VRF aware IPSEC

mdaaxcess
Level 1

Hello,

Hope anyone can give me a hint...

My problem is that multiple customers, all connected with site-to-site VPN, use the same IP segments on their LAN (IP overlap), so I need to do VRF-aware IPsec as I understand it.

I have set up a test lab but it doesn't work

http://pastebin.org/275189

Can anyone help here?!

Martin

1 Reply

Marcin Latosiewicz
Cisco Employee

Martin,

What do you want to "virtualize"? Are local or remote subnets overlapping?

Taking a look at your config:

--------

crypto keyring KUNDE1 vrf KUNDE1
 pre-shared-key address 150.1.11.17 key vpn-kodeord
crypto isakmp profile KUNDE1
 vrf KUNDE1
 keyring KUNDE1
 self-identity address
 match identity address 150.1.11.17 255.255.255.255 KUNDE1

----------

You're expecting both Inside and Front VRF to be KUNDE1, i.e. encapsulated packets should be received on VRF KUNDE1 and also be decapsulated there.

If there is only one overlap, we either:

- Use VRFs (if multiple local subnets are shared); if it's an Internet deployment you use only one Front VRF.

- NAT if multiple remote subnets are shared (note that NAT is done before encryption)

What kind of deployment did you have in mind?

Marcin
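The front/inside VRF split described in the reply, worked out as an added example (not from the thread or from Cisco): a hub with its Internet uplink in the global routing table (the single Front VRF) and one inside VRF per customer, built with sVTI tunnels instead of a crypto map so that each customer's overlapping 10.1.0.0/16 is resolved by its own VRF routing table. The KUNDE1 name and peer 150.1.11.17 are from the thread; KUNDE2, peer 150.1.11.18, the 10.x prefixes and the placeholder keys are constructed, and the example assumes IOS derives the inside VRF from the tunnel's ip vrf forwarding, so the isakmp profiles carry no vrf line.

```cisco
! Constructed example: Front VRF = global table, one inside VRF per customer.
! 150.1.11.18, the 10.x prefixes and the PSK placeholders are made up.
ip vrf KUNDE1
 rd 65000:1
ip vrf KUNDE2
 rd 65000:2
! No "vrf" on the keyrings: both peers are reached via the global table (FVRF).
crypto keyring KUNDE1-KEYS
 pre-shared-key address 150.1.11.17 key PSK-KUNDE1-PLACEHOLDER
crypto keyring KUNDE2-KEYS
 pre-shared-key address 150.1.11.18 key PSK-KUNDE2-PLACEHOLDER
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! No VRF on "match identity" (IKE arrives in the global table) and no "vrf"
! line: the inside VRF comes from the tunnel interface, not the profile.
crypto isakmp profile KUNDE1
 keyring KUNDE1-KEYS
 match identity address 150.1.11.17 255.255.255.255
crypto isakmp profile KUNDE2
 keyring KUNDE2-KEYS
 match identity address 150.1.11.18 255.255.255.255
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile KUNDE1-IPSEC
 set transform-set TS
 set isakmp-profile KUNDE1
crypto ipsec profile KUNDE2-IPSEC
 set transform-set TS
 set isakmp-profile KUNDE2
! "ip vrf forwarding" = inside VRF where decrypted traffic lands;
! "tunnel source" on a global interface = Front VRF is the global table.
interface Tunnel1
 ip vrf forwarding KUNDE1
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 150.1.11.17
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile KUNDE1-IPSEC
interface Tunnel2
 ip vrf forwarding KUNDE2
 ip address 10.255.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 150.1.11.18
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile KUNDE2-IPSEC
! The same remote prefix exists in both VRFs, each pointing at its own tunnel.
ip route vrf KUNDE1 10.1.0.0 255.255.0.0 Tunnel1
ip route vrf KUNDE2 10.1.0.0 255.255.0.0 Tunnel2
```

With this layout a customer LAN interface only needs ip vrf forwarding KUNDE1 or KUNDE2; the overlap never meets in one routing table, so no NAT is needed.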
