VTI on fvrf non global (ivrf=global)

helenio (Level 1)

Hello, I'd like to set up a VTI with the fvrf in a non-global VRF and the ivrf in the global one.

Is it possible to have the VTI tunnel source/destination in a non-global VRF in IPsec mode?

Here is the config and the error; the peer is configured symmetrically ...

!
crypto ikev2 proposal prop-1
encryption 3des
integrity md5
group 2
!
crypto ikev2 policy pol-1
match fvrf internet
proposal prop-1
!
crypto ikev2 keyring v2-kr1
peer abc
  address 1.1.1.252
  pre-shared-key abc
!
crypto ikev2 profile prof
match fvrf internet
match identity remote address 1.1.1.252 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring v2-kr1
ivrf global
!
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
!
crypto ipsec profile ipsecprof
set transform-set trans
set ikev2-profile prof
!
interface GigabitEthernet0/1
description Internet
ip vrf forwarding internet
ip address 1.1.1.244 255.255.255.0
duplex auto
speed auto

!
interface Tunnel506
ip address 10.47.3.101 255.255.255.252
keepalive 1 5
tunnel source 1.1.1.244
tunnel mode ipsec ipv4
tunnel destination 1.1.1.252
tunnel protection ipsec profile ipsecprof
!


*Aug 26 10:45:42.779: IKEv2:% Getting preshared key from profile keyring v2-kr1
*Aug 26 10:45:42.779: IKEv2:% Getting preshared key by address 1.1.1.244
*Aug 26 10:45:42.779: IKEv2:% Matched peer block 'abc'
*Aug 26 10:45:42.779: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.252
*Aug 26 10:45:42.779: IKEv2:Policy pol-1 cannot be picked due to fvrf mismatch
*Aug 26 10:45:42.779: IKEv2:No Matching policy with fvrf 0, local addr 1.1.1.252
*Aug 26 10:45:42.779: IKEv2:Failed to initiate sa

1 Reply

ma4d (Level 1)

I know this is a very old post, but I'd like to answer it anyway for future use, since it pops up at the top of a Google search for vti fvrf.

The key is to specify your fvrf on your tunnel interface. For instance:

interface Tunnel506
 ip address 10.47.3.101 255.255.255.252
 keepalive 1 5
 tunnel source 1.1.1.244
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.252
 tunnel vrf internet
 tunnel protection ipsec profile ipsecprof
!

This will specify the VRF that your tunnel source and destination are in.

Since there is no "vrf forwarding" command on your Tunnel506, the tunneled traffic will be in your global VRF.
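The mismatch the debug output shows (IKEv2 searching with fvrf 0, i.e. global, while the policy and profile match fvrf internet) is easy to introduce again on the next tunnel. The script below is an added example, not code from the thread or from Cisco: it parses an IOS-style `show running-config` dump, resolves each protected VTI's `tunnel source` to the VRF of the interface that owns it, and reports tunnels whose `tunnel vrf` disagrees with that VRF or with the `match fvrf` of the IKEv2 profile behind the IPsec profile. The sample config is constructed for the example: Tunnel506 mirrors the questioner's configuration without `tunnel vrf`, Tunnel507 carries the fix from the reply; the VRF and interface names are the ones from the thread, and the treatment of a profile with no `match fvrf` as global is an assumption noted in the code.

```python
# Added example, not from the thread: a linter that reads an IOS-style running
# config and flags VTI tunnels whose front-door VRF (tunnel vrf) disagrees with
# the VRF of the interface owning the tunnel source, or with the 'match fvrf'
# of the IKEv2 profile behind the IPsec profile.
import re

# Constructed sample: Tunnel506 is the questioner's config (no 'tunnel vrf'),
# Tunnel507 carries the fix from the reply (tunnel vrf internet).
SAMPLE_CONFIG = """\
crypto ikev2 profile prof
 match fvrf internet
 ivrf global
!
crypto ipsec profile ipsecprof
 set ikev2-profile prof
!
interface GigabitEthernet0/1
 ip vrf forwarding internet
 ip address 1.1.1.244 255.255.255.0
!
interface Tunnel506
 tunnel source 1.1.1.244
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.252
 tunnel protection ipsec profile ipsecprof
!
interface Tunnel507
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.253
 tunnel vrf internet
 tunnel protection ipsec profile ipsecprof
!
"""


def parse_blocks(text):
    """Yield (header, [indented sub-lines]) for each block of a 'show run' dump."""
    header, body = None, []
    for line in text.splitlines():
        if line.startswith(" ") and header:
            body.append(line.strip())
            continue
        if header:
            yield header, body
        header, body = (None, []) if line.strip() in ("", "!") else (line.strip(), [])
    if header:
        yield header, body


def first(body, pattern):
    """Return the first capture group of the first body line matching pattern."""
    for line in body:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def build_model(text):
    """Collect interfaces (with VRF and address), IKEv2 fvrf matches and IPsec->IKEv2 links."""
    interfaces, ikev2_fvrf, ipsec_to_ikev2 = {}, {}, {}
    for header, body in parse_blocks(text):
        words = header.split()
        if words[0] == "interface":
            interfaces[words[1]] = {
                "vrf": first(body, r"(?:ip )?vrf forwarding (\S+)"),
                "ip": first(body, r"ip address (\S+) "),
                "body": body,
            }
        elif header.startswith("crypto ikev2 profile "):
            ikev2_fvrf[words[3]] = first(body, r"match fvrf (\S+)")
        elif header.startswith("crypto ipsec profile "):
            ipsec_to_ikev2[words[3]] = first(body, r"set ikev2-profile (\S+)")
    return interfaces, ikev2_fvrf, ipsec_to_ikev2


def source_vrf(src, interfaces):
    """Resolve 'tunnel source' (an address or an interface name) to its VRF."""
    if src in interfaces:
        return interfaces[src]["vrf"]
    return next((e["vrf"] for e in interfaces.values() if e["ip"] == src), None)


def check_vti_fvrf(text):
    """Return [(tunnel, problem)] for protected VTIs; [] means the fvrf is consistent."""
    interfaces, ikev2_fvrf, ipsec_to_ikev2 = build_model(text)
    findings = []
    for name, entry in interfaces.items():
        body = entry["body"]
        src = first(body, r"tunnel source (\S+)")
        prof = first(body, r"tunnel protection ipsec profile (\S+)")
        tvrf = first(body, r"tunnel vrf (\S+)")  # None => IKE/ESP sourced from global
        if not (name.startswith("Tunnel") and src and prof):
            continue  # unprotected tunnel or nothing to resolve
        svrf = source_vrf(src, interfaces)
        if svrf != tvrf:
            findings.append((name, f"tunnel source {src} sits in VRF {svrf or 'global'} "
                                   f"but tunnel vrf is {tvrf or 'global'}"))
        ike = ipsec_to_ikev2.get(prof)
        if ike in ikev2_fvrf:
            want = ikev2_fvrf[ike]  # assumption: no 'match fvrf' means global
            if want != "any" and want != tvrf:
                findings.append((name, f"IKEv2 profile {ike} matches fvrf {want or 'global'} "
                                       f"but tunnel vrf is {tvrf or 'global'}"))
    return findings


if __name__ == "__main__":
    for tunnel, problem in check_vti_fvrf(SAMPLE_CONFIG) or [("-", "no fvrf mismatches")]:
        print(f"{tunnel}: {problem}")
```

Run against the sample, Tunnel506 is reported twice (source VRF and IKEv2 profile fvrf both disagree with the global fvrf implied by the missing `tunnel vrf`), Tunnel507 is clean; adding `tunnel vrf internet` to Tunnel506 empties the report, which is the fix the reply describes.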
