Hi All
I think I have been able to get my head around VRF-Aware IPsec,
especially when using an FVRF and IVRF; however, I still have an issue
getting it to work, which I think is related to routing.
In my example one router is not using VRF (R3) and the other (R4) is using
VRF1 and VRF2 as the FVRF and IVRF respectively.
The two routers can negotiate Phase 1 and Phase 2 fine; however, R4 will not send
packets into the tunnel. Packets from the R3 router reach R4, as I can see
the decryption counter increasing on R4, but the encryption counter
stays at 0 on R4, which I believe is due to routing not operating correctly
on it. I have enabled reverse-route injection on the crypto maps on both
sides, which was required to have the tunnel initiate from R3's side, but it
still doesn't allow return encrypted traffic from R4.
Below is my configuration on R4, which is using VRF:
ip vrf vrf1
rd 100:1
route-target export 100:1
route-target import 100:1
!
ip vrf vrf2
rd 101:1
route-target export 101:1
route-target import 101:1
!
crypto keyring kring1 vrf vrf1
pre-shared-key address 150.1.3.3 key cisco
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
lifetime 600
!
crypto isakmp profile isaprof1
vrf vrf2
keyring kring1
self-identity address
match identity address 150.1.3.3 255.255.255.255 vrf1
!
crypto ipsec transform-set aes-sha esp-aes 256 esp-sha-hmac
!
crypto map cmap1 local-address Loopback0
crypto map cmap1 isakmp-profile isaprof1
crypto map cmap1 10 ipsec-isakmp
set peer 150.1.3.3
set transform-set aes-sha
set pfs group1
set isakmp-profile isaprof1
match address crypto1
reverse-route static
!
interface Loopback0
ip vrf forwarding vrf1
ip address 150.1.4.4 255.255.255.0
ip ospf network point-to-point
!
interface Loopback4
ip vrf forwarding vrf2
ip address 10.4.4.4 255.255.255.0
!
interface Serial0/0.1245 point-to-point
ip vrf forwarding vrf1
ip address 136.1.0.4 255.255.255.0
ip ospf network point-to-multipoint
snmp trap link-status
frame-relay interface-dlci 405
crypto map cmap1
!
interface Serial0/1
ip vrf forwarding vrf1
ip address 136.1.45.4 255.255.255.0
encapsulation ppp
ip ospf cost 9999
clock rate 64000
crypto map cmap1
!
ip access-list extended crypto1
permit ip 10.4.4.0 0.0.0.255 136.1.100.0 0.0.0.255
And here is the routing table from each VRF on R4:
R4#sh ip route vrf vrf2
~~~
Gateway of last resort is not set
~~~
136.1.0.0/24 is subnetted, 1 subnets
S 136.1.100.0 [1/0] via 150.1.3.3
10.0.0.0/24 is subnetted, 1 subnets
C 10.4.4.0 is directly connected, Loopback4
R4#show ip route vrf vrf1 | i 150.1.3
O IA 150.1.3.3/32 [110/139] via 136.1.0.5, 01:53:52, Serial0/0.1245
R4#show ip route vrf vrf1 | i 136.1.100
O IA 136.1.100.0/24 [110/148] via 136.1.0.5, 01:54:08, Serial0/0.1245
Below is the status of the Phase 1 and Phase 2 SAs:
R4#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
150.1.3.3 150.1.4.4 QM_IDLE 1006 0 ACTIVE isaprof1
R4#sh cry ipsec sa
interface: Serial0/0.1245
Crypto map tag: cmap1, local addr 150.1.4.4
protected vrf: vrf2
local ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (136.1.100.0/255.255.255.0/0/0)
current_peer 150.1.3.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
~~~
Can anyone enlighten me as to what I am missing? I have seen examples for
this setup which use the global routing table as the FVRF and a VRF for the
IVRF, which then define static routes in the VRF using the global keyword,
but I don't think this is of any use here as I am using two VRFs.
Thanks
Ben
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
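An added example, not part of Ben's post or any vendor tool: a small Python check that models the two VRF routing tables from the post and reports any route whose next hop cannot be resolved inside its own VRF (the routing condition the post suspects). The vrf1 connected routes are filled in from the interface configuration, since the filtered show output does not display them; everything else is taken from the post.

```python
import ipaddress
from collections import namedtuple

# prefix: IPv4Network; nexthop: None for connected routes; interface: None when
# the route names only a next hop (the RRI static in vrf2)
Route = namedtuple("Route", "prefix nexthop interface")

def build(rows):
    return [Route(ipaddress.ip_network(p), nh, intf) for p, nh, intf in rows]

# Constructed from the post's 'show ip route vrf' output; the vrf1 connected
# routes are filled in from the interface configuration (the filtered output
# in the post did not display them).
VRF_TABLES = {
    "vrf1": build([
        ("136.1.0.0/24", None, "Serial0/0.1245"),
        ("136.1.45.0/24", None, "Serial0/1"),
        ("150.1.4.0/24", None, "Loopback0"),
        ("150.1.3.3/32", "136.1.0.5", "Serial0/0.1245"),    # O IA
        ("136.1.100.0/24", "136.1.0.5", "Serial0/0.1245"),  # O IA
    ]),
    "vrf2": build([
        ("10.4.4.0/24", None, "Loopback4"),
        ("136.1.100.0/24", "150.1.3.3", None),              # S, injected by RRI
    ]),
}

def lookup(table, addr):
    """Longest-prefix match for addr within a single VRF table."""
    a = ipaddress.ip_address(addr)
    hits = [r for r in table if a in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def resolve(table, addr, depth=0):
    """Resolve addr to an egress interface using only this VRF; None if impossible."""
    r = lookup(table, addr)
    if r is None or depth > 8:
        return None
    return r.interface if r.interface else resolve(table, r.nexthop, depth + 1)

def audit(tables):
    """Routes whose next hop is unresolvable in their own VRF, with the VRFs that could resolve it."""
    findings = []
    for vrf, table in tables.items():
        for r in table:
            if r.nexthop and resolve(table, r.nexthop) is None:
                others = [v for v, t in tables.items() if v != vrf and resolve(t, r.nexthop)]
                findings.append((vrf, str(r.prefix), r.nexthop, others))
    return findings
```

Running `audit(VRF_TABLES)` flags only the vrf2 static to 136.1.100.0/24: its next hop 150.1.3.3 has no route in vrf2 but is reachable in vrf1, so vrf2 on its own cannot forward that traffic toward the crypto-map interface.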