09-26-2013 08:39 AM - edited 02-21-2020 07:11 PM
Hello,
In our environment we have a Zone based firewall on a Cisco ASR 1000 XE router, terminating normal IPsec VPN sessions on ZBF. The router has one outgoing physical interface (g0/0/0) connected to the ISP as outside interface and multiple interfaces on the Inside network on Port channels VLAN/VRF.
The remote access VPN (Easy VPN) is applied using crypto map configuration on the interface connected to ISP.
Now, there was also a requirement to provide IPSec termination on the same physical interface g0/0/0 to a different customer via a VRF aware Remote access. Two configuration templates were implemented with similar results. IPSec Tunnel comes up fine for the VRF profile but the tunnel cannot pass traffic. Ping from the IPsec client to an IP address on the Inside network times out and trace route shows that this gets dropped somewhere in the ISP cloud.
Configuration 1 - Crypto Dynamic Map
crypto isakmp policy 15
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration group admin-vpn
 key _____
 pool vpn-pool
 acl VPN-LIST
crypto isakmp client configuration group centralsTEMP-vpn
 key __________
 pool centrals vpn-pool
 acl VPN-LIST
crypto isakmp profile softclient
 match identity group admin-vpn
 client authentication list userauth
 isakmp authorization list groupauthor
 client configuration address respond
crypto isakmp profile centralsoftclient
 vrf Branch
 match identity group branch-vpn
 client authentication list userauth
 isakmp authorization list groupauthor
 client configuration address respond
crypto ipsec transform-set SECURITYSET esp-aes esp-md5-hmac
 mode tunnel
crypto ipsec transform-set branchtemp esp-aes esp-md5-hmac
 mode tunnel
crypto dynamic-map branchvpn 10
 set transform-set branchtemp
 set isakmp-profile centralsoftclient
 reverse-route
crypto dynamic-map vpnmap 10
 set transform-set SECURITYSET
 set isakmp-profile softclient
crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap ---> Normal VPN
crypto map vpnmap 20 ipsec-isakmp dynamic branchvpn --> IPSec Aware VPN
crypto map vpnmap
Configuration 2 - DVTI
crypto ipsec profile branchclient
 set transform-set branchtemp
crypto isakmp profile centralsoftclient
 vrf global
 match identity group centralsTEMP-vpn
 client authentication list userauth
 isakmp authorization list groupauthor
 client configuration address respond
 virtual-template 2
interface Virtual-Template2 type tunnel
 ip vrf forwarding branch
 ip unnumbered GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile branchclient
Please advise if there is any VPN related configuration issue or a Zone based firewall issue.
09-27-2013 03:42 AM
You are mixing the config a bit, plus the VT doesn't have zone membership applied.
When using an IKE profile with VT/Tunnel interfaces it's not necessary to point to the iVRF; the interface is doing that for you.
My suggestion is to enable logging for ZBF (it can be the global parameter-map) and check if you're actually processing those packets in ZBF.
Open up a TAC case, the folks there will help you with the detail.
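As an added illustration of the mixing described in the reply above (this is not code from the thread, from Cisco, or from the poster), the Python script below parses a condensed copy of the DVTI configuration and flags the three inconsistencies: a Virtual-Template with no zone membership, an ISAKMP profile whose `vrf` disagrees with the template's own `ip vrf forwarding`, and a `match identity group` that names a client group the config never defines. The sample config and the function names are my own constructions.

```python
import re

# Constructed sample, condensed from the thread's DVTI post (key/pool/ACL lines omitted).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group centralsTEMP-vpn
 pool centrals-vpn-pool
crypto isakmp profile centralsoftclient
 vrf global
 match identity group branch-vpn
 virtual-template 2
interface Virtual-Template2 type tunnel
 ip vrf forwarding branch
"""

def parse_blocks(text):
    """Split IOS config text into (command, [sub-commands]); sub-commands are indented."""
    blocks = []
    for line in filter(str.strip, text.splitlines()):
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def lint_vrf_aware_ipsec(text):
    """Return findings for the three config mismatches raised in the thread."""
    blocks = parse_blocks(text)
    groups = {h.split()[-1] for h, _ in blocks
              if h.startswith("crypto isakmp client configuration group ")}
    vt_vrf, findings = {}, []
    for h, subs in blocks:  # pass 1: what each Virtual-Template actually does
        m = re.match(r"interface Virtual-Template(\d+)", h)
        if m:
            vt_vrf[m.group(1)] = next((s.split()[-1] for s in subs
                                       if s.startswith("ip vrf forwarding ")), "global")
            if not any(s.startswith("zone-member security ") for s in subs):
                findings.append(f"{h}: no zone-member; ZBF drops traffic to zoned interfaces")
    for h, subs in blocks:  # pass 2: does the ISAKMP profile agree with its template?
        if not h.startswith("crypto isakmp profile "):
            continue
        vt = next((s.split()[-1] for s in subs if s.startswith("virtual-template ")), None)
        for s in subs:
            g = re.match(r"match identity group (\S+)", s)
            if g and g.group(1) not in groups:
                findings.append(f"{h}: client group '{g.group(1)}' is not configured")
            v = re.match(r"vrf (\S+)", s)
            if v and vt and v.group(1) != vt_vrf.get(vt):
                findings.append(f"{h}: 'vrf {v.group(1)}' disagrees with Virtual-Template{vt} (its ip vrf forwarding sets the iVRF; drop the profile vrf)")
    return findings
```

Running `lint_vrf_aware_ipsec(SAMPLE_CONFIG)` returns three findings for the sample; a config with a zone-member on the template, no `vrf` in the profile and a defined client group returns an empty list.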
09-28-2013 05:32 PM
Hi Marcin,
Thank you very much for your response. Actually, we did open a TAC case and the problem was resolved using Crypto Map dynamic configurations for both Standard and IPSec aware VPNs. Some specific policies on ZBF were tweaked (for example, echo-reply packet inspection was deleted and configured for Pass), and also some access-lists which had unwanted entries were cleaned up.
Thanks again for your help.
Best Regards,
Mohan