Community Member

VRF aware IPSEC

Hello,

Hope anyone can give me a hint .....

My problem is that multiple customers, all connected with site-2-site VPN, use the same IP segments on their LAN (IP overlap), so I need to do VRF-aware IPSEC as I understand it.

I have set up a test lab but it doesn't work

http://pastebin.org/275189

Can anyone help here?!

Martin

1 REPLY
Cisco Employee

Re: VRF aware IPSEC

Martin,

What do you want to "virtualize"? Are local or remote subnets overlapping?

Taking a look at your config:

--------

crypto keyring KUNDE1 vrf KUNDE1
  pre-shared-key address 150.1.11.17 key vpn-kodeord
crypto isakmp profile KUNDE1
   vrf KUNDE1
   keyring KUNDE1
   self-identity address
   match identity address 150.1.11.17 255.255.255.255 KUNDE1

----------

You're expecting both Inside and Front VRF to be KUNDE1. I.e. encapsulated packets should be received on VRF KUNDE1 and also be decapsulated there.

If there is only one overlap we either:

- Use VRFs (if multiple local subnets are shared); if it's an Internet deployment you use only one Front VRF.

- NAT if multiple remote subnets are shared (note that NAT is done before encryption)

What kind of deployment did you have in mind?

Marcin
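
The check the reply makes by reading the config can be scripted. The following is an added example, not part of either post and not Cisco tooling: a small Python parser (the function name `vrf_roles` and the `global` label are assumptions made here) that reports, per ISAKMP profile, the Inside VRF (`vrf` under the profile) and the Front VRF (the `vrf` keyword on the keyring and the last argument of `match identity address`), run on the snippet quoted above.

```python
import re

# Constructed input: the snippet quoted in the reply, with the line numbers removed.
SAMPLE = """\
crypto keyring KUNDE1 vrf KUNDE1
  pre-shared-key address 150.1.11.17 key vpn-kodeord
crypto isakmp profile KUNDE1
   vrf KUNDE1
   keyring KUNDE1
   self-identity address
   match identity address 150.1.11.17 255.255.255.255 KUNDE1
"""

GLOBAL = "global"  # label chosen here for "no VRF keyword given"


def vrf_roles(config):
    """Map each ISAKMP profile to its Inside VRF and Front VRF(s)."""
    keyrings, profiles, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            cur = None  # a top-level command closes the open profile block
        if m := re.fullmatch(r"crypto keyring (\S+)(?: vrf (\S+))?", line):
            keyrings[m[1]] = m[2] or GLOBAL  # VRF in which the peer is reached
        elif m := re.fullmatch(r"crypto isakmp profile (\S+)", line):
            cur = profiles.setdefault(
                m[1], {"ivrf": GLOBAL, "keyring": None, "match_fvrf": []})
        elif cur is None:
            continue  # sub-command of a block this example does not track
        elif m := re.fullmatch(r"vrf (\S+)", line):
            cur["ivrf"] = m[1]  # VRF for the decrypted (clear-text) traffic
        elif m := re.fullmatch(r"keyring (\S+)", line):
            cur["keyring"] = m[1]
        elif m := re.fullmatch(
                r"match identity address \S+(?: \d+\.\d+\.\d+\.\d+)?(?: (\S+))?", line):
            cur["match_fvrf"].append(m[1] or GLOBAL)
    for p in profiles.values():  # resolve keyrings after the whole file is read
        p["keyring_fvrf"] = keyrings.get(p["keyring"], GLOBAL)
        fronts = set(p["match_fvrf"]) | {p["keyring_fvrf"]}
        p["front_equals_inside"] = fronts == {p["ivrf"]}
    return profiles


if __name__ == "__main__":
    for name, roles in vrf_roles(SAMPLE).items():
        print(name, roles)
```

For the quoted snippet it reports `front_equals_inside: True`, which is the point the reply raises: encrypted packets are expected in the same VRF that carries the customer's clear-text traffic.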
