IPSec with vrf and local address

Unanswered Question
Mar 24th, 2009


I'm trying to establish an IPSec tunnel from a Cisco 7200 router (IOS 12.4(5a)). The tunnel needs to end on my side in a local VRF, and the peer address is the Loopback0 address (not the address of the outgoing interface, which has the crypto map configured on it). Here is the config:

ip vrf VPN
 rd 10:10
crypto keyring KEY1
 pre-shared-key address key 747a592ca7
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile PROFILE
 vrf VPN
 keyring KEY1
 match identity address
 local-address Loopback0
crypto ipsec transform-set Medium1 esp-3des esp-sha-hmac
crypto map vpn 100 ipsec-isakmp
 set peer
 set transform-set Medium1
 set pfs group2
 set isakmp-profile PROFILE1
 match address 111
interface Loopback0
 ip address
interface GigabitEthernet0/1
 ip address
 crypto map vpn
interface GigabitEthernet0/2
 ip vrf forwarding VPN
 ip address
ip route vrf VPN global
access-list 111 permit ip

Although I have local-address Loopback0 in profile PROFILE1, the address of the outgoing interface that has the crypto map applied is still used:

protected vrf: VPN
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 55, #recv errors 0
local crypto endpt.: remote crypto endpt.:
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

I even tried to put interface loopback 0 in vrf VPN with

interface Loopback0
 ip vrf receive VPN
 ip address
 ip policy route-map IDLE

But it didn't help. Does anyone know what could be the problem?



Antonio_1_2 Tue, 03/24/2009 - 04:31

In the above config it should be

crypto map vpn 100 ipsec-isakmp
 set isakmp-profile PROFILE

and not

crypto map vpn 100 ipsec-isakmp
 set isakmp-profile PROFILE1
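
The name mismatch corrected in the follow-up above (a crypto map pointing at PROFILE1 while only PROFILE is defined) is the kind of dangling reference a small config check can flag before deployment. This is an added example, not part of the original thread; it assumes sub-commands are indented as in `show running-config` output, and `dangling_refs` and `SAMPLE` are names made up here.

```python
import re

# Unindented "crypto ..." lines that define a named object.
DEFS = {
    "keyring": re.compile(r"^crypto keyring (\S+)"),
    "isakmp-profile": re.compile(r"^crypto isakmp profile (\S+)"),
    "transform-set": re.compile(r"^crypto ipsec transform-set (\S+)"),
}
# Indented sub-commands that refer to one of those objects by name.
REFS = {
    "keyring": re.compile(r"^keyring (\S+)"),
    "isakmp-profile": re.compile(r"^set isakmp-profile (\S+)"),
    "transform-set": re.compile(r"^set transform-set (.+)"),
}

def dangling_refs(config):
    """Return sorted (kind, name, parent block) for names used but never defined."""
    defined = {kind: set() for kind in DEFS}
    used, parent = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line opens a new block
            parent = line
            for kind, rx in DEFS.items():
                if m := rx.match(line):
                    defined[kind].add(m.group(1))
            continue
        for kind, rx in REFS.items():
            if m := rx.match(line):
                # "set transform-set" may list several names on one line
                used += [(kind, name, parent) for name in m.group(1).split()]
    return sorted(u for u in used if u[1] not in defined[u[0]])

# Constructed sample: crypto lines from the post, address-bearing lines omitted.
SAMPLE = """\
crypto keyring KEY1
crypto isakmp profile PROFILE
 keyring KEY1
 local-address Loopback0
crypto ipsec transform-set Medium1 esp-3des esp-sha-hmac
crypto map vpn 100 ipsec-isakmp
 set transform-set Medium1
 set isakmp-profile PROFILE1
"""

if __name__ == "__main__":
    for kind, name, parent in dangling_refs(SAMPLE):
        print(f"{parent}: {kind} '{name}' is not defined")
```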

