Solved

VRF Lite and EasyVPN

Posted on 2010-09-15
Last Modified: 2012-05-10
I want to be able to tunnel to a 2800 router over IPSec VPN (I use EasyVPN) that has VRF instances on it. I've searched the net and come across what looks to be the solution, and although I manage to connect to the router with the VPN client I can't ping the loopback in the VRF created. The tunnel looks OK but it's like it isn't a member of the VRF I want to reach.


Here is the config:

!
version 12.4
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTH_EZVPN local
aaa authorization network default local
aaa authorization network AUTHOR_EZVPN local
!
aaa session-id common
!
!
ip cef
!
!
ip vrf VRF_EZVPN
 rd 1:100
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
username user password 0 cisco
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GROUP_EZVPN
 key CISCO
 pool POOL_EZVPN
 acl ACL_EZVPN
crypto isakmp profile ISAKMP_PROFILE_EZVPN
   match identity group GROUP_EZVPN
   client authentication list AUTH_EZVPN
   isakmp authorization list AUTHOR_EZVPN
   client configuration address respond
   client configuration group GROUP_EZVPN
   virtual-template 1
!
!
crypto ipsec transform-set TS_3DES_SHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
 set transform-set TS_3DES_SHA
 set isakmp-profile ISAKMP_PROFILE_EZVPN
!
!
!
!
!
interface Loopback0
 ip vrf forwarding VRF_EZVPN
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool POOL_EZVPN 10.10.1.1 10.10.1.254
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended ACL_EZVPN
 permit ip host 0.0.0.0 any
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line 1/0 1/15
line vty 0 4
!
scheduler allocate 20000 1000
!
end
0
Question by:ast0n
 
LVL 1

Expert Comment

by:cdusio
ID: 33686186
Do you have to specify route target import and export?
ip vrf VRF_EZVPN
 rd 1:100
 route-target import 1:100
 route-target export 1:100

Try that.
0
 
LVL 1

Expert Comment

by:cdusio
ID: 33686194
Also, you can do a show ip route vrf (vrf name) to verify the routes.
0
 

Author Comment

by:ast0n
ID: 33686326
Hi cdusio,

I've added the route-target but no luck reaching the Loopback0; here are the routes with the EasyVPN tunnel up:

Router#sh ip route vrf VRF_EZVPN

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.10.1.2/32 [1/0] via 0.0.0.0, Virtual-Access2
C       10.0.0.0/24 is directly connected, Loopback0
0

 
LVL 1

Expert Comment

by:cdusio
ID: 33686364
Where are you trying to ping from?
0
 

Author Comment

by:ast0n
ID: 33686398
I'm pinging from a laptop that's connected directly to the Fa0/0 and running the EasyVPN.
I can reach Loopback0 when pinging from the router using: ping vrf VRF_EZVPN 10.0.0.1
0
 
LVL 1

Expert Comment

by:cdusio
ID: 33686479
Ping the loopback and source the ping from the virtual-access interface. Does that work?
0
 

Accepted Solution

by:
ast0n earned 0 total points
ID: 33701261
It's working; apparently in the configuration the tunnel didn't terminate at Loopback0:

interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN

What is missing here is: ip unnumbered Loopback0
and remove the no ip address
0
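
A configuration check for the problem resolved in this thread, as an added example that is not part of the original posts: it parses an IOS configuration and flags any Virtual-Template interface that has neither ip unnumbered nor an ip address. The function names and the check that the unnumbered source sits in the same VRF as the template are assumptions of this example; BEFORE and AFTER are excerpts built from the configuration posted above.

```python
import re

# Excerpt of the question's configuration (the state before the fix).
BEFORE = """\
interface Loopback0
 ip vrf forwarding VRF_EZVPN
 ip address 10.0.0.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
"""
# Same excerpt with the accepted solution applied.
AFTER = BEFORE.replace(" no ip address\n", " ip unnumbered Loopback0\n")

def parse_interfaces(config):
    """Map interface name -> list of its sub-commands (indentation stripped)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def argument(lines, command):
    """Argument of the first sub-command starting with `command`, else None."""
    hits = (cmd[len(command):].strip() for cmd in lines if cmd.startswith(command + " "))
    return next(hits, None)

def check_virtual_templates(config):
    """Return findings for Virtual-Templates lacking a usable address in their VRF."""
    interfaces, findings = parse_interfaces(config), []
    for name, lines in interfaces.items():
        if not name.startswith("Virtual-Template"):
            continue
        vrf, source = argument(lines, "ip vrf forwarding"), argument(lines, "ip unnumbered")
        if source is None and argument(lines, "ip address") is None:
            findings.append(f"{name}: no ip unnumbered or ip address")
        elif source is not None and source not in interfaces:
            findings.append(f"{name}: unnumbered source {source} is not defined")
        elif source is not None and argument(interfaces[source], "ip vrf forwarding") != vrf:
            findings.append(f"{name}: {source} is in a different VRF")
    return findings
```

Because "no ip address" does not start with "ip address", the posted template is reported as having no address, while the corrected one passes.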
