
VRF aware VPN

hubertzw
Level 1

Hi,

I'm trying to set up different types of VRF-aware VPN and I have a problem with the one below:

FVRF=VRF1 and IVRF=global, no VRF

There are 2 routers with Loopback1 (global VRF) and gig0/0 (vrf FVRF). When I ping between the Loop1's I see the ISAKMP and IPsec SAs are up, but I don't receive an echo reply.

Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
11.11.11.11           10.0.0.1              10.0.0.2             22.22.22.22

r1#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA

r1#sh cry

r1#sh crypto ip

r1#sh crypto ipsec sa

interface: GigabitEthernet0/0

    Crypto map tag: MAPA, local addr 10.0.0.1

   protected vrf: FVRF

   local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)

   current_peer 10.0.0.2 port 500

     PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

     current outbound spi: 0xCF660D5A(3479571802)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x66992BE3(1721314275)

r1# 

I added static routes on r1 and r2 but apparently I missed something else:

r1:

ip route 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2

r2:

ip route 11.11.11.11 255.255.255.255 GigabitEthernet0/0 10.0.0.1

Any suggestions?

Hubert
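
An added example, not part of the original post: a small Python parser for the `show crypto ipsec sa` text above that pulls out the protected VRF, the proxy identities and the encaps/decaps counters, and flags an SA that carries traffic in only one direction (r1 here shows 4 decaps and 0 encaps). The function names are illustrative, and the sample is excerpted from the output quoted in the post.

```python
import re

# Excerpt of the r1 output quoted in the post above.
SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: MAPA, local addr 10.0.0.1
   protected vrf: FVRF
   local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""

IDENT = re.compile(r"^\s*(local|remote)\s+ident .*?:\s*\(([\d.]+)/")
COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
VRF = re.compile(r"^\s*protected vrf:\s*(\S+)")


def parse_sas(text):
    """Return one dict per SA; each SA block starts at its 'protected vrf:' line."""
    sas, cur = [], None
    for line in text.splitlines():
        m = VRF.match(line)
        if m:
            cur = {"vrf": m.group(1), "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue  # interface / crypto map header before the first SA
        m = IDENT.match(line)
        if m:
            cur[m.group(1)] = m.group(2)  # proxy identity address
        for name, value in COUNTER.findall(line):
            cur[name] = int(value)
    return sas


def one_way(sa):
    """'rx-only' or 'tx-only' when only one direction has counted packets, else None."""
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        return "rx-only"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "tx-only"
    return None


if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa.get("local"), "->", sa.get("remote"), "vrf:", sa["vrf"], one_way(sa))
```

The reported `vrf` value can be compared with the IVRF the configuration was meant to use, and the same check can be run on the r2 output to see which direction is missing on each side.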
