VRF aware IPSEC

Unanswered Question
May 25th, 2010

Hello,


Hope anyone can give me a hint .....


My problem is that multiple customers, all connected with site-to-site VPN, use the same IP segments on their LAN (IP overlap), so I need to do VRF-aware IPsec as I understand it.


I have set up a test lab, but it doesn't work.


http://pastebin.org/275189


Can anyone help here?!


Martin

Marcin Latosiewicz Tue, 05/25/2010 - 04:51

Martin,


What do you want to "virtualize"? Are local or remote subnets overlapping?


Taking a look at your config:

--------

crypto keyring KUNDE1 vrf KUNDE1
  pre-shared-key address 150.1.11.17 key vpn-kodeord
crypto isakmp profile KUNDE1
   vrf KUNDE1
   keyring KUNDE1
   self-identity address
   match identity address 150.1.11.17 255.255.255.255 KUNDE1

----------


You're expecting both the Inside and the Front VRF to be KUNDE1, i.e. encapsulated packets should be received in VRF KUNDE1 and also be decapsulated there.


If there is only one overlap we either:

- Use VRFs (if multiple local subnets are shared); if it's an Internet deployment you use only one Front VRF.

- NAT if multiple remote subnets are shared (note that NAT is done before encryption).


What kind of deployment did you have in mind?


Marcin
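The distinction Marcin draws between the Front VRF (where the encrypted packets arrive) and the Inside VRF (where the decrypted customer traffic is placed) is easiest to see in a config that separates the two. The following IOS fragment is an added illustration, not part of Martin's pastebin or Marcin's reply: it keeps the Internet-facing interface and the ISAKMP exchange in the global table (Front VRF = global) and puts only the customer's overlapping LAN into VRF KUNDE1 (Inside VRF). The peer address 150.1.11.17, the key vpn-kodeord and the name KUNDE1 come from the thread; the interface names, the inside addresses, the route distinguisher, the transform set, the crypto map and the ACL name are assumed values chosen for the example.

```text
! --- Front VRF: Internet-facing interface stays in the global routing table ---
interface GigabitEthernet0/0
 ip address 150.1.11.1 255.255.255.0        ! assumed local WAN address
 crypto map KUNDEMAP                        ! assumed crypto map name

! --- Inside VRF: the customer's (overlapping) LAN lives here ---
ip vrf KUNDE1
 rd 1:1                                     ! assumed route distinguisher

interface GigabitEthernet0/1
 ip vrf forwarding KUNDE1
 ip address 10.0.0.1 255.255.255.0          ! assumed customer-facing address

! ISAKMP policy used for the peer
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

! No "vrf" keyword on the keyring: the IKE exchange is matched in the global FVRF
crypto keyring KUNDE1
 pre-shared-key address 150.1.11.17 key vpn-kodeord

! "vrf KUNDE1" inside the profile is the IVRF: decrypted traffic is injected into KUNDE1.
! "match identity address" has no trailing FVRF name, so the peer is expected in global.
crypto isakmp profile KUNDE1
 vrf KUNDE1
 keyring KUNDE1
 self-identity address
 match identity address 150.1.11.17 255.255.255.255

crypto ipsec transform-set TS esp-aes esp-sha-hmac   ! assumed transform set

! The crypto map on the global interface binds the SA to the KUNDE1 profile
crypto map KUNDEMAP 10 ipsec-isakmp
 set peer 150.1.11.17
 set transform-set TS
 set isakmp-profile KUNDE1
 match address KUNDE1-ACL

! Interesting traffic: assumed local and remote LAN ranges
ip access-list extended KUNDE1-ACL
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
```

Compared with the quoted config, the two places that made KUNDE1 the Front VRF (the `vrf KUNDE1` keyword on the keyring and the trailing `KUNDE1` on `match identity address`) are gone, so the tunnel terminates in global while the cleartext is routed in KUNDE1. A second customer with the same LAN range would get its own `ip vrf`, keyring, ISAKMP profile and crypto map entry, each with a distinct peer address, while the single global Front VRF is shared by all of them.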
