We help IT Professionals succeed at work.

VRF Aware IPSEC Tunnel settings with scripting options.

I have an edge Router that I am trying to get up and running as VRF based IPSEC concentrator. Its currently running Version 12.2(18)SXF17b Adv Ent

Ideally I would like to use Global Loopback IPs to terminate the Peering and layer 3 Port-channel .1q Sub Interfaces.

 
Specifically I have a 6509-E with RSP720-3BXL's with 2 WS-IPSEC-2G Cards in the chassis.

crypto engine mode vrf is already enabled on the chassis.

 

Wondering if i am missing anything else.

 

ip VRF TEST1

!

Crytpo keyring TEST1 VRF TEST1

Pre-shared-key address x.x.x.32 key 12345678

!

Crytpo isakmp policy 2000

encr 3DES

authentication pre-share

group2

!

Crypto isakmp profile TEST1

VRF TEST1

keyring TEST1

Match identity address x.x.x.188 TEST1

!

Crypto ipsec transform-set TEST1 esp-3des esp-sha-hmac

!

crypto map TEST1 isakmp-profile TEST1

crypto map TEST1 2000 ipsec-isakmp

set peer x.x.x.188

set transform-set TEST1

set isakmp-profile TEST1

match address 2000

!

interface Port-channel1.2000

encapsulation dot1Q 2000

ip vrf forwarding TEST1

ip address 10.98.0.254 255.255.255.0

end

!

interface Loopback2000

ip address x.x.x.32 255.255.255.255

end

!

 

Access-list 2000 permit ip 10.98.0.0 0.0.0.255 192.168.83.0 0.0.0.255 log

Access-list 2000 permit ip 10.98.0.0 0.0.0.255 192.168.82.0 0.0.0.255 log

access-list 2000 remark "ACCESS LIST USED FOR TEST1 CRYPTOMAP/IPSEC TUNNEL"
Comment
Watch Question

Network Architect
CERTIFIED EXPERT
Commented:
It looks good, but you're going to want to leak a route to the destination network in order for traffic to pass back to the remote peer or none of the traffic will get out.

ip route vrf TEST1 192.168.82.0 255.255.254.0 x.x.x.x global

Replace x.x.x.x with the next hop IP to the remote peer in the global routing table.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.