
VTI & Crypto maps on the same device.

I've got a bit of a problem. I'm trying to get FVRF, VTI and legacy crypto maps to all play well together.

I have a simple lab set up: two 2911s connected together. I cannot get phase 1 to stand up, much less test whether I can have crypto maps and VTIs working on the same outbound interface.


R1 sh run:


RTGOTNAAR01-LAB#sh run
Building configuration...

Current configuration : 3034 bytes
!
! Last configuration change at 18:55:50 UTC Tue May 15 2018
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTGOTNAAR01-LAB
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip cef
!
!
!
ip vrf EXT
rd 1:1
!
ip vrf INT-BP-XX
rd 1:100
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1702AKGZ
license boot module c2900 technology-package securityk9
hw-module sm 1
!
!
!
!
redundancy
!
!
!
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
crypto keyring KEY-BP-XX-VPN1 vrf EXT
pre-shared-key address 15.155.2.10 key !@!@!@!@
!
crypto isakmp policy 100
encr aes 256
hash sha256
authentication pre-share
group 14
lifetime 28800
crypto isakmp profile ISA-PROF-BP-XX-VPN1
vrf INT-BP-XX
keyring KEY-BP-XX-VPN1
match identity address 15.155.2.10 255.255.255.252 EXT
!
!
crypto ipsec transform-set TSET-BP-XX esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
!
crypto map CMC-BP 12 ipsec-isakmp
description ***Pol_based 12 USCloud***
set peer 15.155.2.10
set transform-set TSET-BP-XX
set isakmp-profile ISA-PROF-BP-XX-VPN1
match address BPXX
!
!
!
!
!
interface Loopback101
ip vrf forwarding INT-BP-XX
ip address 10.60.100.2 255.255.255.0
!
interface Tunnel10
description ***IPSEC VPN TO BPXX***
ip vrf forwarding INT-BP-XX
no ip address
tunnel source GigabitEthernet0/0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip vrf forwarding EXT
ip address 15.155.2.9 255.255.255.252
duplex auto
speed auto
crypto map CMC-BP
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.10
description ***IPSEC-Workaround***
encapsulation dot1Q 1710
ip vrf forwarding INT-BP-XX
ip mtu 1400
ip nbar protocol-discovery
ip virtual-reassembly in
!
interface Integrated-Service-Engine1/0
no ip address
shutdown
!Application: CUE Running on NME
no keepalive
!
!
router eigrp 10
network 15.155.2.0 0.0.0.255
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route vrf EXT 0.0.0.0 0.0.0.0 15.155.2.10
!
ip access-list extended BPXX
permit ip 10.60.100.0 0.0.0.255 10.116.0.0 0.0.255.255
permit ip 10.116.0.0 0.0.255.255 10.60.100.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end

RTGOTNAAR01-LAB#

R2 sh run:

beta001#sh run
Building configuration...


Current configuration : 2676 bytes
!
! Last configuration change at 18:32:27 UTC Tue May 15 2018
! NVRAM config last updated at 18:31:03 UTC Tue May 15 2018
! NVRAM config last updated at 18:31:03 UTC Tue May 15 2018
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname beta001
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip vrf EXT
rd 1:1
!
ip vrf INT-BP-XX
rd 1:100
!
!
!
ip cef
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1432A1L0
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
!
!
redundancy
!
!
!
!
!
!
crypto keyring KEY-BP-XX-VPN1 vrf EXT
pre-shared-key address 15.155.2.9 key !@!@!@!@
!
crypto isakmp policy 100
encr aes 256
hash sha256
authentication pre-share
group 14
lifetime 28800
crypto isakmp profile ISA-PROF-BP-XX-VPN1
vrf INT-BP-XX
keyring KEY-BP-XX-VPN1
match identity address 15.155.2.9 255.255.255.255 EXT
!
!
crypto ipsec transform-set TSET-BP-XX esp-aes 256 esp-sha256-hmac
!
!
!
crypto map CMC-BP 12 ipsec-isakmp
description ***Pol_based 12 USCloud***
set peer 15.155.2.9
set transform-set TSET-BP-XX
set isakmp-profile ISA-PROF-BP-XX-VPN1
match address BPXX
!
!
!
!
!
interface Loopback1
ip vrf forwarding INT-BP-XX
ip address 10.116.0.1 255.255.0.0
!
interface Loopback200
ip address 172.16.0.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip vrf forwarding EXT
ip address 15.155.2.10 255.255.255.252
duplex auto
speed auto
crypto map CMC-BP
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route vrf EXT 0.0.0.0 0.0.0.0 15.155.2.9
!
ip access-list extended BPXX
permit ip 10.116.0.0 0.0.255.255 10.60.100.0 0.0.0.255
permit ip 10.60.100.0 0.0.0.255 10.116.0.0 0.0.255.255
!
access-list 50 permit 0.0.0.0 255.255.0.0
!
!
!
control-plane
!
!
!
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end

beta001#

2 Replies

Hi,

I labbed this out of curiosity; it drove me crazy for a while, but I found out you need to add the command below to each of the crypto maps on both routers (obviously change the remote peer IP address).

crypto map CMC-BP 12 ipsec-isakmp
 reverse-route remote-peer 15.155.2.9 static


When you add this RRI command, it will inject the VPN route into the correct VRF.

R2#show ip cef vrf INT-BP-XX
Prefix               Next Hop             Interface
0.0.0.0/0            no route
0.0.0.0/8            drop
0.0.0.0/32           receive
10.60.100.0/24       15.155.2.9           GigabitEthernet0/0


R2#ping vrf INT-BP-XX 10.60.100.2 so lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.60.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.116.0.1
!!!!!


HTH

I tried adding the command and now it shows up in the routing table, but when I issue sh ip cef vrf INT-BP-XX it just comes back as an unresolved route on beta001; it has worked properly on RTGOTNAAR01.

beta001(config-crypto-map)#do sh cry map
Crypto Map IPv4 "CMC-BP" 12 ipsec-isakmp
Description: ***Pol_based 12 USCloud***
Peer = 15.155.2.9
ISAKMP Profile: ISA-PROF-BP-XX-VPN1
Extended IP access list BPXX
access-list BPXX permit ip 10.116.0.0 0.0.255.255 10.60.100.0 0.0.0.255
access-list BPXX permit ip 10.60.100.0 0.0.0.255 10.116.0.0 0.0.255.255
Current peer: 15.155.2.9
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TSET-BP-XX: { esp-256-aes esp-sha256-hmac } ,
}
Reverse Route Injection Enabled
Interfaces using crypto map CMC-BP:
GigabitEthernet0/0


beta001(config-crypto-map)#do sh ip cef vrf INT-BP-XX
Prefix Next Hop Interface
0.0.0.0/0 no route
0.0.0.0/8 drop
0.0.0.0/32 receive
10.60.100.0/24 unresolved
10.116.0.0/16 attached Loopback1
10.116.0.0/32 receive Loopback1
10.116.0.1/32 receive Loopback1
10.116.255.255/32 receive Loopback1
15.155.2.9/32 no route
127.0.0.0/8 drop
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive


VS


RTGOTNAAR01-LAB#sh cry map
Crypto Map IPv4 "CMC-BP" 12 ipsec-isakmp
Description: ***Pol_based 12 USCloud***
Peer = 15.155.2.10
ISAKMP Profile: ISA-PROF-BP-XX-VPN1
Extended IP access list BPXX
access-list BPXX permit ip 10.60.100.0 0.0.0.255 10.116.0.0 0.0.255.255
access-list BPXX permit ip 10.116.0.0 0.0.255.255 10.60.100.0 0.0.0.255
Current peer: 15.155.2.10
ISAKMP profile ISA-PROF-BP-XX-VPN1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TSET-BP-XX: { esp-256-aes esp-sha256-hmac } ,
}
Reverse Route Injection Enabled
Interfaces using crypto map CMC-BP:
GigabitEthernet0/0


RTGOTNAAR01-LAB#sh ip cef vrf INT-BP-XX
Prefix Next Hop Interface
0.0.0.0/0 no route
0.0.0.0/8 drop
0.0.0.0/32 receive
10.60.100.0/24 attached Loopback101
10.60.100.0/32 receive Loopback101
10.60.100.2/32 receive Loopback101
10.60.100.255/32 receive Loopback101
10.116.0.0/32 15.155.2.9 GigabitEthernet0/0
127.0.0.0/8 drop
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive
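The consistency checks a practitioner would run over two configs like the ones in this thread, as an added example that is not part of the original post and not a Cisco tool. It parses the crypto-relevant sections of an IOS running-config and flags: a set peer with no matching pre-shared-key address in the profile's keyring; a match identity address whose FVRF differs from the keyring's vrf; a reverse-route remote-peer that is not the map's set peer (the "obviously change the remote peer IP address" in the first reply); a Tunnel interface still lacking tunnel mode ipsec ipv4 and tunnel protection, which is what Tunnel10 in the R1 config needs before it is a VTI at all; and a crypto ACL entry the other side does not mirror. The two inputs are constructed after the 2911 configs in the post (condensed and rebuilt with proper indentation), and R1 is given the pasted-unchanged RRI peer on purpose so the checks have something to find. lab_config, parse_ios, blocks, sub, check_side, crypto_acl and check_pair are names of this example only. This is static config linting: whether the injected next hop then resolves inside the IVRF, as with the unresolved entry in the last post, is a question for show ip cef vrf and show ip route vrf on the box itself.

```python
"""Consistency checks for a pair of VRF-aware IOS crypto-map configs.  Added example, not
Cisco's or the poster's code: it parses the crypto-relevant parts of two condensed running
configs (constructed below after the 2911 configs in the post) and reports what would stop
phase 1, leave an RRI route pointing at the wrong peer, or leave a Tunnel short of an sVTI."""


def lab_config(host, my_ip, peer, peer_mask, local, remote, rri_peer, extra=""):
    # Constructed input in the shape of the post's configs; not captured from a real device.
    return f"""hostname {host}
crypto keyring KEY-BP-XX-VPN1 vrf EXT
 pre-shared-key address {peer} key !@!@!@!@
crypto isakmp profile ISA-PROF-BP-XX-VPN1
 vrf INT-BP-XX
 keyring KEY-BP-XX-VPN1
 match identity address {peer} {peer_mask} EXT
crypto map CMC-BP 12 ipsec-isakmp
 set peer {peer}
 set isakmp-profile ISA-PROF-BP-XX-VPN1
 match address BPXX
 reverse-route remote-peer {rri_peer} static
{extra}interface GigabitEthernet0/0
 ip vrf forwarding EXT
 ip address {my_ip} 255.255.255.252
 crypto map CMC-BP
ip access-list extended BPXX
 permit ip {local} {remote}
"""


# R1 carries two deliberate defects: the RRI remote-peer pasted unchanged from the other
# router (the slip the first reply warns about) and a Tunnel10 that is not yet an sVTI.
R1 = lab_config("RTGOTNAAR01-LAB", "15.155.2.9", "15.155.2.10", "255.255.255.252",
                "10.60.100.0 0.0.0.255", "10.116.0.0 0.0.255.255", rri_peer="15.155.2.9",
                extra="interface Tunnel10\n ip vrf forwarding INT-BP-XX\n tunnel source GigabitEthernet0/0\n")
R2 = lab_config("beta001", "15.155.2.10", "15.155.2.9", "255.255.255.255",
                "10.116.0.0 0.0.255.255", "10.60.100.0 0.0.0.255", rri_peer="15.155.2.9")


def parse_ios(text):
    """Map each top-level command (as printed) to the word lists of its indented sub-commands."""
    cfg, blk = {}, None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            continue
        if line.startswith(" ") and blk is not None:      # IOS indents sub-commands by one space
            blk.append(w)
        else:
            blk = cfg.setdefault(line.strip(), [])
    return cfg


def blocks(cfg, prefix):
    """(header words, sub-commands) of every block whose header is `prefix` or starts with it."""
    return [(h.split(), s) for h, s in cfg.items() if h == prefix or h.startswith(prefix + " ")]


def sub(subs, *head, n=0):
    """Word n after `head` in the first sub-command that starts with `head`, else None."""
    return next((w[len(head) + n] for w in subs if tuple(w[:len(head)]) == head and len(w) > len(head) + n), None)


def check_side(cfg):
    """One-router checks: PSK for the peer, FVRF agreement, RRI peer, sVTI completeness."""
    out, host = [], blocks(cfg, "hostname")[0][0][1]
    for hdr, m in blocks(cfg, "crypto map"):
        peer, tag = sub(m, "set", "peer"), f"{host} {' '.join(hdr[:4])}"
        prof = (blocks(cfg, f"crypto isakmp profile {sub(m, 'set', 'isakmp-profile')}") or [([], [])])[0][1]
        ring_hdr, ring = (blocks(cfg, f"crypto keyring {sub(prof, 'keyring')}") or [([], [])])[0]
        ring_vrf = ring_hdr[4] if ring_hdr[3:4] == ["vrf"] else None       # the keyring's FVRF, if any
        fvrf, rri = sub(prof, "match", "identity", "address", n=2), sub(m, "reverse-route", "remote-peer")
        if not any(w[:3] == ["pre-shared-key", "address", peer] for w in ring):
            out.append(f"{tag}: no pre-shared key for peer {peer} in keyring {' '.join(ring_hdr[2:3])}")
        if fvrf != ring_vrf:
            out.append(f"{tag}: match identity FVRF {fvrf} != keyring VRF {ring_vrf}")
        if rri not in (None, peer):
            out.append(f"{tag}: reverse-route remote-peer {rri} != set peer {peer}")
    for hdr, t in blocks(cfg, "interface"):
        vti = (sub(t, "tunnel", "mode"), sub(t, "tunnel", "mode", n=1)) == ("ipsec", "ipv4") and sub(t, "tunnel", "protection")
        if hdr[1].startswith("Tunnel") and not vti:
            out.append(f"{host} {hdr[1]}: not an sVTI yet (needs 'tunnel mode ipsec ipv4' and 'tunnel protection ipsec profile')")
    return out


def crypto_acl(cfg):
    """Set of (src, wildcard, dst, wildcard) from every ACL a crypto map names in 'match address'."""
    names = {sub(m, "match", "address") for _, m in blocks(cfg, "crypto map")}
    return {tuple(w[2:6]) for n in names for _, acl in blocks(cfg, f"ip access-list extended {n}")
            for w in acl if w[:2] == ["permit", "ip"]}


def check_pair(a, b):
    """Both routers: the per-side checks plus a mirrored crypto ACL in each direction."""
    out = check_side(a) + check_side(b)
    for x, y in ((a, b), (b, a)):
        mirror = {(d, dw, s, sw) for s, sw, d, dw in crypto_acl(y)}
        for e in sorted(crypto_acl(x) - mirror):
            out.append(f"{blocks(x, 'hostname')[0][0][1]}: ACL entry '{' '.join(e)}' has no mirror on the peer")
    return out
```

Feed it real show running-config output instead of the constructed strings: the parser relies on the one-space indentation IOS prints for sub-commands, so keep that output verbatim (the extraction on this page stripped the indentation, which is why the inputs above are rebuilt rather than copied). With R1 as constructed it reports the RRI peer mismatch and the incomplete Tunnel10 and nothing else; correcting the remote-peer on R1 to 15.155.2.10 leaves only the Tunnel10 finding.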