VRF-Aware IPSec for Remote Access

zahid.hassan
Level 1

Dear All,

Has anyone successfully implemented VRF-Aware IPSec for Remote Access?

I am trying to implement this feature on a PE which has MPLS enabled on the Internet-facing interface.

With the config below, I am able to establish an IPSec tunnel but am not able to ping the VRF interface configured on the same PE.

I will be really grateful for any comments or pointers as to what could possibly be wrong with the configuration below:

!
aaa new-model
!
aaa authentication login USER-AUTHENTICATION local
aaa authorization network GROUP-AUTHORISATION local
!
crypto keyring test-1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test-1
 key test-1
 domain test.com
 pool cpe-1
 acl 101
!
crypto isakmp profile test-1
 vrf test-1
 keyring test-1
 match identity group test-1
 client authentication list USER-AUTHENTICATION
 isakmp authorization list GROUP-AUTHORISATION
 client configuration address initiate
 client configuration address respond
 client configuration group test-1
!
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
!
ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
!
crypto dynamic-map test-1 1
 set transform-set test-1
 set isakmp-profile test-1
 reverse-route remote-peer
!

Internet facing interface
----------------------------
interface GigabitEthernet4/0/0
 ip address x.x.x.x 255.255.255.240
 ip router isis
 mpls ip
 crypto map IPSEC-AWARE-VRF

Customer facing interface
---------------------------
interface GigabitEthernet1/0/0.1
 encapsulation dot1Q 100
 ip vrf forwarding test-1
 ip address 110.110.110.1 255.255.255.0

Kind regards,

ZH

Accepted Solutions

ivillegas
Level 6

Try disabling CEF on the physical interface, or remove the subinterface from the same VRF as the crypto map. There is a bug regarding this: CSCeb65521.

Million thanks for this.

This now works after disabling CEF on the public facing interface.

Regards,

Zahid