VTI tunnel terminated in VRF not sending FQDN_ID

Hi

I'm configuring a VTI tunnel from a Cisco 881W to a Juniper SSG550. The tunnel will be terminated from a vrf named factorywl. To make the whole thing more exciting the Cisco will also be using DHCP to receive an IP address. Since the Cisco uses a DHCP address I need to use the fqdn name as an ID for the router when terminating to the SSG550. When debugging on the SSG550 it only receives the IP as ID and not the fqdn. Could someone look at the config to see what I'm doing wrong?

ip vrf factorywl
!
!
crypto keyring vpn-key vrf factorywl
 pre-shared-key address 192.168.201.241 key 4rfvcde32wsxzaq1
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp profile VPN
 vrf factorywl
 keyring vpn-key
 self-identity fqdn no-fb5-60-01.test.com
 match identity address 192.168.201.241 255.255.255.255 factorywl
 exit
!
!
crypto ipsec transform-set cisco-set esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile
 set transform-set cisco-set
 set pfs group14
!
!
interface Tunnel1
 ip vrf forwarding red
 ip address 10.0.111.66 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.201.241
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
!
interface Vlan105
 description vlan for wireless to facotries
 ip vrf forwarding factorywl
 ip address dhcp
!
interface FastEthernet3
 switchport access vlan 105
 no ip address
!
3 Replies

Philip D'Ath
VIP Alumni

I don't rate your chances very high of getting this working with IKEv1. I think you'll need to use IKEv2. I would use IOS 15.4(3)M4.

I don't know how good the Juniper support is for IKEv2.

Frank DeNofa
Cisco Employee

Nils,

Please try referencing your ISAKMP profile in the IPsec profile. This will force the router to use the "VPN" ISAKMP profile whenever we are attempting to negotiate using the "ipsec-profile":

crypto ipsec profile ipsec-profile
 set isakmp-profile VPN

While I can't comment as to how the Juniper side is going to handle things, this will ensure that we will send "no-fb5-60-01.test.com" as our identity.

HTH,

Frank

Hi

I got it to work. I was able to do it before the vacation but I'm a little late publishing it here. The command that did the trick was "set aggressive-mode client-endpoint fqdn boat.example.com". I have written a bit more about the configuration I did in this blog post: https://networksandrants.wordpress.com/2016/08/08/configuring-a-vpn-tunnel-from-a-vrf/

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile boat-vpn
 set transform-set aes256-sha
 set pfs group14

ip vrf factorywireless
crypto isakmp peer address 192.168.2.1 vrf factorywireless
 set aggressive-mode password supersecret
 set aggressive-mode client-endpoint fqdn boat.example.com

interface Tunnel105
 description Tunnel over Wireless at factories
 ip address 10.0.1.2 255.255.255.252
 tunnel source Vlan110
 tunnel mode ipsec ipv4
 tunnel vrf factorywireless
 tunnel destination 192.168.2.1
 tunnel protection ipsec profile boat-vpn
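The thread comes down to three plumbing checks on a VRF-terminated VTI: the tunnel has to be bound with "tunnel vrf" to the VRF that holds the IKE credentials, an ISAKMP profile (and its self-identity) only takes effect when the IPsec profile references it (Frank's point), and a DHCP-addressed source needs an FQDN identity from either that bound profile or an aggressive-mode "crypto isakmp peer" entry (the final fix). The Python script below is an added example, not code from the thread, from Cisco or from Juniper: it parses an IOS configuration as it is pasted here (no indentation, blocks delimited by the next top-level command) and flags each of those mismatches. The sample configurations are condensed from the posts with key material omitted; the Vlan110 interface block in the working config is a constructed assumption, since the last reply does not show it.

```python
"""Lint a Cisco IOS VTI/IPsec config for the VRF and IKE-identity mistakes in this thread.
Added example; not code from the thread, from Cisco or from Juniper."""
# Commands that open a block; lines up to the next opener or "!" belong to it, so the
# unindented dumps pasted into forum posts parse the same as a real running-config.
OPENERS = ("crypto keyring", "crypto isakmp policy", "crypto isakmp profile",
           "crypto isakmp peer", "crypto ipsec transform-set", "crypto ipsec profile",
           "interface")

def parse_ios(text):
    """Return [(header, [sub-commands])] for every block-opening command."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        # "ip vrf NAME" opens a block; "ip vrf forwarding NAME" is an interface sub-command.
        if line.startswith(OPENERS) or (line.startswith("ip vrf ")
                                        and not line.startswith("ip vrf forwarding")):
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks

def _named(blocks, prefix):
    """{rest-of-header: sub-commands} for blocks whose header starts with prefix."""
    return {h[len(prefix):].strip(): s for h, s in blocks if h.startswith(prefix)}

def _sub(subs, prefix):
    """Argument of the first sub-command starting with prefix, or None if absent."""
    return next((s[len(prefix):].strip() for s in subs if s.startswith(prefix)), None)

def lint(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    blocks = parse_ios(text)
    vrfs = set(_named(blocks, "ip vrf "))
    key_vrfs = set()  # VRFs that hold IKE credentials: the "vrf" keyword on a keyring or peer
    for h, _ in blocks:
        if h.startswith(("crypto keyring", "crypto isakmp peer")) and " vrf " in h:
            key_vrfs.add(h.split(" vrf ")[1].split()[0])
    isakmp_profiles = _named(blocks, "crypto isakmp profile ")
    ipsec_profiles = _named(blocks, "crypto ipsec profile ")
    peers = _named(blocks, "crypto isakmp peer address ")
    interfaces = _named(blocks, "interface ")
    findings = []
    for name, subs in interfaces.items():
        ipsec = _sub(subs, "tunnel protection ipsec profile ")
        if ipsec is None:
            continue
        fvrf, ivrf = _sub(subs, "tunnel vrf "), _sub(subs, "ip vrf forwarding ")
        if ivrf is not None and ivrf not in vrfs:
            findings.append(f"{name}: 'ip vrf forwarding {ivrf}' but VRF {ivrf} is not defined")
        if key_vrfs and fvrf not in key_vrfs:
            findings.append(f"{name}: IKE credentials are in VRF {sorted(key_vrfs)} but no matching 'tunnel vrf'")
        # An ISAKMP profile, self-identity included, applies only if the IPsec profile names it.
        bound = _sub(ipsec_profiles.get(ipsec, []), "set isakmp-profile ")
        if isakmp_profiles and bound not in isakmp_profiles:
            findings.append(f"{name}: '{ipsec}' lacks 'set isakmp-profile'; self-identity in {sorted(isakmp_profiles)} unused")
        # A DHCP-addressed source needs an FQDN identity from the bound profile or a peer entry.
        src, dst = _sub(subs, "tunnel source "), _sub(subs, "tunnel destination ")
        if src in interfaces and "ip address dhcp" in interfaces[src]:
            prof_fqdn = _sub(isakmp_profiles.get(bound, []), "self-identity fqdn") is not None
            peer_fqdn = any(k.split()[0] == dst and _sub(p, "set aggressive-mode client-endpoint fqdn ")
                            for k, p in peers.items())
            if not (prof_fqdn or peer_fqdn):
                findings.append(f"{name}: source {src} uses DHCP but no FQDN identity is configured")
    return findings

# Condensed from the original post (key material omitted).
BROKEN = """
ip vrf factorywl
crypto keyring vpn-key vrf factorywl
crypto isakmp profile VPN
self-identity fqdn no-fb5-60-01.test.com
crypto ipsec profile ipsec-profile
interface Tunnel1
ip vrf forwarding red
tunnel source Loopback0
tunnel protection ipsec profile ipsec-profile
interface Vlan105
ip vrf forwarding factorywl
ip address dhcp
"""

# Condensed from the working config above; the Vlan110 block is a constructed assumption.
FIXED = """
crypto ipsec profile boat-vpn
ip vrf factorywireless
crypto isakmp peer address 192.168.2.1 vrf factorywireless
set aggressive-mode client-endpoint fqdn boat.example.com
interface Tunnel105
tunnel source Vlan110
tunnel vrf factorywireless
tunnel destination 192.168.2.1
tunnel protection ipsec profile boat-vpn
interface Vlan110
ip vrf forwarding factorywireless
ip address dhcp
"""
```

Running lint(BROKEN) reports the undefined VRF "red", the missing "tunnel vrf" for the keyring's VRF, and the unreferenced ISAKMP profile, while lint(FIXED) returns nothing; remove the client-endpoint line from FIXED and the DHCP/FQDN check fires. Single-line global commands such as "crypto isakmp keepalive" are absorbed into the preceding block by this simple parser, which is harmless because only the blocks named above are inspected.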
