site to site vpn terminating on vrf interface

philbe · ‎10-09-2014

hi

i have to create a site to site vpn for an ASA to a C3945 (15.2) router.

I'm used to site to site vpns, just not the VRF part.

I'm configuring a sub-interface on the 3945 that is part of a vrf.

I'm just checking my config is going in the correct direction ..... any advice appreciated.

!

ip vrf customervrf
rd 172.17.173.226:1
!
crypto keyring vpn-customer-keyring vrf customervrf
pre-shared-key address a.b.c.d key NEW-KEY
!
crypto isakmp profile customer-tunnel-isakmp
vrf customervrf
keyring vpn-customer-keyring
match identity address a.b.c.d customervrf
!
crypto ipsec transform-set vpn-customer-transform esp-aes esp-sha-hmac
! mode tunnel
!
access-list vpn-customer-asa-acl extended permit ip 10.17.200.0 255.255.255.0 192.168.0.0 255.255.255.0
!
crypto map customer-crypto-map 10 ipsec-isakmp
set peer a.b.c.d
set transform-set vpn-customer-transform
set isakmp-profile customer-tunnel-isakmp
match address vpn-customer-asa-acl
! set pfs group2
! reverse-route remote-peer static
!
!
interface GigabitEthernet0/0.12
encapsulation dot1Q 12
ip vrf forwarding customervrf
ip address 10.17.173.226 255.255.255.240
crypto map customer-crypto-map
no shut

ghostinthenet · ‎10-10-2014

You're mostly there, but things get confusing depending on whether the interface that hosts the tunnel is in a VRF and/or the tunnel terminates on a VRF.

The "vrf customervrf" isn't needed on your keyring if you're just terminating the tunnel on the VRF. The "vrf customervrf" statement for that piece is only used if the interface hosting the tunnel is in a VRF, so this is going to keep your phase 1 from coming up.

You also don't need the "crypto map customer-crypto-map" statement on your GigabitEthernet0/0.12 interface. That should be applied to the interface facing the VPN peer.

I'm running under the assumption that you're only wanting to terminate the VPN on the VRF and that the route to the other end of the tunnel is in your global routing table. Please correct me if I'm wrong on that.

philbe · ‎10-13-2014

hi

thanks for the respones.

i'm terminating the tunnel on the GigabitEthernet0/0.12, which is in a vrf. This interface has a NAT on the firewall to a public IP for the peer address.

The customer will then route to other networks within the global route table.

So just to confirm, i can remove the "vrf customervrf" from the keyring?

Where do i apply the "crypto map customer-crypto-map" statement? I guessed it would be on the g0/0.12 as this is the outgoing interface, with the NAT to the public ip.

many thanks for the help

phil

ghostinthenet · ‎10-13-2014

The VRF keyword on the letting can be removed unless the peer address is reached through that VRF.

From the looks of your configuration GigabitEthernet0/0.12 is the incoming interface for your VRF, not the outgoing interface for the peer. Assuming that the peer is across the Internet, the crypto map should be on the interface that holds the route to the peer. This will usually be your Internet-facing interface.

philbe · ‎10-13-2014

This is a router on a stick config that goes straight to a checkpoint fw, that is doing the nat, so i'm not completely sure if that makes it the inbound or outgoing i/f.

I'll probably implement it in a couple of weeks time and test.

Really appreciate the help Jody, thanks

ghostinthenet · ‎10-14-2014

In this case, it would make it both. :)

If the peer is being reached via GigabitEthernet0/0.12, then the vrf keyword is going to need to go back on the key ring and the crypto map will need to be applied to the GigabitEthernet0/0.12 interface again.