Guys,
I experimented a bit and here is a summary of my findings.

1) If the source of the tunnel interface is not in a VRF, we need to use the
PSK in global config. We use the ip vrf forwarding command to put the tunnel in
the VRF itself.

2) If the source of the tunnel is in the same VRF as the tunnel itself, we
need to use the tunnel vrf xxx command on the tunnel interface. We also need the
keyrings and ISAKMP profiles associated with the given VRF.

3) If the source of the tunnel is in a different VRF, say XYZ, and the tunnel
itself is in VRF ABC, we need to configure keyrings and an ISAKMP profile using
VRF XYZ. Also, on the tunnel we need the ip vrf forwarding ABC and tunnel vrf XYZ
commands.

Any comments and suggestions are welcome, of course.


Regards
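
Finding 3 above, sketched as an IOS configuration for R1 (an added example, not a config posted by anyone in this thread). The link addresses 192.0.2.1/192.0.2.2, the tunnel subnet, the RD values, the object names KR-XYZ, ISA-XYZ and TS, the key placeholder, and the placement of the loopback in VRF ABC are all assumptions made for illustration.

```cisco
! R1, case 3: tunnel source (f0/0) in VRF XYZ, tunnel itself in VRF ABC
ip vrf XYZ
 rd 1:1
ip vrf ABC
 rd 2:2
!
! The keyring is tied to the VRF of the tunnel source (XYZ)
crypto keyring KR-XYZ vrf XYZ
 pre-shared-key address 192.0.2.2 key <PSK-PLACEHOLDER>
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
!
! The profile matches the peer in VRF XYZ. No "vrf" command is set under the
! profile, which is what the error message quoted later in the thread asks for.
crypto isakmp profile ISA-XYZ
 keyring KR-XYZ
 match identity address 192.0.2.2 255.255.255.255 XYZ
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-prof
 set transform-set TS
 set isakmp-profile ISA-XYZ
!
interface FastEthernet0/0
 ip vrf forwarding XYZ
 ip address 192.0.2.1 255.255.255.0
!
interface Loopback0
 ip vrf forwarding ABC
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding ABC
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel vrf XYZ
 tunnel protection ipsec profile ipsec-prof
!
! Protected traffic to R2's loopback is routed into the tunnel inside VRF ABC
ip route vrf ABC 2.2.2.2 255.255.255.255 Tunnel0
```

R2 would mirror this with the addresses swapped. `show crypto isakmp sa vrf XYZ` and `show ip route vrf ABC` are the usual checks that the SA forms in the source VRF and the route sits in the tunnel's VRF.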



On Fri, Apr 16, 2010 at 9:49 PM, Tyson Scott <[email protected]> wrote:

>  You can use the keyring as well.  I just said that you don't have to.
> Just don't specify the VRF in the profile.  With this example doing it under
> the interface is the way to go.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> Technical Instructor - IPexpert, Inc.
>
> Mailto: [email protected]
>
> Telephone: +1.810.326.1444, ext. 208
>
> Live Assistance, Please visit: www.ipexpert.com/chat
>
> eFax: +1.810.454.0130
>
>
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Badar Farooq
> *Sent:* Friday, April 16, 2010 1:54 PM
> *To:* Kingsley Charles
>
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] VRF aware ipsec with VTI
>
>
>
> Guys, I got it to work.
>
> But I had to define a key in global config and go without keyring when
> using VTI.
>
> I am still investigating more and will let you all know if I find something
> interesting.
>
> Regards
>
>  On Fri, Apr 16, 2010 at 8:33 PM, Kingsley Charles <
> [email protected]> wrote:
>
> Some things that I have noted in this and other VPN vrfs docs are:
>
>
>
> If the VPN interface is a VRF interface, then the ISAKMP key should be a VRF
> key, meaning there should be a keyring associated with the ISAKMP profile
> attached to the crypto map.
>
>
>
> If the VPN interface is not VRF interface, then the route configured remote
> proxies should have the global keyword.
>
> With regards
>
> Kings
>
> On Fri, Apr 16, 2010 at 9:53 PM, Brandon Carroll <[email protected]>
> wrote:
>
> I'm assuming you're using this document:
>
>
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm
>
>
>
> It shows the VRF applied to the interface as well as some examples with
> isakmp profiles.
>
>
>
>
>
> Regards,
>
>
>
> Brandon Carroll - CCIE #23837
>
> Senior Technical Instructor - IPexpert
>
> Mailto: [email protected]
>
> Telephone: +1.810.326.1444
>
> Live Assistance, Please visit: www.ipexpert.com/chat
>
> eFax: +1.810.454.0130
>
> On Apr 16, 2010, at 3:33 AM, Badar Farooq wrote:
>
>
>
> I am trying to establish a VRF aware ipsec tunnel using VTI.
> I have tried a million permutations and nothing seems to work. For
> starters, when I associate the isakmp profile with the vrf and then attach
> it to ipsec profile, when I apply tunnel protection I get the message
>
>
>  ISAKMP Profile attached to IPSec Profile 'ipsec-prof' has vrf configured.
>  Please remove vrf from ISAKMP Profile and reapply tunnel protection.
>
> But this appears to be dependent on version.
>
> I have tried putting source of the tunnel in the same VRF, different/no
> VRF, tunnel VRF command, and everything else I can think of...
>
> Can somebody create and send a working config for this simple scenario
>
> R1 (f0/0)--------------(f0/0)R2 and we need to encrypt traffic between
> their loopbacks 1.1.1.1 and 2.2.2.2 using vrf aware ipsec and VTI
>
>
> Regards
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com