I have a particular setup in mind, but can't get it to work in a GNS3 environment to have it tested before trying it in our production setup.
We have a setup using two VPN routers (3845) with HSRP, BGP and VRF (with rri), using a classical setup with crypto maps, connecting other parties to our DC. We do not manage the peer hardware in these cases.
I'm have been looking into the possibilities to move from this setup, to a setup using SVTI with IPSEC. This change must be transparant to our peers; no config changes should be needed on their component(s).
So I've build our setup in GNS3 (apart from the BGP and VRF) to test this. I have the current IPSEC VPN with crypto maps working in GNS3, with both sides using the same (Cisco) setup in terms of ISAKPM and IPSEC with an ACL.
I've made the changes on "our" HSRP VPN setup according to "IPsec Virtual Tunnel Interface" guide from the Cisco site in GNS3 (can't seem to find the link to the online doc).
It looks like the tunnel is being build, but phase two is not completing, because of, I think, the mismatch between both peers on the ecnryption domain. the VTI side uses routing through the Tunnel interface, sending "IP any any", to the peer, whereas the peer uses a ACL expecting a specifc source and destination.
Here's a debug snippet (ignore the date/time) seen from the peer (using an ACL):
*Mar 1 02:02:45.199: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address xx.xx.xx.xx
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :