01-17-2014 04:07 PM
Hi,
I'm trying to set up different types of VRF-aware VPN and I have a problem with the one below:
FVRF=VRF1 and IVRF=global, no VRF
There are 2 routers with Loopback1 (global VRF) and gig0/0 (vrf FVRF). When I ping between the Loop1s I see the ISAKMP and IPsec SAs are up, but I don't receive an echo reply.
Loop1 (global vrf) 11.11.11.11 -- gig0/0 (vrf=FVRF) 10.0.0.1 <-> gig0/0 (vrf=FVRF) 10.0.0.2 -- Loop1 (global vrf) 22.22.22.22
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.0.0.1 10.0.0.2 QM_IDLE 1003 ACTIVE
IPv6 Crypto ISAKMP SA
r1#sh cry
r1#sh crypto ip
r1#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: MAPA, local addr 10.0.0.1
protected vrf: FVRF
local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xCF660D5A(3479571802)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x66992BE3(1721314275)
r1#
I added static routes on r1 and r2 but apparently I missed something else:
r1:
ip route 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2
r2:
ip route 11.11.11.11 255.255.255.255 GigabitEthernet0/0 10.0.0.1
Any suggestions?
Hubert
01-19-2014 05:15 AM
Do you have a route back from the vrf to the global? This would be a static route including the vrf.
01-19-2014 11:13 AM
Hi,
yes, I have the static route:
r1#sh run | i route
ip source-route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.0.2
r1#sh ip ro
r1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.0.0.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.0.2, GigabitEthernet0/0
11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 11.11.11.0/24 is directly connected, Loopback1
L 11.11.11.11/32 is directly connected, Loopback1
r1#sh ip route vr
r1#sh ip route vrf FVRF
Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, GigabitEthernet0/0
L 10.0.0.1/32 is directly connected, GigabitEthernet0/0
r1#
The problem is I can't specify the 'global' vrf in the route statement. When I tested a slightly different scenario, everything worked fine:
a) Loop1 (vrf=IVRF) 11.11.11.11 -- gig0/0 (global vrf) 10.0.0.1 <-> gig0/0 (global vrf) 10.0.0.2 -- Loop1 (vrf=IVRF) 22.22.22.22
I just added:
ip route vrf IVRF 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2 global
b) With 2 VRFs:
Loop1 (vrf=IVRF) 11.11.11.11 -- gig0/0 (vrf=FVRF) 10.0.0.1 <-> gig0/0 (vrf=FVRF) 10.0.0.2 -- Loop1 (vrf=IVRF) 22.22.22.22
I added:
ip route vrf FVRF 0.0.0.0 0.0.0.0 10.0.0.1
ip route vrf IVRF 0.0.0.0 0.0.0.0 FastEthernet0/0 10.0.0.1
So, the problem I have is only when the Loopback interfaces are in the global VRF and the physical interfaces are in vrf=FVRF:
Loop1 (global vrf) 11.11.11.11 -- gig0/0 (vrf=FVRF) 10.0.0.1 <-> gig0/0 (vrf=FVRF) 10.0.0.2 -- Loop1 (global vrf) 22.22.22.22
I wonder if Cisco supports such a scenario.
01-19-2014 04:44 PM
I found a way to accomplish it: the solution is an IPsec profile.
r1#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel1
Profile: ISAKMP-PRF
Uptime: 00:04:16
Session status: UP-ACTIVE
Peer: 10.0.0.2 port 500 fvrf: FVRF ivrf: (none)
Phase1_id: 10.0.0.2
Desc: (none)
IKE SA: local 10.0.0.1/500 remote 10.0.0.2/500 Active
Capabilities:(none) connid:1006 lifetime:23:55:43
IPSEC FLOW: permit 47 host 10.0.0.1 host 10.0.0.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 10 drop 0 life (KB/Sec) 4469482/3343
Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4469482/3343
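The following is an added example of what the working setup above looks like on r1, not the poster's own configuration: a GRE tunnel (protocol 47, as the IPSEC FLOW line shows) whose source sits in FVRF via "tunnel vrf", protected by an IPsec profile, while the tunnel's own IP address stays in the global table so that the static route to 22.22.22.22 can simply point at Tunnel1 with no VRF keyword. The ISAKMP profile name, peer addresses and loopbacks are taken from the thread; the keyring, transform-set, IPsec profile and tunnel addresses, and the pre-shared key placeholder are assumed.

```cisco
! Added example config for r1 (assumed names: KR-FVRF, TS-AES, IPSEC-PRF, tunnel /30)
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! The keyring is bound to the front-door VRF, because IKE runs in FVRF
crypto keyring KR-FVRF vrf FVRF
 pre-shared-key address 10.0.0.2 key <PSK-PLACEHOLDER>
!
! Profile name matches the "Profile: ISAKMP-PRF" line in the session output;
! the peer identity is matched inside FVRF
crypto isakmp profile ISAKMP-PRF
 keyring KR-FVRF
 match identity address 10.0.0.2 255.255.255.255 FVRF
!
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PRF
 set transform-set TS-AES
 set isakmp-profile ISAKMP-PRF
!
! No "ip vrf forwarding" here, so the tunnel's inside (IVRF) is global,
! which shows as "ivrf: (none)" in "show crypto session detail"
interface Tunnel1
 ip address 192.168.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel vrf FVRF
 tunnel protection ipsec profile IPSEC-PRF
!
! Global route to the remote loopback goes via the tunnel; the crypto map
! static route through gig0/0 (which lives in FVRF) is no longer needed
ip route 22.22.22.22 255.255.255.255 Tunnel1
```

r2 mirrors this with the addresses swapped (10.0.0.1 as peer, 192.168.1.2/30 on Tunnel1, a global route to 11.11.11.11 via Tunnel1); the ICMP echo from Loop1 to Loop1 is then routed in the global table into the tunnel, encapsulated in GRE, encrypted, and forwarded in FVRF.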