VRF-Aware IPSec for Remote Access

Answered Question
Nov 5th, 2007

Dear All,

Has anyone successfully implemented VRF-Aware IPsec for Remote Access?

I am trying to implement this feature on a PE which has MPLS enabled on the Internet facing interface.

With the config below, I am able to establish an IPsec tunnel but not able to PING the VRF interface configured on the same PE.

I will be really grateful for any comment or any pointers for what could possibly be wrong with the configuration below:


!
aaa new-model
!
aaa authentication login USER-AUTHENTICATION local
aaa authorization network GROUP-AUTHORISATION local
!
crypto keyring test-1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test-1
 key test-1
 domain test.com
 pool cpe-1
 acl 101
!
crypto isakmp profile test-1
 vrf test-1
 keyring test-1
 match identity group test-1
 client authentication list USER-AUTHENTICATION
 isakmp authorization list GROUP-AUTHORISATION
 client configuration address initiate
 client configuration address respond
 client configuration group test-1
!
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
!
ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
!
crypto dynamic-map test-1 1
 set transform-set test-1
 set isakmp-profile test-1
 reverse-route remote-peer
!

Internet facing interface
----------------------------
interface GigabitEthernet4/0/0
 ip address x.x.x.x 255.255.255.240
 ip router isis
 mpls ip
 crypto map IPSEC-AWARE-VRF

Customer facing interface
---------------------------
interface GigabitEthernet1/0/0.1
 encapsulation dot1Q 100
 ip vrf forwarding test-1
 ip address 110.110.110.1 255.255.255.0



Kind regards,
ZH


Correct Answer
ivillegas Mon, 11/12/2007 - 14:44

Try disabling CEF in the physical interface or remove the subinterface from the same vrf as the crypto map. There is a bug regarding this CSCeb65521.
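A small audit script for the condition this thread lands on, added here as an example and not part of the thread or of any Cisco tool: it parses an IOS running-config, resolves crypto map -> dynamic map -> ISAKMP profile -> VRF, and flags a crypto-map interface that still has CEF enabled while another interface on the same box sits in that VRF. SAMPLE is a constructed reduction of the poster's config, and per-interface CEF is assumed to be turned off only by `no ip route-cache cef`.

```python
import re

# Constructed sample: the poster's config reduced to the objects this check
# cross-references (addresses, keyring and transform-set are not needed here).
SAMPLE = """\
crypto isakmp profile test-1
 vrf test-1
crypto dynamic-map test-1 1
 set isakmp-profile test-1
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
interface GigabitEthernet4/0/0
 mpls ip
 crypto map IPSEC-AWARE-VRF
interface GigabitEthernet1/0/0.1
 ip vrf forwarding test-1
"""

def parse_blocks(text):
    """Split an IOS config into (header, [indented child lines]) pairs."""
    blocks = []
    for line in text.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def last_word(kids, prefix):
    # Last token of the first child line starting with prefix, else None.
    return next((k.split()[-1] for k in kids if k.startswith(prefix)), None)

def audit(text):
    """Return findings for crypto-map interfaces running CEF whose map's VRF
    is also used by another interface (the overlap the thread's fix removes)."""
    blocks = parse_blocks(text)
    profile_vrf = {h.split()[3]: last_word(k, "vrf ") for h, k in blocks
                   if h.startswith("crypto isakmp profile ")}
    dyn_vrf = {h.split()[2]: profile_vrf.get(last_word(k, "set isakmp-profile "))
               for h, k in blocks if h.startswith("crypto dynamic-map ")}
    cmap_vrf = {m[1]: dyn_vrf.get(m[2]) for m in (re.match(
        r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", h) for h, _ in blocks) if m}
    ifaces = [(h.split()[1], k) for h, k in blocks if h.startswith("interface ")]
    in_vrf = {n: last_word(k, "ip vrf forwarding ") for n, k in ifaces}
    findings = []
    for name, kids in ifaces:
        vrf = cmap_vrf.get(last_word(kids, "crypto map "))   # VRF the map serves
        cef_on = "no ip route-cache cef" not in kids          # assumed CEF toggle
        for other, ovrf in in_vrf.items():
            if vrf and cef_on and ovrf == vrf:
                findings.append(f"{name}: crypto map bound to VRF {vrf} with CEF on while "
                                f"{other} is in VRF {vrf}; thread's fix: 'no ip route-cache cef'")
    return findings
```

Run `audit(SAMPLE)` to see the one finding for GigabitEthernet4/0/0; adding `no ip route-cache cef` under that interface, as the poster did, clears it.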

zahid.hassan Tue, 11/13/2007 - 03:12

Million thanks for this.

This now works after disabling CEF on the public facing interface.

Regards,
Zahid

