Hi Adil,

Everything is fine with this doc. The scenario is like this:

(lo0 VRF Inside) - R1 - (g0/0 VRF Outside) -------------- (VRF Outside g0/0) - R2 - (lo0 VRF Inside)

First thing to notice is that FVRF (Frontdoor VRF) is there. The packet coming from the network is going directly to the VRF Outside - this is different than other scenarios. Most commonly there is no FVRF at all, so the packet hits the router via Global routing table.

Now, to address that case, we need to tell the crypto engine where to look for those packets. You must configure KEYRING to be 'visible' inside VRF Outside and when you configure peer under the crypto map you must specify in what VRF the peer is.

The reason it does not work for you is most probably a routing issue. In the above scenario you must use route leaking between VRFs to route packets between loopback IP addresses and hit the crypto map in other VRF. For example on R1 you should have:

ip route vrf outside 0.0.0.0 0.0.0.0 10.1.12.2
ip route vrf inside 2.2.2.2 255.255.255.255 g0/0 10.1.12.2

Regards,
Piotr

2011/9/20 Adil Pasha <[email protected]>

> https://supportforums.cisco.com/docs/DOC-13524
>
> The question is for any IPSec VRF-AWARE guru.
>
> Why did the writer of the above article apply "ip vrf forwarding
> internet-vrf" on the interface with "crypto map"?
>
> I have not seen any example with this kind of configuration and my tunnel
> is not coming up.
>
> interface GigabitEthernet0/0
>  description internet WAN link
>  ip vrf forwarding internet-vrf
>  ip address 10.1.1.3 255.255.255.224
>  crypto map mymap
> !
>
> Cisco's document shows the above interface without "ip vrf" command. Just
> the crypto map applied to it.
>
> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055196
>
> Best Regards.
> ______________________
> Adil
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
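The three conditions named in the reply above (keyring visible in the front-door VRF, a route inside that VRF, and a route leaked from the other VRF through the crypto-map interface) can be checked mechanically against a running-config. The script below is an added example, not part of the original thread or of any Cisco tool. Assumptions: the sample config is constructed, the keyring name, key and crypto map name are placeholders, the peer address is taken to be the 10.1.12.2 next hop from the reply, and interface names appear in their full running-config form.

```python
# Constructed running-config for R1 in the thread's topology. Keyring name, key
# and crypto map name are placeholders; peer 10.1.12.2 is an assumption.
SAMPLE_R1 = """\
crypto keyring KR1 vrf outside
 pre-shared-key address 10.1.12.2 key PLACEHOLDER
interface GigabitEthernet0/0
 ip vrf forwarding outside
 crypto map MYMAP
ip route vrf outside 0.0.0.0 0.0.0.0 10.1.12.2
ip route vrf inside 2.2.2.2 255.255.255.255 GigabitEthernet0/0 10.1.12.2
"""

def parse(config):
    """Collect interface VRF/crypto map, keyring VRFs and VRF static routes."""
    ifaces, keyring_vrfs, routes, cur = {}, set(), [], None
    for line in config.splitlines():
        w = line.split() or [""]
        if not line.startswith(" "):
            cur = None  # a top-level command ends the interface block
        if w[0] == "interface":
            cur = ifaces.setdefault(w[1], {"vrf": None, "map": None})
        elif cur is not None and w[:3] == ["ip", "vrf", "forwarding"]:
            cur["vrf"] = w[3]
        elif cur is not None and w[:2] == ["crypto", "map"]:
            cur["map"] = w[2]
        elif w[:2] == ["crypto", "keyring"]:
            keyring_vrfs.add(w[4] if w[3:4] == ["vrf"] else None)
        elif w[:3] == ["ip", "route", "vrf"]:
            routes.append((w[3], w[4:]))  # (vrf, remainder of the route)
    return ifaces, keyring_vrfs, routes

def check_fvrf(config):
    """Return findings for crypto-map interfaces placed in a front-door VRF."""
    ifaces, keyring_vrfs, routes = parse(config)
    findings = []
    for name, i in ifaces.items():
        fvrf = i["vrf"]
        if not i["map"] or fvrf is None:
            continue  # no crypto map, or the interface is in the global table
        if fvrf not in keyring_vrfs:
            findings.append(f"{name}: no crypto keyring bound to VRF {fvrf}")
        if not any(v == fvrf for v, _ in routes):
            findings.append(f"{name}: no static route in VRF {fvrf}")
        if not any(v != fvrf and name in rest for v, rest in routes):
            findings.append(f"{name}: no route leaked from another VRF via {name}")
    return findings

if __name__ == "__main__":
    print(check_fvrf(SAMPLE_R1) or "FVRF checks passed")
```

An empty result only means the three static conditions are present; it does not prove the tunnel negotiates.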
