Thank you so much, Piotr, for this detailed explanation. In my configuration I do not have "ip route vrf inside 2.2.2.2 255.255.255.255 g0/0 10.1.12.2"; instead I have "reverse-route" under the crypto map. Is this an error?
Perhaps that is why my scenario is not working.

Best Regards.
______________________
Adil

On Sep 20, 2011, at 3:15 AM, Piotr Matusiak wrote:

> Hi Adil,
>
> Everything is fine with this doc. The scenario is like this:
>
> (lo0 VRF Inside) - R1 - (g0/0 VRF Outside) -------------- (VRF Outside g0/0) - R2 - (lo0 VRF Inside)
>
> First thing to notice is that FVRF (Frontdoor VRF) is there. The packet
> coming from the network is going directly to the VRF Outside - this is
> different than other scenarios. Most commonly there is no FVRF at all, so the
> packet hits the router via Global routing table.
>
> Now, to address that case, we need to tell the crypto engine where to look
> for those packets. You must configure KEYRING to be 'visible' inside VRF
> Outside and when you configure peer under the crypto map you must specify in
> what VRF the peer is.
>
> The reason it does not work for you is most probably routing issue. In the
> above scenario you must use route leaking between VRFs to route packets
> between loopback IP addresses and hit the crypto map in other VRF.
>
> For example on R1 you should have:
> ip route vrf outside 0.0.0.0 0.0.0.0 10.1.12.2
> ip route vrf inside 2.2.2.2 255.255.255.255 g0/0 10.1.12.2
>
> Regards,
> Piotr
>
> 2011/9/20 Adil Pasha <[email protected]>
>
> https://supportforums.cisco.com/docs/DOC-13524
>
> The question is for any IPSec VRF-AWARE guru.
>
> Why did the writer of the above article apply "ip vrf forwarding
> internet-vrf" on the interface with "crypto map"?
>
> I have not seen any example with this kind of configuration and my tunnel is
> not coming up.
>
> interface GigabitEthernet0/0
>  description internet WAN link
>  ip vrf forwarding internet-vrf
>  ip address 10.1.1.3 255.255.255.224
>  crypto map mymap
> !
>
> Cisco's document shows the above interface without "ip vrf" command. Just the
> crypto map applied to it.
>
> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055196
>
> Best Regards.
> ______________________
> Adil
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
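Added example, not part of the thread, the Cisco document, or Piotr's or Adil's configuration: a complete R1 configuration for the two-VRF scenario Piotr describes (FVRF "outside" on the WAN interface carrying the crypto map, IVRF "inside" on the loopback), including the keyring bound to the FVRF, the ISAKMP profile that names the IVRF and the FVRF, and the two static routes (default route in the FVRF, leaked /32 in the IVRF) that get the loopback-to-loopback traffic onto the crypto map. VRF names, loopback addresses 1.1.1.1 / 2.2.2.2 and the 10.1.12.0/24 link are taken from the thread; the object names KR-OUTSIDE, ISAKMP-PROF, TS, CM and VPN-ACL, the pre-shared key, the RD values and the crypto algorithms are assumptions, written in 12.4T-era "ip vrf" syntax to match the thread.

```cisco
! R1 -- VRF-aware IPsec with a front-door VRF (outside) and an inside VRF (inside)
! Assumed names: KR-OUTSIDE, ISAKMP-PROF, TS, CM, VPN-ACL; the PSK "cisco" is a placeholder.
ip vrf outside
 rd 1:1
!
ip vrf inside
 rd 2:2
!
! The keyring is bound to the FVRF, because IKE packets from the peer arrive there.
crypto keyring KR-OUTSIDE vrf outside
 pre-shared-key address 10.1.12.2 key cisco
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! The ISAKMP profile ties the two VRFs together:
!   "vrf inside"                 = IVRF, where decrypted traffic is routed
!   "outside" on the match line  = FVRF, where the peer address is reachable
crypto isakmp profile ISAKMP-PROF
 vrf inside
 keyring KR-OUTSIDE
 match identity address 10.1.12.2 255.255.255.255 outside
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto map CM 10 ipsec-isakmp
 set peer 10.1.12.2
 set transform-set TS
 set isakmp-profile ISAKMP-PROF
 match address VPN-ACL
!
! Loopback in the IVRF; WAN interface (with the crypto map) in the FVRF
interface Loopback0
 ip vrf forwarding inside
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip vrf forwarding outside
 ip address 10.1.12.1 255.255.255.0
 crypto map CM
!
ip access-list extended VPN-ACL
 permit ip host 1.1.1.1 host 2.2.2.2
!
! Routing: the FVRF needs a route to the peer, and the IVRF needs the remote
! loopback leaked towards the FVRF interface so the packet reaches the crypto
! map. Without the second line a packet from Loopback0 to 2.2.2.2 has no route
! in VRF inside, is dropped, and never triggers the tunnel.
ip route vrf outside 0.0.0.0 0.0.0.0 10.1.12.2
ip route vrf inside 2.2.2.2 255.255.255.255 GigabitEthernet0/0 10.1.12.2
!
! R2 is the mirror image: swap 1.1.1.1 <-> 2.2.2.2 and 10.1.12.1 <-> 10.1.12.2.
```

On the reverse-route question: with a static crypto map, whether `reverse-route` installs the 2.2.2.2/32 route in the IVRF before any SA exists depends on the IOS release and on whether the `static` keyword is used; if the route only appears once the SA is up, traffic sourced from Loopback0 has no route to 2.2.2.2, never matches VPN-ACL, and the tunnel is never triggered. The explicit leaked static route above has no such dependency. To check: `ping vrf inside 2.2.2.2 source Loopback0` should bring the tunnel up, `show ip route vrf inside 2.2.2.2` should show the /32 via GigabitEthernet0/0, `show crypto isakmp sa` should show the peer in QM_IDLE, and `show crypto session detail` should list the session with the FVRF and IVRF named.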
