RRI is valid when the tunnel is UP. The packet will not trigger the crypto unless it's first routed correctly.

Regards,
Piotr

2011/9/20 Adil Pasha <[email protected]>

> Thank you so much Piotr for this detailed explanation.
>
> In my configuration I do not have "ip route vrf inside 2.2.2.2
> 255.255.255.255 g0/0 10.1.12.2" instead I have "reverse-route" under crypto
> map. Is this an error?
>
> Perhaps that is why my scenario is not working.
>
> Best Regards.
> ______________________
> Adil
>
> On Sep 20, 2011, at 3:15 AM, Piotr Matusiak wrote:
>
> Hi Adil,
>
> Everything is fine with this doc. The scenario is like this:
>
> (lo0 VRF Inside) - R1 - (g0/0 VRF Outside) -------------- (VRF Outside g0/0) - R2 - (lo0 VRF Inside)
>
> First thing to notice is that FVRF (Frontdoor VRF) is there. The packet
> coming from the network is going directly to the VRF Outside - this is
> different than other scenarios. Most commonly there is no FVRF at all, so
> the packet hits the router via Global routing table.
>
> Now, to address that case, we need to tell the crypto engine where to look
> for those packets. You must configure KEYRING to be 'visible' inside VRF
> Outside and when you configure peer under the crypto map you must specify in
> what VRF the peer is.
>
> The reason it does not work for you is most probably a routing issue. In the
> above scenario you must use route leaking between VRFs to route packets
> between loopback IP addresses and hit the crypto map in other VRF.
>
> For example on R1 you should have:
> ip route vrf outside 0.0.0.0 0.0.0.0 10.1.12.2
> ip route vrf inside 2.2.2.2 255.255.255.255 g0/0 10.1.12.2
>
> Regards,
> Piotr
>
> 2011/9/20 Adil Pasha <[email protected]>
>
>> https://supportforums.cisco.com/docs/DOC-13524
>>
>> The question is for any IPSec VRF-AWARE guru.
>>
>> Why did the writer of the above article apply "ip vrf forwarding
>> internet-vrf" on the interface with "crypto map"?
>>
>> I have not seen any example with this kind of configuration and my tunnel
>> is not coming up.
>>
>> interface GigabitEthernet0/0
>>  description internet WAN link
>>  ip vrf forwarding internet-vrf
>>  ip address 10.1.1.3 255.255.255.224
>>
>>  crypto map mymap
>> !
>>
>> Cisco's document shows the above interface without "ip vrf" command. Just
>> the crypto map applied to it.
>>
>> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055196
>>
>> Best Regards.
>> ______________________
>> Adil
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
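A small consistency check for the points raised in this thread (a keyring visible in the FVRF, a route in the FVRF, and a static leak from the inside VRF out the crypto-map interface), added here as an illustration and not part of the original messages. The config text, the keyring name KR, the key placeholder and the addressing on g0/0 are constructed, and the function names are hypothetical.

```python
import re

def parse(cfg):
    """Collect crypto-map interfaces, keyring VRFs, static VRF routes and RRI use."""
    st = {"ifaces": {}, "keyring_vrfs": set(), "routes": [], "rri": False}
    cur = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            cur = None                      # an unindented line ends interface mode
        if m := re.match(r"interface (\S+)", line):
            cur = st["ifaces"].setdefault(m[1], {"vrf": None, "cmap": None})
        elif cur is not None and (m := re.match(r"ip vrf forwarding (\S+)", line)):
            cur["vrf"] = m[1]
        elif cur is not None and (m := re.match(r"crypto map (\S+)$", line)):
            cur["cmap"] = m[1]
        elif m := re.match(r"crypto keyring \S+ vrf (\S+)", line):
            st["keyring_vrfs"].add(m[1])
        elif m := re.match(r"ip route vrf (\S+) (.+)", line):
            st["routes"].append((m[1], m[2].split()))
        elif line == "reverse-route":
            st["rri"] = True
    return st

def same_if(abbr, full):
    """True if abbr (e.g. 'g0/0') abbreviates full (e.g. 'GigabitEthernet0/0')."""
    a, f = (re.match(r"([A-Za-z]+)(.*)", s) for s in (abbr, full))
    return bool(a and f) and f[1].lower().startswith(a[1].lower()) and a[2] == f[2]

def check(cfg):
    """Return findings for every crypto-map interface that sits in an FVRF."""
    st, findings = parse(cfg), []
    for name, i in st["ifaces"].items():
        fvrf = i["vrf"]
        if not i["cmap"] or not fvrf:
            continue                        # only the FVRF case from the thread
        if fvrf not in st["keyring_vrfs"]:
            findings.append(f"no keyring visible in FVRF {fvrf}")
        if not any(v == fvrf for v, _ in st["routes"]):
            findings.append(f"no static route in FVRF {fvrf} toward the peer")
        if not any(v != fvrf and any(same_if(t, name) for t in a) for v, a in st["routes"]):
            msg = f"no static route leaking another VRF out {name}"
            if st["rri"]:
                msg += " (reverse-route installs routes only once the tunnel is up)"
            findings.append(msg)
    return findings

LEAK = "ip route vrf inside 2.2.2.2 255.255.255.255 g0/0 10.1.12.2\n"
# Constructed R1 config following the static routes suggested in the thread.
GOOD = ("crypto keyring KR vrf outside\n pre-shared-key address 10.1.12.2 key EXAMPLE-KEY\n"
        "crypto map mymap 10 ipsec-isakmp\n set peer 10.1.12.2\n"
        "interface GigabitEthernet0/0\n ip vrf forwarding outside\n"
        " ip address 10.1.12.1 255.255.255.0\n crypto map mymap\n"
        "ip route vrf outside 0.0.0.0 0.0.0.0 10.1.12.2\n" + LEAK)
# Constructed variant: reverse-route under the crypto map instead of the leak route.
RRI_ONLY = GOOD.replace(LEAK, "").replace(" set peer 10.1.12.2\n", " set peer 10.1.12.2\n reverse-route\n")
```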
