX-Site2====10.10.4.0/24
My first tests were with no VRF and just one site, with a standard config, and it worked well. But after adding the VRF part the crypto map is no longer triggered.
I have debug crypto engine enabled on the router and nothing happens.
Here is part of my router's configuration. Any help would be appreciated.
ip vrf site1
rd 101:1
route-target export 101:1
route-target import 101:1
!
ip vrf site2
rd 102:1
route-target export 102:1
route-target import 102:1
!
ip cef
!
!
!
crypto keyring site1 vrf site1
pre-shared-key address 1.1.1.1 key vpnidsite1
crypto keyring site2 vrf site2
pre-shared-key address 1.1.1.2 key vpnidsite2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile site1
vrf site1
keyring site1
match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile site2
vrf site2
keyring site2
match identity address 1.1.1.2 255.255.255.255
!
!
crypto ipsec transform-set 3des-sha ah-sha-hmac esp-3des
!
crypto map crymap 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set 3des-sha
set pfs group2
set isakmp-profile site1
match address 2001
crypto map crymap 2 ipsec-isakmp
set peer 1.1.1.2
set transform-set 3des-sha
set pfs group2
set isakmp-profile site2
match address 2002
!
!
!
interface Ethernet0
ip address 2.x.x.x.x.255.0
ip nat inside
!
interface Ethernet1
ip address 1.1.1.3 255.255.255.0
ip nat outside
crypto map crymap
!
ip nat outside source static network 10.10.4.0 172.30.4.0 /24 vrf site1
ip nat outside source static network 10.10.4.0 172.30.5.0 /24 vrf site2
ip route 0.0.0.0 0.0.0.0 1.1.1.10
ip route vrf site1 10.10.4.0 255.255.255.0 1.1.1.1 global
ip route vrf site2 10.10.4.0 255.255.255.0 1.1.1.2 global
!
access-list 2001 permit ip 2.2.2.0 0.0.0.255 10.10.4.0 0.0.0.255 log
access-list 2002 permit ip 2.2.2.0 0.0.0.255 10.10.4.0 0.0.0.255
12-06-2005 01:28 PM
If you have a limited number of registered IP addresses and you cannot use PAT, you can configure PIX Firewall to use NAT for connections to the public Internet, but avoid NAT for traffic between the two intranets. This configuration might also be useful if you were replacing a direct, leased-line connection between two intranets.
02-28-2006 12:46 PM
Hi
I am having a similar situation:
a hub router and 2 spoke routers with overlapping LAN IP address ranges.
(The config looks very similar to yours; I am using route-maps to get the different local hosts into the different VRFs.)
My key issue is that I need to do NAT on the hub router: I need to translate the hosts on the local hub LAN into IP addresses defined by the administrators of the different spoke LANs.
I have no idea how to get the traffic NATed properly (after the route-map, before IPsec).
If you have any idea, or if you've solved the problem, please let me know.
Best Regards
Jarle Steffensen
03-01-2006 01:50 PM
Unfortunately, I never got it to work. I am still working with NAT at the spokes for now. But I could not make it work in the lab, even with non-overlapping subnets. It's more the VRF stuff that I don't understand well enough. If you have a working VRF-aware IPsec config without NAT, can you post it? I could start from there and do NAT tests on my side also.
Thanks
03-16-2006 01:49 AM
Hi Mike
Here is a working configuration
(first without and then with NAT):
VRF Router:
ip vrf VRF1
rd 1:101
route-target both 1:101
ip vrf VRF2
rd 2:101
route-target both 2:101
crypto keyring VRFKR1
descr Repository of ISAKMP preshared keys for VRF1
pre-shared-key address 172.16.1.2 key SecretKey
crypto keyring VRFKR2
descr Repository of ISAKMP preshared keys for VRF2
pre-shared-key address 172.16.1.3 key VerySecretKey
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 14400
crypto isakmp profile ISAKMP-VRF1
vrf VRF1
match identity address 172.16.1.2 255.255.255.255
keyring VRFKR1
crypto isakmp profile ISAKMP-VRF2
vrf VRF2
match identity address 172.16.1.3 255.255.255.255
keyring VRFKR2
crypto ipsec nat-transparency udp-encapsulation
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map IPSEC 10 ipsec-isakmp
set peer 172.16.1.2
set transform-set ESP-3DES-MD5
set isakmp-profile ISAKMP-VRF1
match address 2001
crypto map IPSEC 11 ipsec-isakmp
set peer 172.16.1.3
set transform-set ESP-3DES-MD5
set isakmp-profile ISAKMP-VRF2
match address 2002
access-list 2001 permit ip 10.145.48.201 0.0.0.0 10.47.1.0 0.0.0.255
access-list 2002 permit ip 10.145.48.0 0.0.0.255 10.47.1.0 0.0.0.255
access-list 21 permit 10.145.48.201 0.0.0.0
access-list 22 permit 10.145.48.202 0.0.0.0
route-map VRF-Selection permit 10
match ip address 21
set vrf VRF1
route-map VRF-Selection permit 20
match ip address 22
set vrf VRF2
int g 0/1
crypto map IPSEC
ip address 172.16.2.2 255.255.255.0
interface gigabit 0/0
ip address 10.145.48.11 255.255.255.0
ip policy route-map VRF-Selection
ip vrf receive VRF1
ip vrf receive VRF2
ip route 172.16.1.0 255.255.255.0 172.16.2.1
ip route vrf VRF1 10.47.1.0 255.255.255.0 172.16.2.1 global
ip route vrf VRF2 10.47.1.0 255.255.255.0 172.16.2.1 global
Including NAT:
ip nat inside source static network 10.145.48.0 10.47.2.0 /24 vrf VRF1
ip nat inside source static network 10.145.48.0 10.47.3.0 /24 vrf VRF2
int g 0/0
ip nat inside
int g 0/1
ip nat outside
access-list 2001 permit ip 10.47.2.0 0.0.0.255 10.47.1.0 0.0.0.255
access-list 2002 permit ip 10.47.3.0 0.0.0.255 10.47.1.0 0.0.0.255
Router Remote Site A
host RouterA
int f 0/0
ip address 172.16.1.2 255.255.255.0
ip nat outside
int f 0/1
ip address 10.47.1.1 255.255.255.0
ip nat inside
enable password xxx
line vty 0 4
password xxx
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip nat inside source list 101 int fastEthernet 0/0
no access-list 101
access-list 101 deny ip 10.47.1.0 0.0.0.255 10.145.48.0 0.0.0.255
access-list 101 permit ip 10.47.1.0 0.0.0.255 any
crypto isakmp key SecretKey address 172.16.2.2
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 14400
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map IPSEC 10 ipsec-isakmp
set peer 172.16.2.2
set transform-set ESP-3DES-MD5
match address 191
access-list 191 permit ip 10.47.1.0 0.0.0.255 10.145.48.0 0.0.0.255
int f0/0
crypto map IPSEC
Including NAT:
no access-list 191
access-list 191 permit ip 10.47.1.0 0.0.0.255 10.47.2.0 0.0.0.255
no access-list 101
access-list 101 deny ip 10.47.1.0 0.0.0.255 10.47.2.0 0.0.0.255
access-list 101 permit ip 10.47.1.0 0.0.0.255 any
Have Fun
Jarle
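The two hub configurations in this thread have the same shape (a keyring and an ISAKMP profile per VRF, a crypto map entry per peer that names the profile and a crypto ACL), and the difference between the one that failed and the one that works is in how those pieces are wired together. Two things stand out in the first post when read against the VRF-aware IPsec feature guide it links: the vrf keyword on crypto keyring binds the keyring to a front-door VRF (the VRF the IKE packets arrive in), whereas the vrf inside an isakmp profile is the inside VRF, and the first post binds its keyrings to site1 and site2 while its crypto map sits on Ethernet1 in the global table (the working config later in the thread binds its keyrings to no FVRF, which is where its crypto-mapped interface lives); and access-list 2001 and 2002 there select identical traffic, so crypto map entry 1 matches first every time. The script below is an added example, not code from the thread or from Cisco: a small checker that parses those command families from a config and reports such wiring faults. HUB_CONFIG is a constructed sample modelled on the first post (same addresses and names, trimmed to the lines the checker reads); the parser only understands the commands shown in this thread, and the FVRF rule is the one from the feature guide.

```python
"""Cross-reference checker for the VRF-aware IPsec pieces of an IOS config.
Added example, not from the thread or Cisco: it reads keyring, ISAKMP profile, crypto
map, interface and access-list lines and reports wiring faults that stop a tunnel."""
TOP_LEVEL = ("crypto ", "ip ", "interface ", "int ", "access-list ", "route-map ", "!")


def parse(config):
    """Return (keyrings, profiles, crypto map entries, interfaces, acls)."""
    keyrings, profiles, maps, intfs, acls, block = {}, {}, [], [], {}, None  # block = open section
    for words in filter(None, map(str.split, config.splitlines())):  # skips blank lines
        line = " ".join(words)
        if line.startswith("crypto keyring "):
            block = keyrings.setdefault(words[2], {"fvrf": None, "keys": set()})
            if len(words) > 4 and words[3] == "vrf":
                block["fvrf"] = words[4]  # 'vrf' here names the front-door VRF the keyring serves
        elif line.startswith("crypto isakmp profile "):
            block = profiles.setdefault(words[3], {"keyring": None, "ids": set()})
        elif line.startswith("crypto map ") and "ipsec-isakmp" in words:
            maps.append(block := {"map": words[2], "seq": int(words[3]), "peer": None, "profile": None, "acl": None})
        elif words[0] in ("interface", "int"):
            intfs.append(block := {"intf": " ".join(words[1:]), "vrf": None, "map": None})
        elif line.startswith("access-list "):
            acls.setdefault(words[1], []).append(" ".join(w for w in words[2:] if w != "log"))
            block = None  # 'log' dropped so entries compare by the traffic they select
        elif block is not None and "intf" in block:
            if line.startswith("ip vrf forwarding "):
                block["vrf"] = words[3]  # the interface's VRF is the FVRF where IKE arrives
            elif line.startswith("crypto map "):
                block["map"] = words[2]  # crypto map applied on this interface
            elif line.startswith(TOP_LEVEL) and not line.startswith("ip "):
                block = None
        elif block is None or line.startswith(TOP_LEVEL):
            block = None
        elif words[:2] == ["pre-shared-key", "address"]:
            block["keys"].add(words[2])
        elif words[0] == "keyring":
            block["keyring"] = words[1]
        elif words[:3] == ["match", "identity", "address"]:
            block["ids"].add(words[3])
        elif words[:2] == ["set", "peer"]:
            block["peer"] = words[2]
        elif words[:2] == ["set", "isakmp-profile"]:
            block["profile"] = words[2]
        elif words[:2] == ["match", "address"]:
            block["acl"] = words[2]
    return keyrings, profiles, maps, intfs, acls


def check(config):
    """Return findings as strings; an empty list means the wiring is consistent."""
    keyrings, profiles, maps, intfs, acls = parse(config)
    findings = []
    for m in maps:
        tag = f"crypto map {m['map']} {m['seq']}"
        prof = profiles.get(m["profile"], {"keyring": None, "ids": set()})
        kr = keyrings.get(prof["keyring"], {"fvrf": None, "keys": set()})
        if m["peer"] not in prof["ids"]:
            findings.append(f"{tag}: peer {m['peer']} matches no identity in profile {m['profile']}")
        if m["peer"] not in kr["keys"]:
            findings.append(f"{tag}: keyring {prof['keyring']} has no pre-shared key for {m['peer']}")
        for intf in intfs:  # the keyring must serve the VRF of the interface carrying the map
            if intf["map"] == m["map"] and intf["vrf"] != kr["fvrf"]:
                findings.append(f"{tag}: keyring {prof['keyring']} is bound to FVRF "
                                f"{kr['fvrf'] or 'global'} but {intf['intf']} is in {intf['vrf'] or 'global'}")
    for i, a in enumerate(maps):  # identical permit lines in one crypto map: the lower sequence always wins
        for b in maps[i + 1:]:
            if a["map"] == b["map"]:
                for entry in sorted(set(acls.get(a["acl"], [])) & set(acls.get(b["acl"], []))):
                    findings.append(f"crypto map {a['map']}: entries {a['seq']} and {b['seq']} both "
                                    f"select '{entry}'; only {min(a['seq'], b['seq'])} ever fires")
    return findings


# Constructed sample modelled on the first post: keyrings bound to FVRF site1/site2, the
# crypto map on an interface in the global table, and identical crypto ACLs 2001 and 2002.
HUB_CONFIG = """\
crypto keyring site1 vrf site1
 pre-shared-key address 1.1.1.1 key vpnidsite1
crypto keyring site2 vrf site2
 pre-shared-key address 1.1.1.2 key vpnidsite2
crypto isakmp profile site1
 keyring site1
 match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile site2
 keyring site2
 match identity address 1.1.1.2 255.255.255.255
crypto map crymap 1 ipsec-isakmp
 set peer 1.1.1.1
 set isakmp-profile site1
 match address 2001
crypto map crymap 2 ipsec-isakmp
 set peer 1.1.1.2
 set isakmp-profile site2
 match address 2002
interface Ethernet1
 crypto map crymap
access-list 2001 permit ip 2.2.2.0 0.0.0.255 10.10.4.0 0.0.0.255 log
access-list 2002 permit ip 2.2.2.0 0.0.0.255 10.10.4.0 0.0.0.255
"""
```

Calling check(HUB_CONFIG) reports one FVRF mismatch per crypto map entry and the overlap between ACLs 2001 and 2002; running it over the working configuration from the post above (keyrings without a vrf binding, distinct crypto ACLs per entry) returns no findings. It also catches a peer address that does not match the profile's identity or has no pre-shared key in the keyring, which is the other common reason a VRF-aware tunnel never comes up. The checker only knows the commands used in this thread, so run it as a sanity check on the wiring, not as a substitute for debug crypto isakmp on the router.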