Solved

VRF Lite and EasyVPN

Posted on 2010-09-15
7
1,914 Views
Last Modified: 2012-05-10
I want to be able to tunnel to a 2800 router over IPSec VPN (i use EasyVPN) that has VRF instances on it. I've search the net and come across what looks to be the solution and although I manage to connect to the router with the VPN client I cant ping the loopback in the VRF created. The tunnel looks OK but it's like it isnt a member of the VRF I want to reach.


Here is the config:

!
version 12.4
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTH_EZVPN local
aaa authorization network default local
aaa authorization network AUTHOR_EZVPN local
!
aaa session-id common
!
!
ip cef
!
!
ip vrf VRF_EZVPN
 rd 1:100
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
username user password 0 cisco
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GROUP_EZVPN
 key CISCO
 pool POOL_EZVPN
 acl ACL_EZVPN
crypto isakmp profile ISAKMP_PROFILE_EZVPN
   match identity group GROUP_EZVPN
   client authentication list AUTH_EZVPN
   isakmp authorization list AUTHOR_EZVPN
   client configuration address respond
   client configuration group GROUP_EZVPN
   virtual-template 1
!
!
crypto ipsec transform-set TS_3DES_SHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
 set transform-set TS_3DES_SHA
 set isakmp-profile ISAKMP_PROFILE_EZVPN
!
!
!
!
!
interface Loopback0
 ip vrf forwarding VRF_EZVPN
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool POOL_EZVPN 10.10.1.1 10.10.1.254
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended ACL_EZVPN
 permit ip host 0.0.0.0 any
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line 1/0 1/15
line vty 0 4
!
scheduler allocate 20000 1000
!
end
0
Comment
Question by:ast0n
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 1

Expert Comment

by:cdusio
ID: 33686186
do you have to specify route target import and export?
ip vrf VRF_EZVPN
 rd 1:100
route target import 1:100
route target export 1:100

try that.
0
 
LVL 1

Expert Comment

by:cdusio
ID: 33686194
also you can do a show ip route vrf (vrf name) to verfy the routes.
0
 

Author Comment

by:ast0n
ID: 33686326
Hi cdusio,

ive added the route-target but no luck reaching the loopback0, here is the routes with the EasyVPN tunnel up:

Router#sh ip route vrf VRF_EZVPN

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.10.1.2/32 [1/0] via 0.0.0.0, Virtual-Access2
C       10.0.0.0/24 is directly connected, Loopback0
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Expert Comment

by:cdusio
ID: 33686364
where are you trying to ping from?
0
 

Author Comment

by:ast0n
ID: 33686398
I'm pinging from a laptop thats connected directly to the Fa0/0 and running the easyVPN.
I can reach Loopback0 when pinging from the router using: ping vrf VRF_EZVPN 10.0.0.1
0
 
LVL 1

Expert Comment

by:cdusio
ID: 33686479
ping the loopback source the ping from the virtual-access interface. Does that work?
0
 

Accepted Solution

by:
ast0n earned 0 total points
ID: 33701261
It's working, aparently on the configuration the tunnel didnt terminate at loopback0:

interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN

Here is missing the: ip unnumbered Loopback0
and remove the no ip address
0

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question