VTI IPsec VRF aware peer-to-peer config

Unanswered Question
Aug 17th, 2010

Hello,

I would like to set up a peer-to-peer VPN connection between 2 VRFs (Global and X) with VTI and the VRF-aware feature.
At the moment I'm using 2 IPs on the public interface (primary and secondary) that are used as VPN peers for the VRF global
IPsec and X VRF IPsec termination, because I'm not able to configure the two VRF isakmp/IPsec profiles on a single public IP.
Does someone have an idea how to differentiate the 2 IPsec tunnels without configuring secondary IPs?


Here is the config of RTR1 that works with 2 public IPs (RTR2 is configured in a symmetric way)...


!
crypto keyring Globalkeyring
  pre-shared-key address 1.1.1.3 key cisco
!
crypto keyring Xkeyring
  pre-shared-key address 1.1.1.4 key cisco1
!
crypto isakmp profile Global-isakmp
   keyring Globalkeyring
   match identity address 1.1.1.3 255.255.255.255
   keepalive 10 retry 5
!
crypto isakmp profile X-isakmp
   keyring Xkeyring
   match identity address 1.1.1.4 255.255.255.255
   keepalive 10 retry 5
!
crypto ipsec transform-set TI-Netset1 esp-3des esp-sha-hmac
!
! the Global profile binds the Global isakmp profile (peer 1.1.1.3), not the X one
crypto ipsec profile Global-profile
 set transform-set TI-Netset1
 set isakmp-profile Global-isakmp
!
crypto ipsec profile X-profile
 set transform-set TI-Netset1
 set isakmp-profile X-isakmp
!
!
interface Tunnel506
ip address 10.47.3.101 255.255.255.252
keepalive 1 5
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 1.1.1.3
tunnel protection ipsec profile Global-profile
!
interface Tunnel1506
ip vrf forwarding X
ip address 10.47.229.101 255.255.255.252
keepalive 1 5
tunnel source 1.1.1.2
tunnel mode ipsec ipv4
tunnel destination 1.1.1.4
tunnel protection ipsec profile X-profile
!
!
interface GigabitEthernet0/1
description External
ip address 1.1.1.1 255.255.255.0 secondary
ip address 1.1.1.2 255.255.255.0
duplex auto
speed auto
!
!

Marwan ALshawi Sun, 10/16/2011 - 02:28

You could use front-end VRF with VPN.

See the below link; even if you are using VTI, not DMVPN, it is still the same concept of the tunnel and VRF:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

Hope this helps.

If helpful, rate.
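As an added illustration of the front-door VRF (FVRF) / inside VRF (IVRF) split that the reply above refers to, here is a configuration written for this thread; it is not part of the original post or of the Cisco white paper. It reuses the poster's names (Globalkeyring, Xkeyring, TI-Netset1, Tunnel506, Tunnel1506, VRF X, peers 1.1.1.3 and 1.1.1.4) and adds a hypothetical VRF named FVRF-WAN that holds only the WAN interface, plus an assumed WAN next hop 1.1.1.254. The two tunnels are still told apart by their distinct peer addresses, exactly as in the original; what the FVRF adds is that IKE and ESP are handled in a routing table that the global and X tables never see, so WAN-learned routes cannot leak inward and the inside prefixes are reachable from the WAN only through the tunnels.

```cisco
! Added example, not from the original thread: FVRF/IVRF split for two VTI tunnels.
! Assumptions: hypothetical VRF FVRF-WAN for the WAN interface, hypothetical
! WAN next hop 1.1.1.254; peers, keys and transform set are the poster's own.
!
ip vrf FVRF-WAN
 description Front-door VRF: holds only the WAN interface and its default route
!
ip vrf X
!
! Keyrings are bound to the FVRF in which the IKE packets arrive, so a
! pre-shared key is consulted only for peers that reach the WAN VRF.
crypto keyring Globalkeyring vrf FVRF-WAN
  pre-shared-key address 1.1.1.3 key cisco
crypto keyring Xkeyring vrf FVRF-WAN
  pre-shared-key address 1.1.1.4 key cisco1
!
! Each ISAKMP profile matches exactly one peer address in the FVRF.
! The X profile also names the IVRF that decrypted traffic is placed in.
crypto isakmp profile Global-isakmp
   keyring Globalkeyring
   match identity address 1.1.1.3 255.255.255.255 FVRF-WAN
   keepalive 10 retry 5
crypto isakmp profile X-isakmp
   vrf X
   keyring Xkeyring
   match identity address 1.1.1.4 255.255.255.255 FVRF-WAN
   keepalive 10 retry 5
!
! Transform set kept from the original for comparability; 3DES/SHA-1 is legacy.
crypto ipsec transform-set TI-Netset1 esp-3des esp-sha-hmac
!
crypto ipsec profile Global-profile
 set transform-set TI-Netset1
 set isakmp-profile Global-isakmp
crypto ipsec profile X-profile
 set transform-set TI-Netset1
 set isakmp-profile X-isakmp
!
! The WAN interface lives only in the FVRF. Both tunnels source from the
! same interface address; no secondary IP is used in this example.
interface GigabitEthernet0/1
 description External (front-door VRF)
 ip vrf forwarding FVRF-WAN
 ip address 1.1.1.1 255.255.255.0
!
! Global tunnel: outer packets are routed in FVRF-WAN ("tunnel vrf"),
! the tunnel interface itself stays in the global table.
interface Tunnel506
 ip address 10.47.3.101 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.3
 tunnel vrf FVRF-WAN
 tunnel protection ipsec profile Global-profile
!
! X tunnel: same FVRF for the outer packets, IVRF X for the inner traffic.
interface Tunnel1506
 ip vrf forwarding X
 ip address 10.47.229.101 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.4
 tunnel vrf FVRF-WAN
 tunnel protection ipsec profile X-profile
!
! Only the FVRF carries a route toward the peers; nothing in the global
! or X table points at the WAN.
ip route vrf FVRF-WAN 0.0.0.0 0.0.0.0 1.1.1.254
```

To check the split after applying it, `show crypto isakmp sa` should list both peers with their FVRF, `show crypto session detail` should show the X session bound to IVRF X, and `show ip route vrf FVRF-WAN` should contain only the WAN subnet and the default route. Whether the remote side can collapse its two peer addresses onto one is a separate question that the thread does not settle; this example keeps the two distinct peers.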

apietrosan Mon, 10/17/2011 - 06:27

Maybe you could help me out. I will explain the situation and what I want to set up:


The configuration needs to be similar to this configuration template but will need a second tunnel included for backup. (**Note: For each tunnel I am required to use a different tunnel source, each source being a WAN IP address.**)



crypto isakmp policy 1
 encryption [ENCRYPTION TYPE]
 hash [HASH TYPE]
 authentication pre-share
 group 2
crypto isakmp key [SECRET] address [REMOTE IP]
!
crypto ipsec transform-set [NAME] [TRANSFORM 1]
 mode transport
!
crypto map [MAP NAME] 10 ipsec-isakmp
 set peer [REMOTE IP ADDRESS]
 set transform-set [TRANSFORM-SET NAME]
 match address [ACCESS-LIST NUMBER OR NAME]
!
access-list [ACL NUMBER OR NAME] permit gre host [LOCAL IP] host [REMOTE IP]
!
interface [INTERFACE NAME/NUMBER]
 ip address [LOCAL IP]
 crypto map [MAP NAME]
!
interface Tunnel0
 ip address [LOCAL TUNNEL IP] 255.255.255.252
 tunnel source [LOCAL INTERFACE IP]
 tunnel destination [REMOTE IP]
!
router bgp [LOCAL AS NUMBER]
 neighbor [VZW TUNNEL IP] remote-as 22394
 network [INTERNAL NETWORK] mask [MASK]




These are the requirements given to me by the vendor we are working with:


The IPSec tunnel endpoint and GRE tunnel endpoints must both reside on the same physical customer device.


BGP peering relationship between each Private Network connecting via VPN.


GRE is required because:


Allows for passing non-IP traffic (including Multicast, etc)

Creates a logical WAN Interface (with a /30 customer provided network).

Allows the Enterprise to extend their internal private network to the Wireless Private Network router.

Allows for simple EBGP peering at the GRE tunnel endpoints.

The Enterprise can make changes to their IP addressing without needing to notify Wireless Vendor.


Thanks.  Any help would be greatly appreciated.  Thanks.
