Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Map IPSec to MPLS using Radius

Hi all, I have an IPSec to MPLS solution running on our PE router. Currently IPSec is (Cisco VPN client over the internet) connected with a given VRF based on the group name used. This works, but isn't really ideal for me, it would be much more elegant if forwarding to a particular VRF was based on a user's radius profile. I've done quite a bit of reading on cisco, the only thing I can find is here:

And that's what I'm already running. Is my idea achievable? And if so, is it as simple as setting a VSA on a user's radius profile? Any pointers to documentation or configuration examples would be fantastic! Thanks for the help! Jerome


Re: Map IPSec to MPLS using Radius

Hi there Jerome,

I have also been looking for a solution to this, and IIRC I found that the most feasible solution would be to convert to digital certificates.

Like this:

- Let the users apply for certificates for each of the VPN's they want to access

- Assign one certificate for each VPN for each user

- Do matching on some value in the certificate to assign the correct group

This way it's possible to revoke a users access to a specific VPN by revoking his/hers certificate on the CA.

Though I remember when I first implemented IPSec to Multi-VRF I had to use a AVpairs like this:

(from freeradius-config):

Cisco-AVPair == "lcp:interface-config=ip vrf forwarding MYVRF\\n ip unnumbered loopback 10\\n peer default ip address pool MYVRF-RA-POOL"

Did it help?

Community Member

Re: Map IPSec to MPLS using Radius

Hi Stig, thanks for the reponse, I'd prefer to stick with the Radius if possible.

I've added those changes to a test radius account. I'm assuming the Loopback interface referred to is in "MYVRF"?

So, the VPN client connects, but a "show ip route vrf MYVRF" on the IPSec to MPLS router doesn't show a route to the vpn client (I am using reverse-route in the dynamic map). However, "show ip route" shows a route to the VPN client address. This indicates to me it's being installed in the global routing table. Wierd.

Community Member

Re: Map IPSec to MPLS using Radius

And, from the VPN client machine, once logged in, I can indeed ping things in the global routing table. (As opposed to the VRF referred to in the AVPair). Any thoughts?

CreatePlease to create content