Hello, I'd like to set up a VTI with the fvrf in a non-global VRF and the ivrf in the global one.
Is it possible to have the VTI tunnel source/destination in a non-global VRF in IPsec mode?
Here is the config and the error on the peer, which is configured in a symmetrical way ...
!
crypto ikev2 proposal prop-1
 encryption 3des
 integrity md5
 group 2
!
crypto ikev2 policy pol-1
 match fvrf internet
 proposal prop-1
!
crypto ikev2 keyring v2-kr1
 peer abc
  address 1.1.1.252
  pre-shared-key abc
!
crypto ikev2 profile prof
 match fvrf internet
 match identity remote address 1.1.1.252 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring v2-kr1
 ivrf global
!
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
!
crypto ipsec profile ipsecprof
 set transform-set trans
 set ikev2-profile prof
!
!
interface GigabitEthernet0/1
 description Internet
 ip vrf forwarding internet
 ip address 1.1.1.244 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel506
 ip address 10.47.3.101 255.255.255.252
 keepalive 1 5
 tunnel source 1.1.1.244
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.252
 tunnel protection ipsec profile ipsecprof
!
*Aug 26 10:45:42.779: IKEv2:% Getting preshared key from profile keyring v2-kr1
*Aug 26 10:45:42.779: IKEv2:% Getting preshared key by address 1.1.1.244
*Aug 26 10:45:42.779: IKEv2:% Matched peer block 'abc'
*Aug 26 10:45:42.779: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.252
*Aug 26 10:45:42.779: IKEv2:Policy pol-1 cannot be picked due to fvrf mismatch
*Aug 26 10:45:42.779: IKEv2:No Matching policy with fvrf 0, local addr 1.1.1.252
*Aug 26 10:45:42.779: IKEv2:Failed to initiate sa
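
The debug output above reports `fvrf 0` while the IKEv2 policy and profile both say `match fvrf internet`. The following check is an added example, not part of the original post: it compares the front-door VRF of each protected tunnel interface with the `match fvrf` of the IKEv2 profile it references. It assumes that a tunnel interface without a `tunnel vrf` line resolves its source and destination in the global table; the helper names and the trimmed config copy are constructed for illustration.

```python
import re

# Trimmed copy of the configuration from the post (constructed sample input).
CONFIG = """\
crypto ikev2 profile prof
 match fvrf internet
 keyring v2-kr1
!
crypto ipsec profile ipsecprof
 set ikev2-profile prof
!
interface Tunnel506
 tunnel source 1.1.1.244
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.252
 tunnel protection ipsec profile ipsecprof
!
"""

def blocks(config):
    """Split an IOS config into {header line: [body lines]} on '!' separators."""
    out = {}
    for chunk in re.split(r"(?m)^![ \t]*$", config):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out

def value(body, prefix, default=None):
    """Return the first word after `prefix` on the first matching body line."""
    for line in body:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:].split()[0]
    return default

def check_fvrf(config):
    """List (tunnel, tunnel fvrf, profile fvrf) for every protected tunnel where they differ."""
    cfg, findings = blocks(config), []
    for header, body in cfg.items():
        ipsec = value(body, "tunnel protection ipsec profile")
        if not header.startswith("interface Tunnel") or ipsec is None:
            continue
        ike = value(cfg.get("crypto ipsec profile " + ipsec, []), "set ikev2-profile")
        want = value(cfg.get("crypto ikev2 profile " + str(ike), []), "match fvrf", "global")
        have = value(body, "tunnel vrf", "global")  # assumption: no 'tunnel vrf' means global
        if want not in (have, "any"):
            findings.append((header.split()[1], have, want))
    return findings
```

Run against the posted configuration, `check_fvrf(CONFIG)` reports Tunnel506 as using the global table while the profile expects `internet`, which is consistent with the "fvrf mismatch" line in the debug output.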