09-01-2009 01:31 AM
Hi,
I would like your advice about what is written in the Cisco VPN SPA documentation (Catalyst 6500 Series Switch SIP, SSC, and SPA Software Configuration Guide.pdf).
It says in the chapter "Configuring IPsec Stateless and Stateful Failover with VRF Mode":
"Chassis-to-chassis failover with VRF mode is configured differently than in non-VRF (crypto-connect) mode. In VRF mode, the HSRP configuration goes on the physical interface, but the crypto map is added to the interface VLAN. In non-VRF mode, both the HSRP configuration and the crypto map are on the same interface."
And the configuration given by the documentation:
hostname router-1
!
ip vrf ivrf
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto engine mode vrf
!
vlan 2,3
!
crypto keyring key1
 pre-shared-key address 14.0.1.1 key 12345
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp keepalive 10
crypto isakmp profile ivrf
 vrf ivrf
 keyring key1
 match identity address 14.0.1.1 255.255.255.255
!
crypto ipsec transform-set ts esp-3des esp-sha-hmac
!
crypto map map_vrf_1 local-address Vlan3
crypto map map_vrf_1 10 ipsec-isakmp
 set peer 14.0.1.1
 set transform-set ts
 set isakmp-profile ivrf
 match address acl_1
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 13.254.254.1 255.255.255.0
!
interface GigabitEthernet1/1.1
 encapsulation dot1Q 2000
 ip vrf forwarding ivrf
 ip address 13.254.254.1 255.0.0.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPsec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPsec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan3
 ip address 15.0.0.2 255.255.255.0
 standby delay minimum 0 reload 0
 standby 1 ip 15.0.0.100
 standby 1 timers msec 100 1
 standby 1 priority 105
 standby 1 preempt
 standby 1 name std-hsrp
 standby 1 track GigabitEthernet1/2
 crypto engine slot 4/0 outside
!
interface Vlan2
 ip vrf forwarding ivrf
 ip address 15.0.0.252 255.255.255.0
 crypto map map_vrf_1 redundancy std-hsrp
 crypto engine slot 4/0 inside
!
ip classless
ip route 12.0.0.0 255.0.0.0 15.0.0.1
ip route 13.0.0.0 255.0.0.0 13.254.254.2
ip route 14.0.0.0 255.0.0.0 15.0.0.1
ip route 223.255.254.0 255.255.255.0 17.1.0.1
ip route vrf ivrf 12.0.0.1 255.255.255.255 15.0.0.1
!
ip access-list extended acl_1
 permit ip host 13.0.0.1 host 12.0.0.1
!
arp vrf ivrf 13.0.0.1 0000.0000.2222 ARPA
It seems that in this example the HSRP is not on the physical interface...
Can somebody tell me what the real way to configure stateless HSRP with the VPN SPA is?
Thank you for your help :)
09-01-2009 01:31 PM
The config above should be fine. The most important thing is the separation of the crypto map and the HSRP config; that is what the documentation is referring to. Since the exit interface Gi1/2 is just a Layer 2 port in a VLAN, HSRP is associated with the SVI Vlan 3. The crypto map is applied on Vlan 2.
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 3
 switchport mode access
!
You can refer to this link if it helps. It shows HSRP on the physical interface.
09-02-2009 12:41 AM
Thank you for your answer. I have separated the crypto map and the HSRP config, but my crypto map is applied on an SVI. Is that a problem?
This is my configuration:
ip vrf ipsec-inside1
 rd 30:1
!
ip vrf ipsec-internet
 rd 10:1
!
ip vrf ipsec-outside
 rd 20:1
!
vlan 10,20,30,40,50
!
crypto keyring stg-keys vrf ipsec-outside
 pre-shared-key address 1.1.1.1 key cisco
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
crypto isakmp key cisco address 1.1.1.1
crypto isakmp profile stg
 vrf ipsec-inside1
 keyring stg-keys
 match identity address 1.1.1.1 255.255.255.255 ipsec-outside
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map cm local-address Vlan20
crypto map cm 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set 3des-md5
 set isakmp-profile stg
 match address acl
!
interface FastEthernet3/25
 switchport
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet3/26
 switchport
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet7/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 30
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan20
 ip vrf forwarding ipsec-outside
 ip address 10.20.1.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 standby delay minimum 0 reload 0
 standby 84 ip 10.20.1.2
 standby 84 timers msec 100 1
 standby 84 preempt
 standby 84 name spa-hsrp
 standby 84 track GigabitEthernet7/0/1 20
 crypto engine slot 7/0 outside
!
interface Vlan30
 ip vrf forwarding ipsec-inside1
 ip address 10.30.1.1 255.255.255.0
 crypto map cm redundancy spa-hsrp
 crypto engine slot 7/0 inside
!
interface Vlan40
 ip vrf forwarding ipsec-inside1
 ip address 10.30.4.3 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 standby delay minimum 0 reload 0
 standby 85 ip 10.30.4.1
 standby 85 timers msec 100 1
 standby 85 preempt
 standby 85 track GigabitEthernet7/0/1 20
!
ip access-list extended acl
 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
09-02-2009 08:40 AM
Yes, the crypto map should be on an SVI; that's the only way the packet can be forwarded to the VPN SPA for encryption. I noticed you have FVRF configured on Vlan 20. It should be fine if you are using the latest release. Otherwise you would need to make Vlan 20 a global (no VRF) interface.
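Added example, not code from the thread or from the Cisco guide: a small Python linter that encodes the rules discussed in the first post's quoted documentation and in the reply above, so the same mistake can be caught in a running-config before a failover test. It checks that, in VRF mode (`crypto engine mode vrf`), HSRP and the crypto map are not on the same interface; that `crypto map ... redundancy NAME` points at a `standby N name NAME` that exists; that the crypto map sits on an SVI marked `crypto engine slot X inside` while the HSRP SVI carries `crypto engine slot X outside` for the same slot; and it emits an informational note when the HSRP SVI is itself in an FVRF, which the reply says needs a recent release. The inside/outside pairing rule is inferred from the two configurations in this thread, not quoted from the guide. The "good" sample is a trimmed, re-indented copy of the configuration posted above (with `crypto engine mode vrf` added, since the excerpt omits it); the "bad" sample is constructed.

```python
"""Lint an IOS config for the VPN SPA chassis-to-chassis HSRP rules from this thread."""
import re

# Trimmed, re-indented copy of the second configuration posted above. 'crypto engine
# mode vrf' is added here (assumption: the thread is about VRF mode; excerpt omits it).
GOOD_CONFIG = """\
crypto engine mode vrf
!
crypto map cm 10 ipsec-isakmp
 set peer 1.1.1.1
!
interface Vlan20
 ip vrf forwarding ipsec-outside
 ip address 10.20.1.4 255.255.255.0
 standby 84 ip 10.20.1.2
 standby 84 name spa-hsrp
 crypto engine slot 7/0 outside
!
interface Vlan30
 ip vrf forwarding ipsec-inside1
 ip address 10.30.1.1 255.255.255.0
 crypto map cm redundancy spa-hsrp
 crypto engine slot 7/0 inside
"""

# Constructed counter-example: HSRP and the crypto map on one SVI (what the quoted
# documentation says not to do in VRF mode) plus a redundancy name nobody defines.
BAD_CONFIG = """\
crypto engine mode vrf
!
interface Vlan20
 ip address 10.20.1.4 255.255.255.0
 standby 84 ip 10.20.1.2
 standby 84 name spa-hsrp
 crypto map cm redundancy other-hsrp
 crypto engine slot 7/0 outside
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]}; IOS indents sub-commands by one space."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                current.append(line.strip())
            continue
        current = None                      # any top-level command ends the block
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
    return interfaces


def check_spa_hsrp(config):
    """Return 'ERROR: ...' / 'INFO: ...' strings; an empty list means the config passes."""
    findings = []
    vrf_mode = re.search(r"^crypto engine mode vrf$", config, re.M) is not None
    ifaces = parse_interfaces(config)

    hsrp_owner, engine = {}, {}             # hsrp name -> iface ; iface -> (slot, role)
    for name, cmds in ifaces.items():
        for c in cmds:
            if m := re.match(r"standby \d+ name (\S+)", c):
                hsrp_owner[m.group(1)] = name
            if m := re.match(r"crypto engine slot (\S+) (inside|outside)", c):
                engine[name] = (m.group(1), m.group(2))

    for name, cmds in ifaces.items():
        has_hsrp = any(c.startswith("standby ") for c in cmds)
        maps = [re.match(r"crypto map (\S+)(?: redundancy (\S+))?", c)
                for c in cmds if c.startswith("crypto map ")]
        if vrf_mode and has_hsrp and maps:
            findings.append(f"ERROR: {name}: HSRP and crypto map on the same interface; "
                            "in VRF mode they belong on separate interfaces")
        if has_hsrp and any(c.startswith("ip vrf forwarding") for c in cmds):
            findings.append(f"INFO: {name}: HSRP/outside SVI is in an FVRF; needs a recent "
                            "release, otherwise keep this SVI global")
        for m in maps:
            if not name.startswith("Vlan"):
                findings.append(f"ERROR: {name}: crypto map must be on an SVI to reach the SPA")
            inside = engine.get(name)
            if inside is None or inside[1] != "inside":
                findings.append(f"ERROR: {name}: crypto map SVI lacks 'crypto engine slot X inside'")
            rname = m.group(2)
            if rname is None:
                findings.append(f"ERROR: {name}: crypto map {m.group(1)} has no 'redundancy <name>'")
                continue
            owner = hsrp_owner.get(rname)
            if owner is None:
                findings.append(f"ERROR: {name}: redundancy group '{rname}' is not defined by "
                                "any 'standby N name' command")
                continue
            outside = engine.get(owner)
            if outside is None or outside[1] != "outside" or (inside and outside[0] != inside[0]):
                findings.append(f"ERROR: {owner}: HSRP SVI for '{rname}' needs "
                                "'crypto engine slot <same slot> outside'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", GOOD_CONFIG), ("bad config", BAD_CONFIG)):
        print(f"== {label} ==")
        for f in check_spa_hsrp(cfg) or ["clean"]:
            print(" ", f)
```

Run against the posted configuration it reports only the FVRF note on Vlan20; against the constructed bad configuration it reports three errors (HSRP and crypto map co-located, no `inside` engine binding on the crypto map SVI, and an undefined redundancy group). Feed it `show running-config` output from both chassis to confirm the two sides agree before testing a failover.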
09-07-2009 01:02 AM
Yes,
I'm using 12.2(33)SXI, so it should be okay.