IPSec with vrf and local address

Antonio_1_2 (Level 1)

Hello,

I'm trying to establish an IPsec tunnel from a Cisco 7200 router (IOS 12.4(5a)). The tunnel needs to terminate on my side in a local VRF, and the peer address is the Loopback0 address (not the address of the outgoing interface that has the crypto map configured on it). Here is the config:

ip vrf VPN
 rd 10:10
!
crypto keyring KEY1
 pre-shared-key address 192.168.100.1 key 747a592ca7
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp profile PROFILE
 vrf VPN
 keyring KEY1
 match identity address 192.168.100.1 255.255.255.255
 local-address Loopback0
!
crypto ipsec transform-set Medium1 esp-3des esp-sha-hmac
!
crypto map vpn 100 ipsec-isakmp
 set peer 192.168.100.1
 set transform-set Medium1
 set pfs group2
 set isakmp-profile PROFILE1
 match address 111
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.252
 crypto map vpn
!
interface GigabitEthernet0/2
 ip vrf forwarding VPN
 ip address 10.10.10.1 255.255.255.0
!
ip route vrf VPN 0.0.0.0 0.0.0.0 1.1.1.2 global
!
access-list 111 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255

Although I have local-address Loopback0 (2.2.2.2) in profile PROFILE1, the outgoing interface address 1.1.1.1 (the one that has the crypto map applied) is still used:

protected vrf: VPN
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
current_peer 192.168.100.1 port 500
  PERMIT, flags={origin_is_acl,}
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 55, #recv errors 0

 local crypto endpt.: 1.1.1.1, remote crypto endpt.: 192.168.100.1
 path mtu 1500, ip mtu 1500
 current outbound spi: 0x0(0)

 inbound esp sas:
 inbound ah sas:
 inbound pcp sas:
 outbound esp sas:
 outbound ah sas:
 outbound pcp sas:

I even tried to put interface Loopback0 in VRF VPN with:

interface Loopback0
 ip vrf receive VPN
 ip address 2.2.2.2 255.255.255.255
 ip policy route-map IDLE

But it didn't help. Does anyone know what the problem could be?

Thanks,

A

1 Reply

Antonio_1_2 (Level 1)

In the above config it should be

crypto map vpn 100 ipsec-isakmp
 set isakmp-profile PROFILE

and not

crypto map vpn 100 ipsec-isakmp
 set isakmp-profile PROFILE1
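The root cause in this thread is a crypto map that references an ISAKMP profile name that is never defined, so the profile's vrf and local-address never take effect and IOS falls back to the outgoing interface address. As an added check (not part of the original thread, and not a Cisco tool), the following Python lint parses an IOS config using its one-space sub-command indentation and flags exactly that: a `set isakmp-profile` pointing at an undefined profile, a crypto map with no profile at all, or a referenced profile that lacks `local-address`. The sample config is constructed from the poster's configuration.

```python
import re

# Constructed sample based on the poster's config: the crypto map points at PROFILE1,
# but the only ISAKMP profile defined is PROFILE.
SAMPLE_CONFIG = """\
crypto isakmp profile PROFILE
 vrf VPN
 keyring KEY1
 match identity address 192.168.100.1 255.255.255.255
 local-address Loopback0
crypto map vpn 100 ipsec-isakmp
 set peer 192.168.100.1
 set transform-set Medium1
 set isakmp-profile PROFILE1
 match address 111
"""

def parse_sections(config):
    """Split an IOS config into (header, [sub-commands]) using the one-space indent."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def lint_isakmp_profiles(config):
    """Return findings for crypto maps whose ISAKMP profile is missing or lacks local-address."""
    sections = parse_sections(config)
    profiles = {m.group(1): body for header, body in sections
                if (m := re.match(r"crypto isakmp profile (\S+)$", header))}
    findings = []
    for header, body in sections:
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", header)
        if not m:
            continue
        name = f"{m.group(1)} {m.group(2)}"
        refs = [b.split()[-1] for b in body if b.startswith("set isakmp-profile ")]
        if not refs:
            findings.append(f"{name}: no isakmp-profile set, so profile vrf/local-address cannot apply")
        for ref in refs:
            if ref not in profiles:
                findings.append(f"{name}: references undefined isakmp profile {ref}")
            elif not any(s.startswith("local-address ") for s in profiles[ref]):
                findings.append(f"{name}: profile {ref} has no local-address; outgoing interface address will be used")
    return findings
```

Run it over a `show running-config` capture; an empty result means every crypto map resolves to a defined profile that pins a local address.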
