VRF aware VPN

hubertzw
Level 1

Hi,

I'm trying to set up different types of VRF-aware VPN and I have a problem with the one below:

FVRF=VRF1 and IVRF=global, no VRF

There are 2 routers with Loopback1 (global VRF) and gig0/0 (vrf FVRF). When I ping between the Loop1s I see the ISAKMP and IPsec SAs are up, but I don't receive an echo reply.

Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)

11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22

r1#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA

r1#sh cry

r1#sh crypto ip

r1#sh crypto ipsec sa

interface: GigabitEthernet0/0

    Crypto map tag: MAPA, local addr 10.0.0.1

   protected vrf: FVRF

   local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)

   current_peer 10.0.0.2 port 500

     PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

     current outbound spi: 0xCF660D5A(3479571802)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x66992BE3(1721314275)

r1# 

I added static routes on r1 and r2 but apparently I missed something else:

r1:

ip route 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2

r2:

ip route 11.11.11.11 255.255.255.255 GigabitEthernet0/0 10.0.0.1

Any suggestions?

Hubert

m.kafka
Level 4

Do you have a route back from the vrf to the global? This would be a static including the vrf.

Hi,

Yes, I have the static route:

r1#sh run | i route

ip source-route

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.0.2

r1#sh ip ro

r1#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.0.0.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.2, GigabitEthernet0/0

      11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        11.11.11.0/24 is directly connected, Loopback1

L        11.11.11.11/32 is directly connected, Loopback1

r1#sh ip route vr

r1#sh ip route vrf FVRF

Routing Table: FVRF

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        10.0.0.0/24 is directly connected, GigabitEthernet0/0

L        10.0.0.1/32 is directly connected, GigabitEthernet0/0

r1#

The problem is that I can't specify the 'global' VRF in the route statement. When I tested a slightly different scenario, everything worked fine:

a) Loop1 (vrf=IVRF) -- gig0/0 (global vrf) <-> gig0/0 (global vrf) -- Loop1 (vrf=IVRF)

  11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22

I just added:

ip route vrf IVRF 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2 global

b) With 2 VRFs:

Loop1 (vrf=IVRF) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (vrf=IVRF)

11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22

I added:

ip route vrf FVRF 0.0.0.0 0.0.0.0 10.0.0.1

ip route vrf IVRF 0.0.0.0 0.0.0.0 FastEthernet0/0 10.0.0.1

So the problem I have occurs only when the Loopback interfaces are in the global VRF and the physical interfaces are in vrf=FVRF:

Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)

11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22

I wonder if Cisco supports such a scenario.

I found a way to accomplish it: the solution is an IPsec profile.

r1#sh crypto session  detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection   

K - Keepalives, N - NAT-traversal, T - cTCP encapsulation    

X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel1

Profile: ISAKMP-PRF

Uptime: 00:04:16

Session status: UP-ACTIVE    

Peer: 10.0.0.2 port 500 fvrf: FVRF ivrf: (none)

      Phase1_id: 10.0.0.2

      Desc: (none)

  IKE SA: local 10.0.0.1/500 remote 10.0.0.2/500 Active

          Capabilities:(none) connid:1006 lifetime:23:55:43

  IPSEC FLOW: permit 47 host 10.0.0.1 host 10.0.0.2

        Active SAs: 2, origin: crypto map

        Inbound:  #pkts dec'ed 10 drop 0 life (KB/Sec) 4469482/3343

        Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4469482/3343
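A configuration that realizes the approach in the last post, added here as an example and not the poster's actual configuration: GRE over IPsec on Tunnel1 with `tunnel vrf FVRF`, so the tunnel interface and the loopback routes stay in the global table while IKE and ESP run in FVRF. Tunnel1, the profile name ISAKMP-PRF, FVRF, the loopback and peer addresses and the GRE flow (protocol 47) come from the thread; the keyring name, ISAKMP policy, transform set, tunnel addressing and the PSK placeholder are assumptions.

```cisco
! r1 - added example, assumptions marked; r2 mirrors it with the addresses swapped
ip vrf FVRF
!
interface Loopback1
 ip address 11.11.11.11 255.255.255.0
!
interface GigabitEthernet0/0
 ip vrf forwarding FVRF
 ip address 10.0.0.1 255.255.255.0
!
! Keyring bound to the front VRF: the PSK is only usable for peers reached via FVRF
crypto keyring KR-FVRF vrf FVRF
 pre-shared-key address 10.0.0.2 key REPLACE-WITH-STRONG-PSK
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Peer is matched in FVRF, which is why the session shows "fvrf: FVRF ivrf: (none)"
crypto isakmp profile ISAKMP-PRF
 keyring KR-FVRF
 match identity address 10.0.0.2 255.255.255.255 FVRF
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-PRF
 set transform-set TS-AES
 set isakmp-profile ISAKMP-PRF
!
! Tunnel1 has no "ip vrf forwarding", so it lives in the global table;
! "tunnel vrf" tells IOS to source/route the GRE+ESP packets in FVRF
interface Tunnel1
 ip address 192.168.100.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel vrf FVRF
 tunnel protection ipsec profile IPSEC-PRF
!
! Global-table route to the remote loopback now points at the tunnel, not at a VRF interface
ip route 22.22.22.22 255.255.255.255 Tunnel1
```

After applying it, `show crypto session detail` should list an IPSEC FLOW of `permit 47 host 10.0.0.1 host 10.0.0.2` and a ping between the loopbacks should increment both the enc'ed and dec'ed counters.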