GETVPN with VRF Lite

mark · ‎09-20-2010

Hi All

Has anyone managed to setup GETVPN on a CE router with VRF Lite?

I using 2821's (12(24)T4) in a test lab to test the functionality of GETVPN before I deploy on a production network. The GETVPN configurations works fine if the routing is in the global table but once the config is moved to a VRF the GM's will not register. The KS is only using the global routing table as it is not VRF aware.

The MPLS core and CE to KS connectivity is working fine. Does anyone have a working configuration?

Thanks

Mark

Marcin Latosiewicz · ‎09-20-2010

Mark,

If I understand what you're going after you need 15.0(1)M minimum.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_encrypt_trns_vpn_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1231392

GET VPN VRF-Aware GDOI on GM

15.0(1)M

This feature enhances GET VPN; it allows separation between Data and Control planes on Group Members.

The following command was introduced or modified: client registration interface.

Hope this helps.

Marcin

mark · ‎09-21-2010

Hi Marcin

Thanks for the speedy response to my question. I'm not neccessarily looking to split the data and control traffic but merely trying configure GETVPN on a VRF interface. I have CE routers which have multiple VRF's (Customer data, Management) and now internet and I want to encrypt the new internet vrf. I have followed the design guide and I'm using the recommended versions.

I will try ver 15 and see what functionality that gives me.

Do you have a working configuration that you can share?

Thanks

Mark

Marcin Latosiewicz · ‎09-21-2010

Mark,

There this example from a collgueague of mine. Not it is using client registration interface (it's on 15.0).

If time allows I will also check in my lab.

Hope this helps.

Marcin

!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco123 address 1.1.1.1
!
!
crypto gdoi group getvpn_group
identity number 1
server address ipv4 1.1.1.1
client registration interface Ethernet0/0
!
crypto gdoi group getvpn_group2
identity number 2
server address ipv4 1.1.1.1
client registration interface Ethernet0/0
!
crypto gdoi group getvpn_group3
identity number 3
server address ipv4 1.1.1.1
client registration interface Ethernet0/0
!
!
crypto map client1 10 gdoi
set group getvpn_group
!
crypto map client2 10 gdoi
set group getvpn_group2
!
crypto map client3 10 gdoi
set group getvpn_group3
!
!
!
!
!
interface Loopback10
ip vrf forwarding client1
ip address 10.10.10.1 255.255.255.0
!
!
interface Loopback20
ip vrf forwarding client2
ip address 10.10.10.1 255.255.255.0
!
!
interface Loopback30
ip vrf forwarding client3
ip address 10.0.10.1 255.255.255.0
!
!
interface Ethernet0/0
ip address 10.10.20.1 255.255.255.248
!
!
interface Ethernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding client1
ip address 192.168.1.1 255.255.255.248
crypto map client1
!
interface Ethernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding client2
ip address 192.168.1.1 255.255.255.248
crypto map client2
!
interface Ethernet0/0.30
encapsulation dot1Q 30
ip vrf forwarding client3
ip address 192.168.10.1 255.255.255.248
crypto map client3
!
!
router eigrp 100
!
address-family ipv4 vrf client1 autonomous-system 100
network 10.0.0.0
network 192.168.0.0 0.0.255.255
exit-address-family
!
address-family ipv4 vrf client2 autonomous-system 100
network 10.0.0.0
network 192.168.0.0 0.0.255.255
exit-address-family
!
address-family ipv4 vrf client3 autonomous-system 100
network 10.0.0.0
network 192.168.0.0 0.0.255.255
exit-address-family
network 10.10.20.0 0.0.0.3