tunnel mode ipsec feature vrf aware?

Apr 14th, 2008
there are nice documents for vrf aware ipsec configurations with "classic" crypto maps...

and also for tunnel mode ipsec configurations but with tunnel peers in global routing table...

i need a combination:

a gre tunnel interface with ipsec encryption where both the tunnel peers (source/destination) and the encrypted traffic are within the same VRF

in most samples the tunnel is set up over the global routing instance and just the encrypted traffic is in a VRF...

any clues if this works / is supported?

thanks in advance


hgans Tue, 04/15/2008 - 01:35

does anyone know if tunnel peers can be in the same vrf as the encrypted traffic?



hgans Tue, 04/22/2008 - 05:57

just in case one of you needs this info...

it's possible to have tunnel peers inside the same vrf together with the tunneled traffic itself:

crypto keyring KEYRING vrf XYZ
 pre-shared-key address key cisco

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5

crypto isakmp profile IKE_PROFILE
 keyring KEYRING
 match identity address XYZ

crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac

crypto ipsec profile PROFILE
 set transform-set TSET

interface Tunnel1
 ip vrf forwarding XYZ
 ip address
 tunnel source Loopback2
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel vrf XYZ
 tunnel protection ipsec profile PROFILE shared
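
A check for the same-VRF layout in the configuration above, as an added example that is not part of the original post: it reads "show running-config" style text (indented sub-commands) and flags protected tunnel interfaces whose tunnel vrf differs from ip vrf forwarding, or that have no crypto keyring in the tunnel's VRF. The function names, sample addresses and key are constructed, and pre-shared-key authentication is assumed as in the post.

```python
import re

# Constructed sample in "show running-config" layout; addresses and key are placeholders.
SAMPLE = """\
crypto keyring KEYRING vrf XYZ
 pre-shared-key address 192.0.2.2 key EXAMPLE-KEY
interface Tunnel1
 ip vrf forwarding XYZ
 tunnel destination 192.0.2.2
 tunnel vrf XYZ
 tunnel protection ipsec profile PROFILE shared
interface Tunnel2
 ip vrf forwarding XYZ
 tunnel destination 192.0.2.6
 tunnel protection ipsec profile PROFILE shared
"""

def parse_ios(config):
    """Return (set of keyring VRFs, {tunnel: settings}); a VRF of None means global."""
    keyring_vrfs, tunnels, cur = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command closes any interface block
            cur = None
            if m := re.match(r"crypto keyring \S+(?: vrf (\S+))?$", line):
                keyring_vrfs.add(m.group(1))
            elif m := re.match(r"interface (Tunnel\d+)$", line):
                cur = tunnels.setdefault(m.group(1), {"ivrf": None, "fvrf": None, "protected": False})
        elif cur is not None:
            if m := re.match(r"ip vrf forwarding (\S+)$", line):
                cur["ivrf"] = m.group(1)   # VRF of the traffic carried inside the tunnel
            elif m := re.match(r"tunnel vrf (\S+)$", line):
                cur["fvrf"] = m.group(1)   # VRF used to reach the tunnel peer
            elif line.startswith("tunnel protection ipsec profile "):
                cur["protected"] = True
    return keyring_vrfs, tunnels

def audit(config):
    """List (tunnel, problem) pairs for protected tunnels that break the same-VRF layout."""
    keyring_vrfs, tunnels = parse_ios(config)
    findings = []
    for name, t in sorted(tunnels.items()):
        if t["protected"] and t["fvrf"] != t["ivrf"]:
            findings.append((name, f"peers in {t['fvrf'] or 'global'}, traffic in {t['ivrf'] or 'global'}"))
        if t["protected"] and t["fvrf"] not in keyring_vrfs:
            findings.append((name, f"no keyring for vrf {t['fvrf'] or 'global'}"))
    return findings
```
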

