
VRF aware VPN

Hi,

I'm trying to set up different types of VRF-aware VPN and I have a problem with the one below:

FVRF=VRF1 and IVRF=global, no VRF

There are 2 routers with Loopback1 (global VRF) and gig0/0 (vrf FVRF). When I ping between the Loop1s I see that the ISAKMP and IPsec SAs are up, but I don't receive an echo reply.

Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)

11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22

r1#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA

r1#sh cry

r1#sh crypto ip

r1#sh crypto ipsec sa

interface: GigabitEthernet0/0

    Crypto map tag: MAPA, local addr 10.0.0.1

   protected vrf: FVRF

   local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)

   current_peer 10.0.0.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

     current outbound spi: 0xCF660D5A(3479571802)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x66992BE3(1721314275)

r1# 

I added static routes on r1 and r2 but apparently I missed something else:

r1:

ip route 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2

r2:

ip route 11.11.11.11 255.255.255.255 GigabitEthernet0/0 10.0.0.1

Any suggestions?

Hubert


VRF aware VPN

Do you have a route back from the VRF to the global table? This would be a static route including the VRF.


Re: VRF aware VPN

Hi,

Yes, I have the static route:

r1#sh run | i route

ip source-route

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.0.2

r1#sh ip ro

r1#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.0.0.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.2, GigabitEthernet0/0

      11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        11.11.11.0/24 is directly connected, Loopback1

L        11.11.11.11/32 is directly connected, Loopback1

r1#sh ip route vr

r1#sh ip route vrf FVRF

Routing Table: FVRF

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        10.0.0.0/24 is directly connected, GigabitEthernet0/0

L        10.0.0.1/32 is directly connected, GigabitEthernet0/0

r1#

The problem is that I can't specify the 'global' VRF in the route statement. When I tested a slightly different scenario, everything worked fine:

a) Loop1 (vrf=IVRF) -- gig0/0 (global vrf) <-> gig0/0 (global vrf) -- Loop1 (vrf=IVRF)

  11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22

I just added:

ip route vrf IVRF 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2 global

b) With 2 VRFs:

Loop1 (vrf=IVRF) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (vrf=IVRF)

11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22

I added:

ip route vrf FVRF 0.0.0.0 0.0.0.0 10.0.0.1

ip route vrf IVRF 0.0.0.0 0.0.0.0 FastEthernet0/0 10.0.0.1

So the problem I have occurs only when the Loopback interfaces are in the global VRF and the physical interfaces are in vrf=FVRF:

Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)

11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22

I wonder if Cisco supports such a scenario.


VRF aware VPN

I found a way to accomplish it; the solution is an IPsec profile:

r1#sh crypto session  detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection   

K - Keepalives, N - NAT-traversal, T - cTCP encapsulation    

X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel1

Profile: ISAKMP-PRF

Uptime: 00:04:16

Session status: UP-ACTIVE    

Peer: 10.0.0.2 port 500 fvrf: FVRF ivrf: (none)

      Phase1_id: 10.0.0.2

      Desc: (none)

  IKE SA: local 10.0.0.1/500 remote 10.0.0.2/500 Active

          Capabilities:(none) connid:1006 lifetime:23:55:43

  IPSEC FLOW: permit 47 host 10.0.0.1 host 10.0.0.2

        Active SAs: 2, origin: crypto map

        Inbound:  #pkts dec'ed 10 drop 0 life (KB/Sec) 4469482/3343

        Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4469482/3343
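As an added example (not configuration posted in this thread or taken from Cisco documentation), here is one way the r1 side of the tunnel-based setup shown in the final post could look: a GRE-over-IPsec Tunnel1 whose outer packets are routed in FVRF while the tunnel interface itself stays in the global VRF. Only Tunnel1, ISAKMP-PRF, FVRF, the peer addresses and protocol 47 come from the page; the key, policy numbers, transform set, tunnel addressing and the names KR-FVRF, TS-AES and IPSEC-PRF are assumptions.

```cisco
! Added example, not from the thread. Assumed: PSK, policy, transform set,
! tunnel addressing and every name except Tunnel1, ISAKMP-PRF and FVRF.
crypto keyring KR-FVRF vrf FVRF
 pre-shared-key address 10.0.0.2 key EXAMPLE-PSK-REPLACE-ME
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! No "vrf" statement inside the profile: the inside VRF (IVRF) is the
! global table. The front-door VRF is carried by the keyring and the
! match statement, which is what produces "fvrf: FVRF ivrf: (none)".
crypto isakmp profile ISAKMP-PRF
 keyring KR-FVRF
 match identity address 10.0.0.2 255.255.255.255 FVRF
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-PRF
 set transform-set TS-AES
 set isakmp-profile ISAKMP-PRF
!
interface GigabitEthernet0/0
 ip vrf forwarding FVRF
 ip address 10.0.0.1 255.255.255.0
!
! Tunnel1 carries no "ip vrf forwarding", so its inside traffic is global.
! "tunnel vrf FVRF" resolves the tunnel destination in FVRF; the default
! GRE mode is what yields the "permit 47 host 10.0.0.1 host 10.0.0.2" flow.
interface Tunnel1
 ip address 192.168.100.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel vrf FVRF
 tunnel protection ipsec profile IPSEC-PRF
!
! The global-table route for the remote loopback now points into the
! tunnel instead of at gig0/0, so no "global" keyword is needed.
ip route 22.22.22.22 255.255.255.255 Tunnel1
```

The r2 side mirrors this with the addresses swapped (tunnel destination 10.0.0.1, route for 11.11.11.11 via Tunnel1).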
