VRF Aware Crypto Map

martin.schwab.computer · ‎03-03-2014

Hi,

I´ve a VPN Router with VRF´s for every customer and also for the Internet Connection.
On the Router run many DMVPN´s and Static VTI.

Now I must configure a new VPN based on a crypto map.
I´ve read that it´s impossible to termnate a crypto map an a VTI on the same physical interface.

So I´ve installed a new physical interface to terminate the crypto map.

This are the configuration which insert to the running configuration:

crypto keyring KEYRING-Customer vrf OUTSIDE_CM
pre-shared-key address a.b.c.d key KEY

crypto isakmp policy 100
encr aes 256
hash sha1
group 14
authentication pre-share

ip access-list exten ACL-Customer
10 permit ip 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255

crypto isakmp profile Customer

keyring KEYRING-Customer
match identity address a.b.c.d 255.255.255.255 OUTSIDE_CM
local-address Gig0/0
vrf Customer

crypto map CMAP 10 ipsec-isakmp
set peer a.b.c.d
set transform-set AES256
set isakmp-profile Customer
match address ACL-Customer
set pfs group14

int gig0/0
vrf forwarding Customer
ip address 1.2.3.4 255.255.255.0
crypto map CMAP

But I see nothing on the router. Whit debug crypto isakmp i can´t see any traffic for this VPN.

Where is my mistake ?
The OUTSIDE_CM VRF ist the VRF for WWW traffic.

The Customer VRF ist the Customer LAN.

Many Thanks

BR Martin

Marcin Latosiewicz · ‎03-03-2014

Martin,

The way you applied crypto map you're indicating encrypted traffic will arrive on Customer VRF. Your config and decription indicate this is not the case.

Also make sure you have routes leaked (via static routing or RRI) in Customer VRF.

Out of curiosity, why not use VRF awareness with VTI?

M.

martin.schwab.computer · ‎03-04-2014

Marcin,

the reason why I don´t use VTI in this case is very simple. I transfer the old VPN from a PIX and im not shure
if it possible to run this VPN with VTI, because the other side is not configured from us.

An it´s not a cisco device. What do you think.... When I´ve try to use a VTI, how the other side is checking the Crypto map ? Because, normaly, when a ASA for Example builds a VPN the device´s check which crypto map is configured on the other side and if the crypto map isn´t idetical, the VPN doesn´t came up.....

Thank´s for your help. It´s my first Router with VPN´s. Normally I use ASA´s. But I think with a router we are more flexible... QoS, OSPF etc....

BR M

Marcin Latosiewicz · ‎03-04-2014

Martin,

Indeed routers offer way more possibilities.

In the example you mentioned, you can use multi-SA DVTI (supported from 15.2(4)M AFAIR), however in this case you can only terminate, not initiate.

Stick with your crypto map idea for the time being, just remember that crypto map always goes to "outside" interface, same way it does on ASA.

There were discussions to change this paradigm, in which case your scenario would have worked, but with advent of tunnel protection this was shelved.

M.

martin.schwab.computer · ‎03-07-2014

Hi,

now I know the other side is a Sophos UTM9.
The other Adamin told me, that the Aplliance only supports policy based VPN.

So I can´t use VTI....

But I think my prolem is the route leeking between the VRF´s.

Because, with the VTI´s I didn´t need route leeking.

Is it enough to configure in the outside and customer vrf´s route traget export and import ?

But it must be secure, that I can´t route normal, unencrypted traffic from the customer vrf to the www.

Many thanks

martin

Marcin Latosiewicz · ‎03-07-2014

Martin,

You can use RRI to route the networks on the opposite side.

A example:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-rev-rte-inject.html#GUID-DEBFE993-16DF-4599-946A-1B7A42521C92

It's not the best to be honest :{

M.