You can use the keyring as well. I just said that you don't have to. Just don't specify the VRF in the profile. With this example doing it under the interface is the way to go.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Badar Farooq
Sent: Friday, April 16, 2010 1:54 PM
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] VRF aware ipsec with VTI

Guys, I got it to work. But I had to define a key in global config and go without keyring when using VTI. I am still investigating more and will let you all know if I find something interesting.

Regards

On Fri, Apr 16, 2010 at 8:33 PM, Kingsley Charles <[email protected]> wrote:

Some things that I have noted in this and other VPN vrfs docs are:

If the VPN interface is a VRF interface, then the isakmp key should be a vrf key, meaning there should be a keyring associated to the ISAKMP profile attached to the crypto map.

If the VPN interface is not a VRF interface, then the route configured remote proxies should have the global keyword.

With regards
Kings

On Fri, Apr 16, 2010 at 9:53 PM, Brandon Carroll <[email protected]> wrote:

I'm assuming you're using this document:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm

It shows the VRF applied to the interface as well as some examples with isakmp profiles.
Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

On Apr 16, 2010, at 3:33 AM, Badar Farooq wrote:

I am trying to establish a VRF aware ipsec tunnel using VTI. I have tried a million permutations and nothing seems to work. For starters, when I associate the isakmp profile with the vrf and then attach it to ipsec profile, when I apply tunnel protection I get the message

ISAKMP Profile attached to IPSec Profile 'ipsec-prof' has vrf configured. Please remove vrf from ISAKMP Profile and reapply tunnel protection.

But this appears to be dependent on version. I have tried putting source of the tunnel in the same VRF, different/no VRF, tunnel VRF command, and everything else I can think of...

Can somebody create and send a working config for this simple scenario

R1 (f0/0)--------------(f0/0)R2

and we need to encrypt traffic between their loopbacks 1.1.1.1 and 2.2.2.2 using vrf aware ipsec and VTI

Regards
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
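The error quoted in the original question is raised when the ISAKMP profile attached to the IPsec profile used for tunnel protection carries a vrf statement. As an added example (not code from the thread or from Cisco), this Python check walks an IOS-style configuration and reports each tunnel interface that matches that condition. The sample config, the profile names and the VRF name are constructed, and the parser assumes sub-commands are indented under their parent line as in running-config output.

```python
import re

# Constructed sample (not from the thread): isa-prof carries "vrf" and is
# attached to the IPsec profile that protects Tunnel0.
SAMPLE = """\
crypto isakmp profile isa-prof
 vrf CUST-A
crypto isakmp profile isa-clean
 keyring kr-a
crypto ipsec profile ipsec-prof
 set isakmp-profile isa-prof
crypto ipsec profile ipsec-ok
 set isakmp-profile isa-clean
interface Tunnel0
 tunnel vrf CUST-A
 tunnel protection ipsec profile ipsec-prof
interface Tunnel1
 tunnel protection ipsec profile ipsec-ok
"""

def sections(config):
    """Yield (header, [sub-commands]) for each top-level config block."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue
        if not line[0].isspace():
            if header:
                yield header, body
            header, body = line.strip(), []
        else:
            body.append(line.strip())
    if header:
        yield header, body

def find_conflicts(config):
    """Return (tunnel, ipsec_profile, isakmp_profile, vrf) tuples to fix."""
    vrf_of, isakmp_of, protected = {}, {}, []
    for header, body in sections(config):
        kind, _, name = header.rpartition(" ")
        for cmd in body:
            if kind == "crypto isakmp profile" and (m := re.fullmatch(r"vrf (\S+)", cmd)):
                vrf_of[name] = m.group(1)
            elif kind == "crypto ipsec profile" and (m := re.fullmatch(r"set isakmp-profile (\S+)", cmd)):
                isakmp_of[name] = m.group(1)
            elif kind == "interface" and (m := re.match(r"tunnel protection ipsec profile (\S+)", cmd)):
                protected.append((name, m.group(1)))
    return [(t, p, isakmp_of[p], vrf_of[isakmp_of[p]])
            for t, p in protected if isakmp_of.get(p) in vrf_of]
```

Calling `find_conflicts(SAMPLE)` flags Tunnel0 only; the `tunnel vrf` line under the interface is not treated as a conflict.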
