Badar,

If you haven't gotten the Video on Demand yet, I highly recommend it, for the
VPN section especially (actually, I am pretty happy with all of it). I go
through this plus a lot of other advanced scenarios for different VPN
technologies. By the end of the section my topology became a big mess ;).
Just hope you never get a lab like my Example Topology.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Badar Farooq [mailto:[email protected]] 
Sent: Friday, April 16, 2010 9:42 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] VRF aware ipsec with VTI

 

Ahaan
So the PSK will also be without VRF?
Because we need an isakmp profile to define the keyring associated with a VRF.

The point is, will we define the key as

    crypto isakmp key 0 SECRET address x.x.x.x

in global config without using the isakmp profile,
and only add the VRF related configuration on the tunnel itself?

Right after sending the email, I am testing this, so I will be back within
10 minutes.

Regards

On Fri, Apr 16, 2010 at 4:37 PM, Tyson Scott <[email protected]> wrote:

Badar,

You don't even need to use ISAKMP profiles with this.

On the VTI add "ip vrf forwarding <VRF_NAME>"

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

From: [email protected]
[mailto:[email protected]] On Behalf Of Badar Farooq
Sent: Friday, April 16, 2010 6:33 AM
To: [email protected]
Subject: [OSL | CCIE_Security] VRF aware ipsec with VTI

 

I am trying to establish a VRF aware ipsec tunnel using VTI.
I have tried a million permutations and nothing seems to work. For starters,
when I associate the isakmp profile with the vrf and then attach it to the ipsec
profile, when I apply tunnel protection I get the message

 ISAKMP Profile attached to IPSec Profile 'ipsec-prof' has vrf configured.
 Please remove vrf from ISAKMP Profile and reapply tunnel protection.

But this appears to be dependent on version.

I have tried putting the source of the tunnel in the same VRF, different/no VRF,
the tunnel VRF command, and everything else I can think of...

Can somebody create and send a working config for this simple scenario?

R1 (f0/0)--------------(f0/0)R2 and we need to encrypt traffic between their
loopbacks 1.1.1.1 and 2.2.2.2 using vrf aware ipsec and VTI

Regards
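
An R1 configuration for the approach in Tyson's reply (pre-shared key in global config, no ISAKMP profile, "ip vrf forwarding" on the VTI), added here as an illustration and not posted by anyone in the thread. The VRF name CUST, its rd, the 10.0.12.0/24 addressing on f0/0, the 172.16.12.0/24 tunnel addressing, the transform-set name and the placement of the loopback inside the VRF are assumptions; only the loopback addresses, the f0/0 link, the profile name 'ipsec-prof' and the key SECRET come from the thread.

```cisco
! --- R1 (added example; R2 mirrors it with the addresses swapped) ---
! Inside VRF that will carry the protected traffic (name and rd are assumed)
ip vrf CUST
 rd 1:1
!
! Phase 1: policy and pre-shared key live in global config because the
! tunnel source (f0/0) is in the global table. No ISAKMP profile is used.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key 0 SECRET address 10.0.12.2
!
! Phase 2: the IPsec profile carries only the transform set. Attaching an
! ISAKMP profile that has "vrf" configured is what produced the
! "has vrf configured" message quoted in the original post.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto ipsec profile ipsec-prof
 set transform-set TS
!
! Physical link between R1 and R2 stays in the global routing table
interface FastEthernet0/0
 ip address 10.0.12.1 255.255.255.0
 no shutdown
!
! Loopback to protect, placed in the VRF (assumed placement)
interface Loopback1
 ip vrf forwarding CUST
 ip address 1.1.1.1 255.255.255.255
!
! The VTI: "ip vrf forwarding" goes first, because applying it removes any
! IP address already configured on the interface.
interface Tunnel0
 ip vrf forwarding CUST
 ip address 172.16.12.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 10.0.12.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-prof
!
! Reach R2's loopback through the tunnel, inside the VRF
ip route vrf CUST 2.2.2.2 255.255.255.255 Tunnel0
```

With the mirrored configuration on R2, "show crypto session" and "ping vrf CUST 2.2.2.2 source Loopback1" on R1 confirm that the tunnel is up and that the loopback traffic is carried inside the VRF.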