That is not going to work for you. There is a workaround that has been mentioned in my discussion on CLN. It's because you can't add a route which points to a next hop in another VRF. You can only point to global routing. That's a limitation.

https://learningnetwork.cisco.com/thread/35218

Otherwise use SVTIs, which is the approach that should be used.

With regards
Kings
CCNA, CCSP, CCNP, CCIP, CCIE 35914 (Security)

On Mon, Aug 27, 2012 at 5:48 PM, Ben Shaw <[email protected]> wrote:
> Hi All
>
> I think I have been able to get my head around VRF-aware IPsec,
> especially when using an FVRF and IVRF; however I am still having an issue
> getting it working, which I think is related to routing.
>
> In my example one router is not using VRF (R3) and the other (R4) is using
> VRF1 and VRF2 as the FVRF and IVRF respectively.
>
> The two routers can negotiate P1 and P2 fine; however R4 will not send
> packets into the tunnel. Packets from the R3 router reach R4, as I can see
> the decryption counter increasing on R4, however the encryption counter
> stays on 0 on R4, which I believe is due to routing not operating correctly
> on it. I have enabled reverse-route injection on the crypto maps on both
> sides, which was required to have the tunnel initiate from R3's side, but
> it still doesn't allow return encrypted traffic from R4.
>
> Below is my configuration on R4, which is using VRF
>
> ip vrf vrf1
>  rd 100:1
>  route-target export 100:1
>  route-target import 100:1
> !
> ip vrf vrf2
>  rd 101:1
>  route-target export 101:1
>  route-target import 101:1
> !
> crypto keyring kring1 vrf vrf1
>   pre-shared-key address 150.1.3.3 key cisco
> !
> crypto isakmp policy 10
>  encr aes 256
>  authentication pre-share
>  lifetime 600
> !
> crypto isakmp profile isaprof1
>    vrf vrf2
>    keyring kring1
>    self-identity address
>    match identity address 150.1.3.3 255.255.255.255 vrf1
> !
> crypto ipsec transform-set aes-sha esp-aes 256 esp-sha-hmac
> !
> crypto map cmap1 local-address Loopback0
> crypto map cmap1 isakmp-profile isaprof1
> crypto map cmap1 10 ipsec-isakmp
>  set peer 150.1.3.3
>  set transform-set aes-sha
>  set pfs group1
>  set isakmp-profile isaprof1
>  match address crypto1
>  reverse-route static
> !
> interface Loopback0
>  ip vrf forwarding vrf1
>  ip address 150.1.4.4 255.255.255.0
>  ip ospf network point-to-point
> !
> interface Loopback4
>  ip vrf forwarding vrf2
>  ip address 10.4.4.4 255.255.255.0
> !
> interface Serial0/0.1245 point-to-point
>  ip vrf forwarding vrf1
>  ip address 136.1.0.4 255.255.255.0
>  ip ospf network point-to-multipoint
>  snmp trap link-status
>  frame-relay interface-dlci 405
>  crypto map cmap1
> !
> interface Serial0/1
>  ip vrf forwarding vrf1
>  ip address 136.1.45.4 255.255.255.0
>  encapsulation ppp
>  ip ospf cost 9999
>  clock rate 64000
>  crypto map cmap1
> !
> ip access-list extended crypto1
>  permit ip 10.4.4.0 0.0.0.255 136.1.100.0 0.0.0.255
>
>
> And here is the routing table from each VRF on R4
>
> R4#sh ip route vrf vrf2
> ~~~
> Gateway of last resort is not set
> ~~~
>      136.1.0.0/24 is subnetted, 1 subnets
> S       136.1.100.0 [1/0] via 150.1.3.3
>      10.0.0.0/24 is subnetted, 1 subnets
> C       10.4.4.0 is directly connected, Loopback4
>
> R4#show ip route vrf vrf1 | i 150.1.3
> O IA    150.1.3.3/32 [110/139] via 136.1.0.5, 01:53:52, Serial0/0.1245
> R4#show ip route vrf vrf1 | i 136.1.100
> O IA    136.1.100.0/24 [110/148] via 136.1.0.5, 01:54:08, Serial0/0.1245
>
> Below is the status of the P1 and P2 SAs
>
> R4#sh cry is sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id slot status
> 150.1.3.3       150.1.4.4       QM_IDLE           1006    0 ACTIVE isaprof1
>
> R4#sh cry ipsec sa
>
> interface: Serial0/0.1245
>     Crypto map tag: cmap1, local addr 150.1.4.4
>
>    protected vrf: vrf2
>    local  ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
>    remote ident (addr/mask/prot/port): (136.1.100.0/255.255.255.0/0/0)
>    current_peer 150.1.3.3 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>     #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
> ~~~
>
>
> Can anyone enlighten me as to what I am missing? I have seen examples for
> this setup which use the global routing table as the FVRF and a VRF for the
> IVRF, which then define static routes in the VRF using the global keyword,
> but I don't think this is of any use here as I am using two VRFs.
>
> Thanks
> Ben
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
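As an added example (not from either poster), this is the SVTI layout Kings points to, written against Ben's existing R4 objects (vrf1 as FVRF, vrf2 as IVRF, keyring kring1, ISAKMP profile isaprof1, transform-set aes-sha). The ipsec profile name ipsecprof1 and the 172.16.0.0/30 tunnel addressing are constructed, and R3 is assumed to receive the mirror tunnel configuration. The point it illustrates is that the vrf2 route now points at Tunnel0, an interface that lives in vrf2, so no static route has to name a next hop in another VRF; the encrypted packets are then forwarded in vrf1 by `tunnel vrf vrf1`.

```text
! Added example, not the original poster's configuration.
! With a VTI the IVRF is taken from the tunnel interface, so the
! "vrf vrf2" line is dropped from the ISAKMP profile.
crypto isakmp profile isaprof1
 keyring kring1
 self-identity address
 match identity address 150.1.3.3 255.255.255.255 vrf1
!
! ipsecprof1 is a constructed name; it reuses the existing transform-set
crypto ipsec profile ipsecprof1
 set transform-set aes-sha
 set pfs group1
 set isakmp-profile isaprof1
!
! IVRF: "ip vrf forwarding vrf2" places cleartext traffic in vrf2.
! FVRF: "tunnel vrf vrf1" routes the ESP packets in vrf1, where
! Loopback0 (150.1.4.4) and the path to 150.1.3.3 live.
! 172.16.0.4/30 is constructed addressing.
interface Tunnel0
 ip vrf forwarding vrf2
 ip address 172.16.0.4 255.255.255.252
 tunnel source Loopback0
 tunnel destination 150.1.3.3
 tunnel mode ipsec ipv4
 tunnel vrf vrf1
 tunnel protection ipsec profile ipsecprof1
!
! The crypto maps come off the physical interfaces; the tunnel
! interface carries the protection now.
interface Serial0/0.1245 point-to-point
 no crypto map cmap1
!
interface Serial0/1
 no crypto map cmap1
!
! Route the remote prefix into the tunnel inside the IVRF. The
! next hop is Tunnel0 itself, so nothing in vrf2 has to reference
! a next hop in vrf1 or in the global table.
ip route vrf vrf2 136.1.100.0 255.255.255.0 Tunnel0
```

After the change, `show crypto ipsec sa` on R4 should report the tunnel under `interface: Tunnel0` with both the encaps and decaps counters moving once R3 carries the mirror configuration.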
