ASR1000, Multi VRF and IPSEC VPNs

A colleague is struggling to get two VPNs running in a multi VRF environment.

We have a single link joining two sites, and two VRFs that need to communicate over the single link, and it needs to be encrypted using IPSEC.

We are using OSPF as an RP.

We have two subinterfaces at each end, and are running two GRE tunnels to carry traffic including OSPF; we are then trying to encrypt the tunnels.

Each tunnel is associated with a different VRF. One works, the other does not. I don't have details, but I gather the session is not formed.

The config works when applied to a standard router, but not on the ASR.

Is there anything about the ASR that makes it unusual, or anything basic we are likely to have overlooked?

3 REPLIES
Cisco Employee

Re: ASR1000, Multi VRF and IPSEC VPNs

Paul,

What sort of deployment is this, tunnel protection or crypto maps?

I believe the support for this feature has been added only recently... what software are you running?

Crypto maps have some restrictions.

http://www.cisco.com/en/US/docs/ios/ios_xe/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec_xe_ps11174_TSD_Products_Configuration_Guide_Chapter.html#wp1054100

And my feeling is that the general push is to use SVTI rather than GRE:

http://www.cisco.com/en/US/docs/ios/ios_xe/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl_xe_ps11174_TSD_Products_Configuration_Guide_Chapter.html#wp1046681

Hard to say without knowing more details.

Marcin

Re: ASR1000, Multi VRF and IPSEC VPNs

Thanks for the comments - some reading to do there!

We are using crypto maps and SW is 2.4.4.

Paul.

Cisco Employee

Re: ASR1000, Multi VRF and IPSEC VPNs

Hi,

The official support for vrf-aware ipsec wasn't added to IOS XE until RLS2.6, see:

http://www.cisco.com/en/US/docs/ios/ios_xe/2/release/notes/rnasr21.html#wp2731296

Thanks,

Wen
