Solved

VRF Lite and EasyVPN

Posted on 2010-09-15
Last Modified: 2012-05-10
I want to be able to tunnel to a 2800 router over IPSec VPN (I use EasyVPN) that has VRF instances on it. I've searched the net and come across what looks to be the solution, and although I manage to connect to the router with the VPN client, I can't ping the loopback in the VRF created. The tunnel looks OK but it's like it isn't a member of the VRF I want to reach.


Here is the config:

!
version 12.4
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTH_EZVPN local
aaa authorization network default local
aaa authorization network AUTHOR_EZVPN local
!
aaa session-id common
!
!
ip cef
!
!
ip vrf VRF_EZVPN
 rd 1:100
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
username user password 0 cisco
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GROUP_EZVPN
 key CISCO
 pool POOL_EZVPN
 acl ACL_EZVPN
crypto isakmp profile ISAKMP_PROFILE_EZVPN
   match identity group GROUP_EZVPN
   client authentication list AUTH_EZVPN
   isakmp authorization list AUTHOR_EZVPN
   client configuration address respond
   client configuration group GROUP_EZVPN
   virtual-template 1
!
!
crypto ipsec transform-set TS_3DES_SHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
 set transform-set TS_3DES_SHA
 set isakmp-profile ISAKMP_PROFILE_EZVPN
!
!
!
!
!
interface Loopback0
 ip vrf forwarding VRF_EZVPN
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool POOL_EZVPN 10.10.1.1 10.10.1.254
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended ACL_EZVPN
 permit ip host 0.0.0.0 any
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line 1/0 1/15
line vty 0 4
!
scheduler allocate 20000 1000
!
end
Question by:ast0n
 
LVL 1

Expert Comment

by:cdusio
ID: 33686186
Do you have to specify route target import and export?
ip vrf VRF_EZVPN
 rd 1:100
 route-target import 1:100
 route-target export 1:100

Try that.
 
LVL 1

Expert Comment

by:cdusio
ID: 33686194
Also, you can do a show ip route vrf (vrf name) to verify the routes.
 

Author Comment

by:ast0n
ID: 33686326
Hi cdusio,

I've added the route-target but no luck reaching the Loopback0. Here are the routes with the EasyVPN tunnel up:

Router#sh ip route vrf VRF_EZVPN

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.10.1.2/32 [1/0] via 0.0.0.0, Virtual-Access2
C       10.0.0.0/24 is directly connected, Loopback0
 
LVL 1

Expert Comment

by:cdusio
ID: 33686364
Where are you trying to ping from?
 

Author Comment

by:ast0n
ID: 33686398
I'm pinging from a laptop that's connected directly to the Fa0/0 and running the EasyVPN.
I can reach Loopback0 when pinging from the router using: ping vrf VRF_EZVPN 10.0.0.1
 
LVL 1

Expert Comment

by:cdusio
ID: 33686479
Ping the loopback and source the ping from the virtual-access interface. Does that work?
 

Accepted Solution

by:ast0n
ID: 33701261
It's working; apparently in the configuration the tunnel didn't terminate at Loopback0:

interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN

What is missing here is: ip unnumbered Loopback0
and remove the no ip address
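
An added example, not part of the original thread: a Python check (function names are hypothetical) that scans an IOS configuration for IPsec virtual-template interfaces left without an address, the condition the accepted solution fixed. It also flags an ip unnumbered donor that sits in a different VRF from the template, which is an assumption of this example about what a consistent config looks like. The sample config is constructed from the interface stanzas posted in the question.

```python
import re

# Constructed sample: the interface stanzas from the question's config.
SAMPLE_CONFIG = """\
interface Loopback0
 ip vrf forwarding VRF_EZVPN
 ip address 10.0.0.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
"""

def parse_interfaces(config):
    """Map interface name -> list of its sub-commands (stripped)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any global command ends the stanza
    return interfaces

def vrf_of(cmds):
    """Return the VRF an interface is bound to, or None for the global table."""
    return next((c.split()[3] for c in cmds if c.startswith("ip vrf forwarding ")), None)

def audit_tunnel_templates(config):
    """Return findings for IPsec virtual templates with no usable address."""
    ifs, findings = parse_interfaces(config), []
    for name, cmds in ifs.items():
        is_ipsec = any(c.startswith("tunnel protection ipsec") for c in cmds)
        if not (name.startswith("Virtual-Template") and is_ipsec):
            continue
        donor = next((c.split()[2] for c in cmds if c.startswith("ip unnumbered ")), None)
        if donor is None:
            if not any(re.match(r"ip address \S+ \S+", c) for c in cmds):
                findings.append(f"{name}: no address, add 'ip unnumbered <interface>'")
        elif donor not in ifs:
            findings.append(f"{name}: unnumbered to undefined {donor}")
        elif vrf_of(ifs[donor]) != vrf_of(cmds):
            findings.append(f"{name}: {donor} is in a different VRF")
    return findings
```

On IOS, applying ip vrf forwarding to an interface removes its existing IP addressing, so ip unnumbered Loopback0 has to be entered after the VRF binding.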