Hey Kingsley and Eugene, 

Essentially it is just to understand the technology better. Sometimes when you 
just complete a task and don't fully understand how the technology works, when 
they change the task a little bit and you don't have the foundations right, it is 
like starting all over again. 

But yes, mainly I understand that VRFs have their own routing table. In the 
configs I sent, keyring was not the problem, as Phase 1 was up and running 
with no issues; what I am confused about is how the packets are going to be sent out 
to the IVRF. 

When I see the router which has the VRFs set, on the outside, I can see the 
packets being decrypted, but I cannot see anything being encrypted. Not quite 
sure if the association made on the ISAKMP profile IVRF vs FVRF is going to do 
the trick, but I am willing to test it out one more time.

Thanks a lot for the inputs. 

Mike 

From: eug...@koiossystems.com
To: kingsley.char...@gmail.com
CC: mike_c...@hotmail.com; fawa...@gmail.com; ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IPSEC VRF Aware
Date: Sat, 3 Mar 2012 07:21:06 +0000

So, my findings in Mike's config are correct then? ;)

From: Kingsley Charles <kingsley.char...@gmail.com>
Date: Sat, 3 Mar 2012 12:30:03 +0530
To: Eugene Pefti <eug...@koiossystems.com>
Cc: Mike Rojas <mike_c...@hotmail.com>, "fawa...@gmail.com" <fawa...@gmail.com>, <ccie_security@onlinestudylist.com>
Subject: Re: [OSL | CCIE_Security] IPSEC VRF Aware

You need to put in some good effort to understand VPN with VRFs. Each VRF has its 
own routing table and that's where we need to start working.

We have Internal VRF (IVRF) that connects the internal network (LAN) and FVRF 
(Front VRF) that connects to the internet (public network).

The following are the use cases.

Local VPN router has only IVRF and the external network is connected using 
global routing

----- IVRF Router ----------- Global Routing ---------------- Router

Configure IVRF in the VRF command under ISAKMP profiles. And a route in VRF for 
the peer using the "global" keyword.

Local VPN router has IVRF and the external network is in FVRF. Here IVRF = FVRF

----- IVRF Router FVRF ---------------- Router

Configure IVRF in the VRF command under ISAKMP profiles. And a route in VRF for 
the peer using the "global" keyword.

Configure FVRF with the crypto keyring and match identity under ISAKMP profile

Local VPN router has IVRF and the external network is in FVRF. Here IVRF != FVRF

----- IVRF Router FVRF ---------------- Router

Configure IVRF in the VRF command under ISAKMP profiles. And a route in VRF for 
the peer using the "global" keyword.

Configure FVRF with the crypto keyring and match identity under ISAKMP profile

Here you need to tweak the routing table. For this, use the following method that I 
have discussed in this link.

https://learningnetwork.cisco.com/message/184180#184180

The ones that I have highlighted are key things that you should always remember 
while configuring VPN with VRF. First classify whether there is IVRF or FVRF or 
both of them and then configure it.

With regards

Kings
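The third use case above (IVRF != FVRF) written out as an added IOS configuration example; this is not from Kingsley's message or from Mike's attached configs. The peer 136.1.0.4 and the outside address 136.1.100.1 come from the thread; the VRF names, interface names, LAN prefixes, next hop and the key are assumptions, and the routing tweak shown is the static route leak through the FVRF interface.

```cisco
! Added example (not from the thread): IVRF != FVRF case on the local VPN router.
! Assumed: VRF names IVRF/FVRF, interfaces Gi0/0 (outside) and Gi0/1 (inside),
! LAN prefixes 10.1.1.0/24 (local) and 10.4.4.0/24 (remote), next hop 136.1.100.254.
! Taken from the thread: peer 136.1.0.4, outside address 136.1.100.1.
ip vrf FVRF
 rd 65000:1
ip vrf IVRF
 rd 65000:2
!
! Keyring is bound to the FVRF because ISAKMP packets arrive on the FVRF interface.
crypto keyring KR_FVRF vrf FVRF
 pre-shared-key address 136.1.0.4 255.255.255.255 key REPLACE_WITH_PSK
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! "vrf" = IVRF (where the cleartext traffic lives); keyring and the VRF on
! "match identity" = FVRF (where the peer's ISAKMP/IPsec packets arrive).
crypto isakmp profile PROF_L2L
 vrf IVRF
 keyring KR_FVRF
 match identity address 136.1.0.4 255.255.255.255 FVRF
!
crypto ipsec transform-set TS_AES esp-aes esp-sha-hmac
!
crypto map CM_L2L 10 ipsec-isakmp
 set peer 136.1.0.4
 set transform-set TS_AES
 set isakmp-profile PROF_L2L
 match address ACL_L2L
!
ip access-list extended ACL_L2L
 permit ip 10.1.1.0 0.0.0.255 10.4.4.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip vrf forwarding FVRF
 ip address 136.1.100.1 255.255.255.0
 crypto map CM_L2L
!
interface GigabitEthernet0/1
 ip vrf forwarding IVRF
 ip address 10.1.1.1 255.255.255.0
!
! Routing tweak: IVRF needs a route for the remote LAN that exits via the FVRF
! interface so traffic reaches the crypto map; FVRF needs a route to the peer.
ip route vrf IVRF 10.4.4.0 255.255.255.0 GigabitEthernet0/0 136.1.100.254
ip route vrf FVRF 0.0.0.0 0.0.0.0 136.1.100.254
```

Check the result with "show crypto session detail" and "show crypto ipsec sa": both the IVRF and FVRF should appear in the session, and the encaps counter should increase for traffic from 10.1.1.0/24.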



On Sat, Mar 3, 2012 at 9:32 AM, Eugene Pefti <eug...@koiossystems.com> wrote:

> I took one more careful look into your configs, Mike, and two things jumped
> into my eyes.
>
> As Kingsley recently mentioned, named keyrings don't always work well and I
> confirmed it, but there was no consistency in this. One time the named
> keyring worked, the other time it didn't.
> If you look at the "crypto isakmp profile" section you'll see VRF outside
> referenced twice. As far as I understand, the first statement "vrf VRF_NAME"
> should refer to the internal VRF and the second one (at the end of match
> identity address) should specify the outside VRF name. So, I'd rewrite your
> crypto isakmp profile as follows:
>
> crypto isakmp profile L2L
>  vrf inside
>  keyring outside
>  match identity address 136.1.0.4 255.255.255.255 outside
>
> Take a look at these two guides:
> https://supportforums.cisco.com/docs/DOC-13524
> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec.html#wp1054317
>
> Eugene
>
> From: Mike Rojas <mike_c...@hotmail.com>
> Date: Fri, 2 Mar 2012 17:55:47 -0600
> To: <fawa...@gmail.com>
> Cc: <ccie_security@onlinestudylist.com>
> Subject: Re: [OSL | CCIE_Security] IPSEC VRF Aware
>
> Hey,
>
> I have an issue, where VPN is not that magic... Here are the two configs.
> From one side, it encrypts (without VRFs on it); the other side (with VRFs)
> decrypts, but does not encrypt.
>
> I get the following log:
>
> *Mar  2 18:02:37.569: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
> IPSEC packet.
>         (ip) vrf/dest_addr= outside/136.1.100.1, src_addr= 150.4.4.1, prot= 1
>
> Configs attached
>
> ________________________________
> From: fawa...@gmail.com
> Date: Fri, 2 Mar 2012 18:16:11 -0500
> Subject: Re: [OSL | CCIE_Security] IPSEC VRF Aware
> To: mike_c...@hotmail.com
> CC: ccie_security@onlinestudylist.com
>
> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-ipsec-virt-tunnl.html
>
> This link has a lot of good examples, depending on which kind of IPsec-aware VRF
> you are using.
>
> FNK
>
> On Fri, Mar 2, 2012 at 5:36 PM, Mike Rojas <mike_c...@hotmail.com> wrote:
>
> Does anybody have a good document that explains this topic? Maybe with a
> topology and so on? The documents that I have found so far are either
> complex and not related to VPN or the syntax is incomplete or incorrect.
>
> I have been banging my head over this topic and I can't seem to find a way to
> make it work.
>
> Mike
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com