
VRF Lite and EasyVPN

I want to be able to tunnel to a 2800 router over IPSec VPN (I use EasyVPN) that has VRF instances on it. I've searched the net and come across what looks to be the solution, and although I manage to connect to the router with the VPN client, I can't ping the loopback in the VRF created. The tunnel looks OK but it's like it isn't a member of the VRF I want to reach.


Here is the config:

!
version 12.4
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTH_EZVPN local
aaa authorization network default local
aaa authorization network AUTHOR_EZVPN local
!
aaa session-id common
!
!
ip cef
!
!
ip vrf VRF_EZVPN
 rd 1:100
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
username user password 0 cisco
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GROUP_EZVPN
 key CISCO
 pool POOL_EZVPN
 acl ACL_EZVPN
crypto isakmp profile ISAKMP_PROFILE_EZVPN
   match identity group GROUP_EZVPN
   client authentication list AUTH_EZVPN
   isakmp authorization list AUTHOR_EZVPN
   client configuration address respond
   client configuration group GROUP_EZVPN
   virtual-template 1
!
!
crypto ipsec transform-set TS_3DES_SHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
 set transform-set TS_3DES_SHA
 set isakmp-profile ISAKMP_PROFILE_EZVPN
!
!
!
!
!
interface Loopback0
 ip vrf forwarding VRF_EZVPN
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool POOL_EZVPN 10.10.1.1 10.10.1.254
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended ACL_EZVPN
 permit ip host 0.0.0.0 any
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line 1/0 1/15
line vty 0 4
!
scheduler allocate 20000 1000
!
end
Asked by: ast0n
1 Solution
 
cdusio Commented:
Do you have to specify route target import and export?
ip vrf VRF_EZVPN
 rd 1:100
 route-target import 1:100
 route-target export 1:100

Try that.

cdusio Commented:
Also, you can do a show ip route vrf (vrf name) to verify the routes.

ast0n (Author) Commented:
Hi cdusio,

I've added the route-target but no luck reaching the loopback0. Here are the routes with the EasyVPN tunnel up:

Router#sh ip route vrf VRF_EZVPN

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.10.1.2/32 [1/0] via 0.0.0.0, Virtual-Access2
C       10.0.0.0/24 is directly connected, Loopback0
 
cdusio Commented:
Where are you trying to ping from?

ast0n (Author) Commented:
I'm pinging from a laptop that's connected directly to the Fa0/0 and running the EasyVPN.
I can reach Loopback0 when pinging from the router using: ping vrf VRF_EZVPN 10.0.0.1

cdusio Commented:
Ping the loopback, sourcing the ping from the virtual-access interface. Does that work?

ast0n (Author) Commented:
It's working; apparently in the configuration the tunnel didn't terminate at loopback0:

interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN

Missing here is: ip unnumbered Loopback0
and remove the no ip address
Question has a verified solution.