ast0n
asked on
VRF Lite and EasyVPN
I want to be able to tunnel to a 2800 router over IPSec VPN (I use EasyVPN) that has VRF instances on it. I've searched the net and come across what looks to be the solution, and although I manage to connect to the router with the VPN client, I can't ping the loopback in the VRF created. The tunnel looks OK, but it's like it isn't a member of the VRF I want to reach.
Here is the config:
!
version 12.4
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTH_EZVPN local
aaa authorization network default local
aaa authorization network AUTHOR_EZVPN local
!
aaa session-id common
!
!
ip cef
!
!
ip vrf VRF_EZVPN
rd 1:100
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
!
username user password 0 cisco
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group GROUP_EZVPN
key CISCO
pool POOL_EZVPN
acl ACL_EZVPN
crypto isakmp profile ISAKMP_PROFILE_EZVPN
match identity group GROUP_EZVPN
client authentication list AUTH_EZVPN
isakmp authorization list AUTHOR_EZVPN
client configuration address respond
client configuration group GROUP_EZVPN
virtual-template 1
!
!
crypto ipsec transform-set TS_3DES_SHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
set transform-set TS_3DES_SHA
set isakmp-profile ISAKMP_PROFILE_EZVPN
!
!
!
!
!
interface Loopback0
ip vrf forwarding VRF_EZVPN
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip vrf forwarding VRF_EZVPN
no ip address
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool POOL_EZVPN 10.10.1.1 10.10.1.254
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended ACL_EZVPN
permit ip host 0.0.0.0 any
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line 1/0 1/15
line vty 0 4
!
scheduler allocate 20000 1000
!
end
Also, you can do a show ip route vrf (vrf name) to verify the routes.
ASKER
Hi cdusio,
I've added the route-target but no luck reaching the Loopback0; here are the routes with the EasyVPN tunnel up:
Router#sh ip route vrf VRF_EZVPN
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 10.10.1.2/32 [1/0] via 0.0.0.0, Virtual-Access2
C 10.0.0.0/24 is directly connected, Loopback0
Where are you trying to ping from?
ASKER
I'm pinging from a laptop that's connected directly to Fa0/0 and running EasyVPN.
I can reach Loopback0 when pinging from the router using: ping vrf VRF_EZVPN 10.0.0.1
Ping the loopback, sourcing the ping from the virtual-access interface. Does that work?
ASKER CERTIFIED SOLUTION
ip vrf VRF_EZVPN
 rd 1:100
 route-target import 1:100
 route-target export 1:100
Try that.
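Added example, not from the thread: a small Python checker that parses the VRF and interface stanzas of an IOS config and reports the two things debated above, whether the Virtual-Template and the target loopback sit in the same VRF, and whether that VRF has an rd plus route-target import/export. The embedded config is a constructed sample built from the asker's stanzas with the accepted answer's route-target lines added; it uses the hyphenated IOS form route-target but the parser also accepts the unhyphenated spelling posted above.

```python
import re

# Constructed sample: the asker's VRF and interface stanzas plus the accepted
# answer's route-target lines (not copied from a live router).
SAMPLE_CONFIG = """\
ip vrf VRF_EZVPN
 rd 1:100
 route-target import 1:100
 route-target export 1:100
!
interface Loopback0
 ip vrf forwarding VRF_EZVPN
 ip address 10.0.0.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_EZVPN
!
"""

def parse_ios(config):
    # Returns (vrfs, ifaces): vrf name -> rd/import/export, interface -> VRF or 'global'.
    vrfs, ifaces, kind, name = {}, {}, None, None
    for line in config.splitlines():
        if not line.startswith(" "):          # unindented line: new stanza or '!'
            m = re.match(r"(ip vrf|interface) (\S+)", line)
            kind = name = None
            if m and m.group(1) == "ip vrf":
                kind, name = "vrf", m.group(2)
                vrfs[name] = {"rd": None, "import": set(), "export": set()}
            elif m:
                kind, name = "iface", m.group(2)
                ifaces[name] = "global"       # until 'ip vrf forwarding' is seen
            continue
        cmd = line.strip()
        if kind == "vrf":
            if (m := re.match(r"rd (\S+)", cmd)):
                vrfs[name]["rd"] = m.group(1)
            elif (m := re.match(r"route[- ]target (import|export) (\S+)", cmd)):
                vrfs[name][m.group(1)].add(m.group(2))
        elif kind == "iface" and (m := re.match(r"ip vrf forwarding (\S+)", cmd)):
            ifaces[name] = m.group(1)
    return vrfs, ifaces

def vrf_findings(config, tunnel_iface, target_iface):
    # Lists config reasons why tunnel_iface traffic would not reach target_iface's VRF.
    vrfs, ifaces = parse_ios(config)
    t, d = ifaces.get(tunnel_iface, "global"), ifaces.get(target_iface, "global")
    out = [] if t == d else [f"{tunnel_iface} is in {t}, {target_iface} is in {d}"]
    if (v := vrfs.get(t)):
        out += [f"{t}: missing {k}" for k in ("rd", "import", "export") if not v[k]]
    return out
```

Run vrf_findings(SAMPLE_CONFIG, "Virtual-Template1", "Loopback0") against a saved show running-config; an empty list means the VRF membership and route targets match, and anything else names the missing piece.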