Solved

VRF Lite and EasyVPN

Posted on 2010-09-15
7
1,822 Views
Last Modified: 2012-05-10
I want to be able to tunnel to a 2800 router over IPSec VPN (i use EasyVPN) that has VRF instances on it. I've search the net and come across what looks to be the solution and although I manage to connect to the router with the VPN client I cant ping the loopback in the VRF created. The tunnel looks OK but it's like it isnt a member of the VRF I want to reach.


Here is the config:

!
version 12.4
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTH_EZVPN local
aaa authorization network default local
aaa authorization network AUTHOR_EZVPN local
!
aaa session-id common
!
!
ip cef
!
!
ip vrf VRF_EZVPN
 rd 1:100
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
username user password 0 cisco
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GROUP_EZVPN
 key CISCO
 pool POOL_EZVPN
 acl ACL_EZVPN
crypto isakmp profile ISAKMP_PROFILE_EZVPN
   match identity group GROUP_EZVPN
   client authentication list AUTH_EZVPN
   isakmp authorization list AUTHOR_EZVPN
   client configuration address respond
   client configuration group GROUP_EZVPN
   virtual-template 1
!
!
crypto ipsec transform-set TS_3DES_SHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
 set transform-set TS_3DES_SHA
 set isakmp-profile ISAKMP_PROFILE_EZVPN
!
!
!
!
!
interface Loopback0
 ip vrf forwarding VRF_EZVPN
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool POOL_EZVPN 10.10.1.1 10.10.1.254
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended ACL_EZVPN
 permit ip host 0.0.0.0 any
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line 1/0 1/15
line vty 0 4
!
scheduler allocate 20000 1000
!
end
0
Comment
Question by:ast0n
  • 4
  • 3
7 Comments
 
LVL 1

Expert Comment

by:cdusio
ID: 33686186
do you have to specify route target import and export?
ip vrf VRF_EZVPN
 rd 1:100
route target import 1:100
route target export 1:100

try that.
0
 
LVL 1

Expert Comment

by:cdusio
ID: 33686194
also you can do a show ip route vrf (vrf name) to verfy the routes.
0
 

Author Comment

by:ast0n
ID: 33686326
Hi cdusio,

ive added the route-target but no luck reaching the loopback0, here is the routes with the EasyVPN tunnel up:

Router#sh ip route vrf VRF_EZVPN

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.10.1.2/32 [1/0] via 0.0.0.0, Virtual-Access2
C       10.0.0.0/24 is directly connected, Loopback0
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 1

Expert Comment

by:cdusio
ID: 33686364
where are you trying to ping from?
0
 

Author Comment

by:ast0n
ID: 33686398
I'm pinging from a laptop thats connected directly to the Fa0/0 and running the easyVPN.
I can reach Loopback0 when pinging from the router using: ping vrf VRF_EZVPN 10.0.0.1
0
 
LVL 1

Expert Comment

by:cdusio
ID: 33686479
ping the loopback source the ping from the virtual-access interface. Does that work?
0
 

Accepted Solution

by:
ast0n earned 0 total points
ID: 33701261
It's working, aparently on the configuration the tunnel didnt terminate at loopback0:

interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN

Here is missing the: ip unnumbered Loopback0
and remove the no ip address
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now