Unanswered Question
May 25th, 2010


Hope someone can give me a hint .....

My problem is that multiple customers, all connected with site-2-site VPN, use the same IP segments on their LAN (IP overlap), so I need to do VRF-aware IPsec, as I understand it.

I have set up a test lab but it doesn't work.


Can anyone help here?!


Marcin Latosiewicz Tue, 05/25/2010 - 04:51
Cisco Employee


What do you want to "virtualize"? Are local or remote subnets overlapping?

Taking a look at your config:


  crypto keyring KUNDE1 vrf KUNDE1
    pre-shared-key address key vpn-kodeord
  crypto isakmp profile KUNDE1
     vrf KUNDE1
     keyring KUNDE1
     self-identity address
     match identity address KUNDE1


You're expecting both Inside and Front VRF to be KUNDE1. I.e. encapsulated packets should be received on VRF KUNDE1 and also be decapsulated there.

If there is only one overlap we either:

- Use VRFs (if multiple local subnets are shared); if it's an Internet deployment you use only one Front VRF.

- NAT if multiple remote subnets are shared (note that NAT is done before encryption)

What kind of deployment did you have in mind?
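
Added example, not part of the original thread and not either poster's configuration: a Cisco IOS sketch of the "only one Front VRF" layout mentioned above, where the Internet-facing side stays in the global routing table (Front VRF) and KUNDE1 is used only as the Inside VRF. The addresses (documentation ranges), interface names, RD, ACL, transform-set and crypto map names are assumptions chosen for illustration.

```cisco
! Constructed example: all addresses, interface names and the
! names TS, INTERNET and KUNDE1-CRYPTO are assumptions.
ip vrf KUNDE1
 rd 65000:1
!
! No "vrf" keyword on the keyring: the peer is looked up in the
! global table, which acts as the Front VRF (FVRF).
crypto keyring KUNDE1
 pre-shared-key address 192.0.2.10 key vpn-kodeord
!
! "vrf KUNDE1" sets the Inside VRF (IVRF): decapsulated traffic is
! routed in KUNDE1. No fvrf argument on "match identity address",
! so the IKE peer is matched in the global table.
crypto isakmp profile KUNDE1
 vrf KUNDE1
 keyring KUNDE1
 self-identity address
 match identity address 192.0.2.10 255.255.255.255
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended KUNDE1-CRYPTO
 permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
!
crypto map INTERNET 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS
 set isakmp-profile KUNDE1
 match address KUNDE1-CRYPTO
!
! Internet-facing interface: not in any VRF (global = FVRF)
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map INTERNET
!
! Customer-side interface: placed in the IVRF
interface GigabitEthernet0/1
 ip vrf forwarding KUNDE1
 ip address 10.1.0.1 255.255.0.0
!
! Route for the remote LAN inside the IVRF, with the next hop
! resolved in the global table so traffic reaches the crypto map
ip route vrf KUNDE1 192.168.1.0 255.255.255.0 198.51.100.254 global
```

On a lab router, "show crypto session detail" lists the FVRF and IVRF of each session, which makes it easy to confirm that only the IVRF is KUNDE1.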


