Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1234
Views
0
Helpful
6
Replies

VRF based IPSec VPN

Go to solution
alexia_net
Level 1
Level 1

‎04-13-2021 10:59 AM

Hello,

I am trying to implement in my lab a vrf aware ipsec. 

There is something that I am missing in my configuration, but I cannot identify it. 

Attached the configuration I am trying to implement on both routers.

On the same routers I have managed to implement non-vrf based IPSec VPN, on different WAN IPs.

But I have some challanges with the VRF based VPN.

Any feedback, much appreciated.

Thank you!

Labels:
Preview file
3 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
alexia_net
Level 1
Level 1

‎04-15-2021 01:40 AM

I have managed to make it work. However, I do not understand why I cannot send traffic from the LO interface. It worked after creating a VM and connecting it into the router, in to that specific VRF. I had to remove the LO interface and create a physical interface, forwarding the VRF traffic and used it at GW for the VM.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎04-13-2021 11:58 AM

Hi @alexia_net 

I would have thought the ISAKMP profile should be in the "global" vrf not "CustX".

0 Helpful

Go to solution
alexia_net
Level 1
Level 1
In response to Rob Ingram

‎04-13-2021 11:23 PM

Hello Rob,

You mean like this?

 

crypto isakmp profile prof-15
keyring key-15
match identity address 172.100.101.1 255.255.255.255
exit

 

Best regards!

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎04-14-2021 12:39 AM

@alexia_net 

Yes, if no vrf defined it would be in global.

0 Helpful

Go to solution
alexia_net
Level 1
Level 1
In response to Rob Ingram

‎04-14-2021 12:43 AM

Hello,

It still does not work.

I still do not get answer from remote router with wan 172.100.101.1, towards local router with wan 172.100.101.2, using

 

ping vrf CustX 10.3.113.1

or 

ping 10.3.113.1 soruce lo3

 

10.3.113.1 is on the local router

 

The same when I try from local to remote, towards 10.3.114.1

 

Best regards!

0 Helpful

Go to solution
alexia_net
Level 1
Level 1

‎04-15-2021 01:40 AM

I have managed to make it work. However, I do not understand why I cannot send traffic from the LO interface. It worked after creating a VM and connecting it into the router, in to that specific VRF. I had to remove the LO interface and create a physical interface, forwarding the VRF traffic and used it at GW for the VM.

0 Helpful

Go to solution
alexia_net
Level 1
Level 1

‎04-15-2021 01:42 AM

I recommend this video

https://www.youtube.com/watch?v=04DWdHPk1J0 

0 Helpful
Customers Also Viewed These Support Documents