VRF-Aware IPSec for Remote Access

Answered Question
Nov 5th, 2007

Dear All,

Has anyone successfully implemented VRF-Aware IPSec for Remote Access?

I am trying to implement this feature on a PE which has MPLS enabled on the Internet facing interface.

With the config below, I am able to establish an IPSec tunnel but not able to ping the VRF interface configured on the same PE.

I will be really grateful for any comment or any pointers for what could possibly be wrong with the configuration below:

!
aaa new-model
!
aaa authentication login USER-AUTHENTICATION local
aaa authorization network GROUP-AUTHORISATION local
!
crypto keyring test-1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test-1
 key test-1
 domain test.com
 pool cpe-1
 acl 101
!
crypto isakmp profile test-1
 vrf test-1
 keyring test-1
 match identity group test-1
 client authentication list USER-AUTHENTICATION
 isakmp authorization list GROUP-AUTHORISATION
 client configuration address initiate
 client configuration address respond
 client configuration group test-1
!
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
!
ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
!
crypto dynamic-map test-1 1
 set transform-set test-1
 set isakmp-profile test-1
 reverse-route remote-peer
!

Internet facing interface
----------------------------
interface GigabitEthernet4/0/0
 ip address x.x.x.x 255.255.255.240
 ip router isis
 mpls ip
 crypto map IPSEC-AWARE-VRF

Customer facing interface
---------------------------
interface GigabitEthernet1/0/0.1
 encapsulation dot1Q 100
 ip vrf forwarding test-1
 ip address 110.110.110.1 255.255.255.0

Kind regards,

ZH

Correct Answer
ivillegas Mon, 11/12/2007 - 14:44

Try disabling CEF in the physical interface or remove the subinterface from the same vrf as the crypto map. There is a bug regarding this CSCeb65521.
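As an added illustration (not configuration from the thread or from Cisco), this is the first workaround above applied to the poster's own interface names, followed by the show commands that confirm CEF is off on the uplink and that reverse-route injection populated vrf test-1. It assumes an IOS release that accepts "no ip route-cache cef" at interface level; the second option (taking the customer sub-interface out of vrf test-1) is not shown.

```cisco
! Added example, not part of the original thread.
! Workaround 1: disable CEF switching on the Internet-facing physical interface
! that carries the crypto map (interface name taken from the poster's config).
configure terminal
interface GigabitEthernet4/0/0
 no ip route-cache cef
end
!
! Verify CEF is now disabled on that interface
! (look for "IP CEF switching is disabled" in the output)
show ip interface GigabitEthernet4/0/0 | include CEF
!
! Phase 1 and phase 2 SAs for the remote-access client should still be up
show crypto isakmp sa
show crypto ipsec sa
!
! "reverse-route remote-peer" on the dynamic map should have injected a /32
! for the client's pool address (192.168.81.x) into vrf test-1; if the route
! is missing here, the VRF interface is unreachable regardless of CEF state
show ip route vrf test-1 static
```

Disabling CEF on an MPLS-enabled PE uplink changes the switching path for everything entering that interface, so re-check IS-IS and label forwarding on the uplink after the change and treat this as a workaround for the bug rather than a permanent design choice.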

zahid.hassan Tue, 11/13/2007 - 03:12

Million thanks for this.

This now works after disabling CEF on the public facing interface.

Regards,

Zahid
