Odytest asked:
VRF Aware IPSEC Tunnel settings with scripting options.

I have an edge router that I am trying to get up and running as a VRF-based IPSEC concentrator. It's currently running Version 12.2(18)SXF17b Adv Ent.

Ideally I would like to use global loopback IPs to terminate the peering, and layer 3 Port-channel .1q sub-interfaces.

Specifically I have a 6509-E with RSP720-3BXLs and 2 WS-IPSEC-2G cards in the chassis.

crypto engine mode vrf is already enabled on the chassis.

I am wondering if I am missing anything else.

ip vrf TEST1
!
crypto keyring TEST1 vrf TEST1
 pre-shared-key address x.x.x.32 key 12345678
!
crypto isakmp policy 2000
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp profile TEST1
 vrf TEST1
 keyring TEST1
 match identity address x.x.x.188 TEST1
!
crypto ipsec transform-set TEST1 esp-3des esp-sha-hmac
!
crypto map TEST1 isakmp-profile TEST1
crypto map TEST1 2000 ipsec-isakmp
 set peer x.x.x.188
 set transform-set TEST1
 set isakmp-profile TEST1
 match address 2000
!
interface Port-channel1.2000
 encapsulation dot1Q 2000
 ip vrf forwarding TEST1
 ip address 10.98.0.254 255.255.255.0
!
interface Loopback2000
 ip address x.x.x.32 255.255.255.255
!
access-list 2000 permit ip 10.98.0.0 0.0.0.255 192.168.83.0 0.0.0.255 log
access-list 2000 permit ip 10.98.0.0 0.0.0.255 192.168.82.0 0.0.0.255 log
access-list 2000 remark "ACCESS LIST USED FOR TEST1 CRYPTOMAP/IPSEC TUNNEL"
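
An added consistency check for this kind of config (example code written for this page, not from the question, the answer, or Cisco IOS): it parses the stanzas of a running-config fragment and reports dangling or mismatched references, namely the keyring's VRF against the ISAKMP profile's VRF, whether the `set peer` address has a pre-shared key in the profile's keyring, and whether the crypto map is applied under any interface. The embedded sample is constructed from the posted config with 192.0.2.x (RFC 5737) in place of the masked x.x.x.32 and x.x.x.188; the `parse`, `arg` and `lint` helpers are the example's own.

```python
import re
# Needs Python 3.8+. Constructed sample modelled on the posted config; 192.0.2.x stand in for the masked x.x.x.32 (local loopback) and x.x.x.188 (remote peer).
SAMPLE = """\
crypto keyring TEST1 vrf TEST1
 pre-shared-key address 192.0.2.32 key 12345678
crypto isakmp profile TEST1
 vrf TEST1
 keyring TEST1
 match identity address 192.0.2.188 TEST1
crypto map TEST1 2000 ipsec-isakmp
 set peer 192.0.2.188
 set transform-set TEST1
 set isakmp-profile TEST1
 match address 2000
access-list 2000 permit ip 10.98.0.0 0.0.0.255 192.168.83.0 0.0.0.255
interface Loopback2000
 ip address 192.0.2.32 255.255.255.255
"""

def parse(text):  # {stanza header: [indented child lines]}, running-config style
    blocks, cur = {}, []
    for line in filter(str.strip, text.splitlines()):
        if line.startswith(" "):
            cur.append(line.strip())
        else:
            cur = blocks.setdefault(line.strip(), [])
    return blocks
def arg(lines, prefix):  # first token after `prefix` on the first matching child line
    return next((l[len(prefix):].split()[0] for l in lines if l.startswith(prefix)), None)
def lint(text):  # findings for dangling or inconsistent references in a VRF-aware crypto-map config
    b, out = parse(text), []
    keyrings = {m[1]: (m[2], {l.split()[2] for l in ls if l.startswith("pre-shared-key address ")})
                for h, ls in b.items() if (m := re.match(r"crypto keyring (\S+)(?: vrf (\S+))?$", h))}
    profiles = {h.split()[3]: ls for h, ls in b.items() if h.startswith("crypto isakmp profile ")}
    applied = {l.split()[2] for h, ls in b.items() if h.startswith("interface ") for l in ls if l.startswith("crypto map ")}
    for name, ls in profiles.items():  # the keyring must exist and sit in the profile's (front-door) VRF
        kr = arg(ls, "keyring ")
        if kr not in keyrings or keyrings[kr][0] != arg(ls, "vrf "):
            out.append(f"profile {name}: keyring {kr} missing or in a different vrf")
    for h, ls in b.items():
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", h):
            peer, prof = arg(ls, "set peer "), arg(ls, "set isakmp-profile ")
            if prof not in profiles:
                out.append(f"{h}: isakmp profile {prof} not defined")
            elif peer not in keyrings.get(arg(profiles[prof], "keyring "), (None, set()))[1]:
                out.append(f"{h}: peer {peer} has no pre-shared key in the profile's keyring")
            if m[1] not in applied:
                out.append(f"{h}: map {m[1]} is not applied to any interface")
    return out
```

On the constructed sample it reports two findings: the pre-shared-key address (the local loopback) does not match the `set peer` address, and the crypto map is not applied under any interface.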
ASKER CERTIFIED SOLUTION
Jody Lemoine