Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VTI IPsec VRF aware peer-to-peer config

Hello,


Hi would like to set up peer-to-perr VPN connection between 2 VRF (Global and X) with VTI and VRF aware feature.
At the momento I'm using 2 IP on public interface (primary and secondary) that are used as VPN peer for VRF global
IPsec and X vrf IPsec termination, this Because I'm not able to configure the two VRF isakmp/IPsec profile on a single public IP.
Does someone has an ideo how to differnciate the 2 IPsec tunnel without to configure secondary IPs ?

here the config of RTR1 that works with 2 public IP (RTR2 is configured in a simmetric way)...


!
crypto keyring Globalkeyring
  pre-shared-key address 1.1.1.3 key cisco
!
crypto keyring Xkeyring
  pre-shared-key address 1.1.1.4 key cisco1
!
crypto isakmp profile Global-isakmp
   keyring Globalkeyring
   match identity address 1.1.1.3 255.255.255.255
   keepalive 10 retry 5

crypto isakmp profile X-isakmp
   keyring Xkeyring
   match identity address 1.1.1.4 255.255.255.255
   keepalive 10 retry 5
!
crypto ipsec transform-set TI-Netset1 esp-3des esp-sha-hmac
!
crypto ipsec profile Global-profile
set transform-set TI-Netset1
set isakmp-profile X-isakmp
!
crypto ipsec profile X-profile
set transform-set TI-Netset1
set isakmp-profile X-isakmp
!
!
interface Tunnel506
ip address 10.47.3.101 255.255.255.252
keepalive 1 5
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 1.1.1.3
tunnel protection ipsec profile Global-profile
!
interface Tunnel1506
ip vrf forwarding X
ip address 10.47.229.101 255.255.255.252
keepalive 1 5
tunnel source 1.1.1.2
tunnel mode ipsec ipv4
tunnel destination 1.1.1.4
tunnel protection ipsec profile X-profile
!
!
interface GigabitEthernet0/1
description External
ip address 1.1.1.1 255.255.255.0 secondary
ip address 1.1.1.2 255.255.255.0
duplex auto
speed auto
!
!

3 REPLIES
New Member

VTI IPsec VRF aware peer-to-peer config

Did you get this to work?

VTI IPsec VRF aware peer-to-peer config

You could use front end vrf with VPN

See the bellow link even if you are using vti not dmvpn still same concept of the tunnel and vrf

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

Hope this help

If helpful rate

New Member

VTI IPsec VRF aware peer-to-peer config

Maybe you could help me out .  I will explain the situation and what I want to setup:

The configuration needs to be similiar to this Configuration Template but will need a second tunnel included for backup.  (**Note:  For each tunnel I am required to use a different tunnel source.  Each source being a WAN ip address.**)

crypto isakmp policy 1

encryption [ENCRYPTION TYPE]

hash [HASH TYPE]

authentication pre-share

group 2

crypto isakmp key [SECRET] address [REMOTE IP]

!

crypto ipsec transform-set [NAME] [TRANSFORM 1]

mode transport

!

crypto map [MAP NAME] 10 ipsec-isakmp

set peer peer [REMOTE IP ADDRESS]

set transform-set [TRANSFORM-SET NAME]

match address [ACCESS-LIST NUMBER OR NAME]

!

access-list [ACL NUMBER OR NAME] permit gre host

[LOCAL IP] host [REMOTE IP]

!

interface [INTERFACE NAME/NUMBER]

ip address [LOCAL IP]

crypto map [MAP NAME]

!

interface Tunnel0

ip address [LOCAL TUNNEL IP] 255.255.255.252

tunnel source [LOCAL INTERFACE IP]

tunnel destination [REMOTE IP]

!

router bgp [LOCAL AS NUMBER]

neighbor [VZW TUNNEL IP] remote-as 22394

network [INTERNAL NETWORK] mask [MASK]

The are the Requirements given to me from the vendor we are working with:

The IPSec tunnel endpoint and GRE tunnel endpoints must both reside on the same physical customer device.

BGP peering relationship between each Private Network connecting via VPN.

GRE is required because:

Allows for passing non-IP traffic (including Multicast, etc)

Creates a logical WAN Interface (with a /30 customer provided network).

Allows the Enterprise to extend their internal private network to the Wireless Private Network router.

Allows for simple EBGP peering at the GRE tunnel endpoints.

The Enterprise can make changes to their IP addressing without needing to notify Wireless Vendor.

Thanks.  Any help would be greatly appreciated.  Thanks.

1566
Views
0
Helpful
3
Replies
CreatePlease to create content