Map IPSec to MPLS using Radius

Dec 28th, 2005

Hi all, I have an IPSec to MPLS solution running on our PE router. Currently IPSec (Cisco VPN client over the internet) is connected to a given VRF based on the group name used. This works, but isn't really ideal for me; it would be much more elegant if forwarding to a particular VRF were based on a user's RADIUS profile. I've done quite a bit of reading on cisco.com, and the only thing I can find is here:


And that's what I'm already running. Is my idea achievable? And if so, is it as simple as setting a VSA on a user's radius profile? Any pointers to documentation or configuration examples would be fantastic! Thanks for the help! Jerome

johansens Thu, 12/29/2005 - 02:24

Hi there Jerome,

I have also been looking for a solution to this, and IIRC I found that the most feasible solution would be to convert to digital certificates.

Like this:

- Let the users apply for certificates for each of the VPNs they want to access

- Assign one certificate for each VPN for each user

- Do matching on some value in the certificate to assign the correct group

This way it's possible to revoke a user's access to a specific VPN by revoking his/her certificate on the CA.

Though I remember when I first implemented IPSec to Multi-VRF I had to use AV pairs like this:

(from freeradius-config):

Cisco-AVPair == "lcp:interface-config=ip vrf forwarding MYVRF\\n ip unnumbered loopback 10\\n peer default ip address pool MYVRF-RA-POOL"

Did it help?
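The per-user VRF mapping Stig describes, written out as a complete FreeRADIUS users-file entry for two users landing in two different VRFs. This is an added example, not text from the thread or from a Cisco or FreeRADIUS document; the user names, passwords, VRF names, loopback numbers and pool names are placeholders, and it assumes the PE requests per-user network authorization from RADIUS for the VPN session (aaa authorization network ... group radius) so that the reply attributes are actually applied to the session.

```text
# /etc/raddb/users  (FreeRADIUS "users" file; added example, not from the thread)
#
# First line of each entry: check items, matched against the Access-Request.
# Indented lines: reply items, sent back in the Access-Accept.
# "+=" on a reply item adds a further Cisco-AVPair instead of replacing the
# previous one, so every IOS command travels as its own VSA and the NAS
# applies them in order. "ip vrf forwarding" must come first: IOS strips any
# address already on the interface when its VRF changes, so sending it after
# "ip unnumbered" would leave the virtual-access interface without an address.
#
# FreeRADIUS 1.x (current when this thread was written) spells the password
# check as   User-Password == "..."   instead of   Cleartext-Password := "..."

jerome   Cleartext-Password := "changeme-jerome"
         Cisco-AVPair += "lcp:interface-config=ip vrf forwarding MYVRF",
         Cisco-AVPair += "lcp:interface-config=ip unnumbered Loopback10",
         Cisco-AVPair += "lcp:interface-config=peer default ip address pool MYVRF-RA-POOL"

alice    Cleartext-Password := "changeme-alice"
         Cisco-AVPair += "lcp:interface-config=ip vrf forwarding OTHERVRF",
         Cisco-AVPair += "lcp:interface-config=ip unnumbered Loopback20",
         Cisco-AVPair += "lcp:interface-config=peer default ip address pool OTHERVRF-RA-POOL"
```

To check the RADIUS side on its own before involving the router, query the server with radtest (radtest jerome changeme-jerome 127.0.0.1 0 testing123, with the NAS port and shared secret adjusted to the local setup) and confirm that the Access-Accept carries all three Cisco-AVPair attributes in the expected order; if only one survives, the entry is using "=" rather than "+=". Loopback10 and Loopback20 are assumed to already sit in MYVRF and OTHERVRF respectively, since an unnumbered interface borrows the address of an interface that must be in the same VRF.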

j.dolphin Thu, 12/29/2005 - 18:59

Hi Stig, thanks for the response, I'd prefer to stick with RADIUS if possible.

I've added those changes to a test radius account. I'm assuming the Loopback interface referred to is in "MYVRF"?

So, the VPN client connects, but a "show ip route vrf MYVRF" on the IPSec to MPLS router doesn't show a route to the VPN client (I am using reverse-route in the dynamic map). However, "show ip route" shows a route to the VPN client address. This indicates to me that it's being installed in the global routing table. Weird.

j.dolphin Thu, 12/29/2005 - 20:11

And, from the VPN client machine, once logged in, I can indeed ping things in the global routing table. (As opposed to the VRF referred to in the AVPair). Any thoughts?
