DScouser
asked on
Router-to-Router IPSec VPN with one router in VRF
Hi,
I have a simple lab setup with 2 x 7200 routers. Both routers connected together via Fe0/0
RouterA(Fe0/0)------(Fe0/0)RouterB
All Router A interfaces are in a VRF
RouterA Lo0=10.0.0.1
RouterB Lo0=10.0.0.2
Set up static routes on each router to the opposite Lo0 address
All pings working OK (pretty simple)
Now I want to set up an IPSec tunnel between the two Fe interfaces and encrypt traffic when pinging between the two Lo0 addresses.
Is there any specific configuration I need on RouterA (VRF) to establish the IPSec tunnel? All works OK without using VRF on RouterA but cannot establish the tunnel when RouterA is in VRF
Below are the configurations with no VRF on RouterA, this works OK...
RouterA
interface Lo0
ip address 10.0.0.1 255.255.255.255
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key test address 192.168.0.2 no-xauth
crypto ipsec transform-set A esp-aes 256 esp-sha-hmac
crypto map IPSEC local-address fa0/0
crypto map IPSEC 10 ipsec-isakmp
set peer 192.168.0.2
set transform-set A
match address acl
interface fastethernet 0/0
ip address 192.168.0.1 255.255.255.252
crypto map IPSEC
ip access-list extended acl
permit ip host 10.0.0.1 host 10.0.0.2
=====
RouterB
interface Lo0
ip address 10.0.0.2 255.255.255.255
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key test address 192.168.0.1 no-xauth
crypto ipsec transform-set A esp-aes 256 esp-sha-hmac
crypto map IPSEC local-address fa0/0
crypto map IPSEC 10 ipsec-isakmp
set peer 192.168.0.1
set transform-set A
match address acl
interface fastethernet 0/0
ip address 192.168.0.2 255.255.255.252
crypto map IPSEC
ip access-list extended acl
permit ip host 10.0.0.2 host 10.0.0.1
So when I add the interfaces on RouterA to a VRF, the IPSec VPN does not establish, I get various errors but cannot seem to find a resolution. Just wondering if I am missing something on the config
Thanks in advance
Ste
ASKER
I found the solution by investigating the keyring and profile as your link mentions so thanks for that
Stephen
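The keyring-and-profile approach the asker refers to, written out for RouterA as an added example (this is not the original poster's configuration or the accepted solution; the VRF name LAB, the keyring and profile names and the route distinguisher are assumptions, since the thread does not give them). The point it shows: a global `crypto isakmp key ... address` entry is only consulted for peers reached through the global routing table, so once Fa0/0 is placed in a VRF the pre-shared key has to live in a keyring bound to that VRF (the front-door VRF), and an ISAKMP profile has to tie that keyring to the peer and name the inside VRF that the protected traffic belongs to. In this lab both are the same VRF. RouterB stays in the global table and needs no change.

```cisco
! RouterA, with every interface in VRF "LAB" (assumed name)
ip vrf LAB
 rd 65000:1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
! Keyring bound to the VRF the peer is reached through (FVRF).
! The old global "crypto isakmp key test address 192.168.0.2" is dropped:
! it never matches a peer that sits behind a VRF interface.
crypto keyring KR-LAB vrf LAB
 pre-shared-key address 192.168.0.2 key test
!
! Profile: which keyring to use for this peer, which VRF the cleartext
! traffic lives in (IVRF), and the FVRF the peer identity is matched in.
crypto isakmp profile PROF-LAB
 vrf LAB
 keyring KR-LAB
 match identity address 192.168.0.2 255.255.255.255 LAB
!
crypto ipsec transform-set A esp-aes 256 esp-sha-hmac
!
crypto map IPSEC local-address FastEthernet0/0
crypto map IPSEC 10 ipsec-isakmp
 set peer 192.168.0.2
 set transform-set A
 set isakmp-profile PROF-LAB
 match address acl
!
! "ip vrf forwarding" clears any IP address already on the interface,
! so it must come before "ip address".
interface Loopback0
 ip vrf forwarding LAB
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding LAB
 ip address 192.168.0.1 255.255.255.252
 crypto map IPSEC
!
! The static route to the far loopback now has to be in the VRF table too.
ip route vrf LAB 10.0.0.2 255.255.255.255 192.168.0.2
!
ip access-list extended acl
 permit ip host 10.0.0.1 host 10.0.0.2
```

To test from RouterA the ping must be sourced in the VRF (`ping vrf LAB 10.0.0.2 source Loopback0`); a plain `ping 10.0.0.2` goes to the global table, finds no route and never triggers the crypto map. `show crypto session` and `show crypto ipsec sa` then show the SA with its FVRF/IVRF, and `show crypto isakmp key` confirms the key is listed under the VRF keyring rather than the global one. The proposal parameters are carried over from the lab as posted; outside a lab, DH group 2 (1024-bit), SHA-1 integrity and a guessable pre-shared key are all choices to revisit.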