Router-to-Router IPSec VPN with one router in VRF

DScouser asked:
Hi,

I have a simple lab setup with 2 x 7200 routers.  Both routers connected together via Fe0/0
RouterA(Fe0/0)------(Fe0/0)RouterB

All Router A interfaces are in a VRF

RouterA Lo0=10.0.0.1
RouterB Lo0=10.0.0.2

Set up static routes on each router to the opposite Lo0 address

All pings working OK (Pretty Simple)

Now I want to set up an IPSec tunnel between the two Fe interfaces and encrypt traffic when pinging between the two Lo0 addresses.

Is there any specific configuration I need on RouterA (VRF) to establish the IPSec tunnel?  All works OK without using VRF on RouterA, but I cannot establish the tunnel when RouterA is in a VRF.

Below are the configurations with no VRF on RouterA, this works OK...

RouterA

interface Lo0
 ip address 10.0.0.1 255.255.255.255

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2

crypto isakmp key test address 192.168.0.2 no-xauth

crypto ipsec transform-set A esp-aes 256 esp-sha-hmac

crypto map IPSEC local-address fa0/0

crypto map IPSEC 10 ipsec-isakmp
 set peer 192.168.0.2
 set transform-set A
 match address acl

interface fastethernet 0/0
 ip address 192.168.0.1 255.255.255.252
 crypto map IPSEC

ip access-list extended acl
 permit ip host 10.0.0.1 host 10.0.0.2

=====

RouterB

interface Lo0
 ip address 10.0.0.2 255.255.255.255

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2

crypto isakmp key test address 192.168.0.1 no-xauth

crypto ipsec transform-set A esp-aes 256 esp-sha-hmac

crypto map IPSEC local-address fa0/0

crypto map IPSEC 10 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set A
 match address acl

interface fastethernet 0/0
 ip address 192.168.0.2 255.255.255.252
 crypto map IPSEC

ip access-list extended acl
 permit ip host 10.0.0.2 host 10.0.0.1

So when I add the interfaces on RouterA to a VRF, the IPSec VPN does not establish; I get various errors but cannot seem to find a resolution.  Just wondering if I am missing something in the config.

Thanks in advance

Ste

Commented:
Review the VRF-aware IPsec configuration guide, here:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec.html#wp1054181

Your crypto map uses "crypto isakmp policy", which works fine when there is not a VRF in use.  To apply VRF-aware IPsec, you'll need to configure an isakmp profile that associates IKE keys with the VRF's traffic.  An example configuration can be seen here:

http://blog.ipexpert.com/2010/09/20/vrf-aware-ipsec-using-crypto-maps/
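For reference, here is what the RouterA side looks like once the keyring and ISAKMP profile the answer above refers to are in place. This is an added example written for this page, not a configuration from the original poster, the linked guide or the blog post; it keeps the addresses, transform set, crypto map and ACL names from the question and assumes a VRF named VRF_A (with a made-up RD of 65000:1), a keyring named KR_VRF_A and a profile named PROF_VRF_A. Because every RouterA interface sits in the same VRF, the front-door VRF (where IKE packets arrive on Fa0/0) and the inside VRF (where the protected Lo0 traffic lives) are both VRF_A. RouterB needs no change and keeps the configuration shown in the question.

```cisco
! Added example for this page (not the poster's configuration).
! VRF_A, KR_VRF_A, PROF_VRF_A and the RD 65000:1 are assumed names/values.
!
ip vrf VRF_A
 rd 65000:1
!
! The global "crypto isakmp key ... address 192.168.0.2" from the original
! config lives in the global keyring, which is not consulted when the IKE
! peer is reached through a VRF interface.  A keyring tied to the
! front-door VRF holds the pre-shared key for that peer instead.
crypto keyring KR_VRF_A vrf VRF_A
 pre-shared-key address 192.168.0.2 key test
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
! The ISAKMP profile glues the pieces together: which keyring to use,
! which inside VRF the protected traffic belongs to ("vrf"), and which
! peer identity (arriving via which front-door VRF) this profile matches.
crypto isakmp profile PROF_VRF_A
 vrf VRF_A
 keyring KR_VRF_A
 match identity address 192.168.0.2 255.255.255.255 VRF_A
!
crypto ipsec transform-set A esp-aes 256 esp-sha-hmac
!
crypto map IPSEC local-address FastEthernet0/0
crypto map IPSEC 10 ipsec-isakmp
 set peer 192.168.0.2
 set transform-set A
 set isakmp-profile PROF_VRF_A
 match address acl
!
! Note: "ip vrf forwarding" strips the interface's IP address when applied,
! so the address must be re-entered after it (as done here).
interface FastEthernet0/0
 ip vrf forwarding VRF_A
 ip address 192.168.0.1 255.255.255.252
 crypto map IPSEC
!
interface Loopback0
 ip vrf forwarding VRF_A
 ip address 10.0.0.1 255.255.255.255
!
! The static route to RouterB's loopback must be in the VRF table,
! not the global table.
ip route vrf VRF_A 10.0.0.2 255.255.255.255 192.168.0.2
!
ip access-list extended acl
 permit ip host 10.0.0.1 host 10.0.0.2
```

To check the result from RouterA, source the ping from inside the VRF so it matches the crypto ACL (`ping vrf VRF_A 10.0.0.2 source 10.0.0.1`), then confirm the tunnel with `show crypto isakmp sa` (expect QM_IDLE for peer 192.168.0.2) and `show crypto ipsec sa` (the encaps/decaps counters should increase with each ping). If IKE still fails, `debug crypto isakmp` will typically show whether the peer was matched to the profile at all; a "no pre-shared key" style failure usually means the keyring's `vrf` keyword does not name the VRF that Fa0/0 is actually in.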

Author commented:
Thanks for your reply, sorry about the delay as I did not see this.

I found the solution by investigating the keyring and profile as your link mentions, so thanks for that.

Stephen
