Solved: 7600 VPN with VRF

Keith McElroy · ‎12-14-2011

This seems straight forward, haven't had any luck yet. On c7600s72033-adventerprisek9-mz.122-33.SRC3.bin with 2 Gbps IPSec SPA SPA-IPSEC-2G

I am wanting to terminate the tunnel onto a public IP on a loopback interface in the global routing table. From there, the interesting traffic is actually in a VRF on two separate VLANs. This is being done with crypto maps as the customer is using an ASA. Right now the crypto map is on the VLANs and the crypto engine slot inside command is on them with the outside command on the loopback.

crypto engine mode vrf

crypto keyring Test

pre-shared-key address "peer IP" key "password string"

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp profile Test

vrf Test

keyring Test

match identity address "public IP" 255.255.255.255

crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac

crypto map IPSEC local-address Loopback1

crypto map IPSEC 10 ipsec-isakmp

set peer "public IP"

set transform-set 3DES-MD5

set isakmp-profile Test

match address ACL

interface Loopback1

ip address "public IP" 255.255.255.255

crypto engine slot 7/0 outside

interface Vlan 2

ip vrf forwarding Test

ip address "private IP" 255.255.255.248

crypto map IPSEC

crypto engine slot 7/0 inside

There is my config, I have rebooted after putting in the "crypto engine mode vrf" command. Below is the debug. I have sanitized the IPs since this is for a customer.

11:48:18: ISAKMP (0): received packet from "public IP" dport 500 sport 500 Global (N) NEW SA

11:48:18: ISAKMP: Created a peer struct for "public IP", peer port 500

11:48:18: ISAKMP: New peer created peer = 0x5B1C95AC peer_handle = 0x800008C0

11:48:18: ISAKMP: Locking peer struct 0x5B1C95AC, refcount 1 for crypto_isakmp_process_block

11:48:18: ISAKMP: local port 500, remote port 500

11:48:18: ISAKMP: Unable to allocate IKE SA

11:48:18: ISAKMP: Unlocking peer struct 0x5B1C95AC for isadb_unlock_peer_delete_sa(), count 0

Hardware Encryption : ACTIVE

Number of hardware crypto engines = 1

CryptoEngine SPA-IPSEC-2G[7/0] details: state = Active

Capability :

IPSEC: DES, 3DES, AES, RSA

IKE-Session : 0 active, 16383 max, 0 failed

DH : 0 active, 9999 max, 0 failed

IPSec-Session : 0 active, 65534 max, 0 failed

Does anyone have any ideas why it is throwing that error?

Marcin Latosiewicz · ‎12-14-2011

Have a looks at example - it's almost exactly what you're looking for.

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76cfvpna.html#wp2028452

Loopback is NOT the correct interface to apply crypto engine outside to.

"outside" identifies interface where encrypted packet are going out and in through (this is where we will do TCAM entry to redirect traffic to SPA module) - it's the first L3 interface - usually a SVI.

crypto map testtag local-address Vlan3 <--- need to change this to your loopback.

You should not apply any crypto features to loopback - although we do allow crypto to be source from loopback via local-address.

HTH,

M.

(edit: sorry didn't pay close attentiont o your current config, major thing you need to change is apply crypto engine outside to first L3 interface in global VRF).

View solution in original post

Marcin Latosiewicz · ‎12-14-2011