tunnel mode ipsec feature vrf aware?

Unanswered Question
Apr 14th, 2008

hi,

there are nice documents for vrf aware ipsec configurations with "classic" crypto maps...

and also for tunnel mode ipsec configurations but with tunnel peers in global routing table...

i need a combination:

a gre tunnel interface with ipsec encryption where both the tunnel peers (source/destination) and the encrypted traffic are within the same VRF

in most samples the tunnel is set up over the global routing instance and just the encrypted traffic is in a VRF...

any clues if this works / is supported?

thanks in advance

herwig

hgans Tue, 04/15/2008 - 01:35

does anyone know if tunnel peers can be in the same vrf as the encrypted traffic?

thanks,

herwig

hgans Tue, 04/22/2008 - 05:57

just in case one of you needs this info...

it's possible to have tunnel peers inside the same vrf together with the tunneled traffic itself:

    ! keyring bound to VRF XYZ
    crypto keyring KEYRING vrf XYZ
     pre-shared-key address 172.26.1.69 key cisco
    !
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 5
    crypto isakmp profile IKE_PROFILE
     keyring KEYRING
     ! trailing XYZ: match the peer identity in VRF XYZ
     match identity address 172.26.1.69 255.255.255.255 XYZ
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile PROFILE
     set transform-set TSET
    interface Tunnel1
     ! VRF of the tunnel interface, i.e. of the traffic that gets encrypted
     ip vrf forwarding XYZ
     ip address 172.20.107.145 255.255.255.252
     tunnel source Loopback2
     tunnel destination 172.26.1.81
     tunnel mode ipsec ipv4
     ! VRF used to reach the tunnel destination
     tunnel vrf XYZ
     tunnel protection ipsec profile PROFILE shared
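
The configuration above names the same VRF on the keyring, on the identity match and on `tunnel vrf`. As an added example (not part of the original thread), this Python sketch audits a config for protected tunnels whose `tunnel vrf` has no keyring entry covering the tunnel destination. The sample config, keyring names and addresses are constructed; the parser assumes IPv4 tunnel destinations and only the command forms shown in the post.

```python
import ipaddress
import re

# Constructed sample modelled on the command forms in the post; names and addresses are made up.
SAMPLE = """\
crypto keyring KR-A vrf XYZ
 pre-shared-key address 192.0.2.10 key EXAMPLE-ONLY
crypto keyring KR-B
 pre-shared-key address 198.51.100.0 255.255.255.0 key EXAMPLE-ONLY
interface Tunnel1
 ip vrf forwarding XYZ
 tunnel destination 192.0.2.10
 tunnel vrf XYZ
 tunnel protection ipsec profile PROFILE
interface Tunnel2
 ip vrf forwarding XYZ
 tunnel destination 198.51.100.7
 tunnel vrf XYZ
 tunnel protection ipsec profile PROFILE
"""

def sections(config):
    """Group an IOS config into (header, [sub-commands]) pairs by indentation."""
    out = []
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(config):
    """Flag protected tunnels whose tunnel VRF holds no PSK covering the peer."""
    keys, findings = {}, []  # keys: VRF name (None = global table) -> networks with a PSK
    for head, subs in sections(config):
        ring = re.match(r"crypto keyring \S+(?: vrf (\S+))?$", head)
        for k in (re.match(r"pre-shared-key address (\S+)(?: (\d\S+))? key ", s) for s in subs):
            if ring and k:
                net = ipaddress.ip_network(f"{k[1]}/{k[2] or '255.255.255.255'}", strict=False)
                keys.setdefault(ring[1], []).append(net)
    for head, subs in sections(config):
        tun = {s.split()[1]: s.split()[-1] for s in subs if s.startswith("tunnel ")}
        if not head.startswith("interface Tunnel") or "protection" not in tun:
            continue
        fvrf, dst = tun.get("vrf"), tun.get("destination")  # dst assumed to be an IPv4 address
        if dst and not any(ipaddress.ip_address(dst) in n for n in keys.get(fvrf, [])):
            findings.append(f"{head}: no pre-shared key for {dst} in a keyring of VRF {fvrf or 'global'}")
    return findings

print("\n".join(audit(SAMPLE)) or "no findings")
```

In the constructed sample, Tunnel2 is reported because the only key covering its peer sits in a keyring without `vrf XYZ`.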
