aeaton1843
just joined
Topic Author
Posts: 5
Joined: Wed Feb 15, 2012 12:56 am

Cisco fVRF/iVRF Crypto IPIP Tunnel Setup

Mon Feb 20, 2012 11:29 pm

Hello All-

Sorry if this should have gone in the general list. This list seemed like the more technical forum of the two.

I would like to terminate IPSec IPIP tunnels on Cisco ASR equipment. This works when there are no VRFs involved... However, in my case, I need to implement the solution using an iVRF/fVRF setup. ISAKMP is not starting in every case I've tried, telling me packets are not showing up where they should. Has anyone tried a setup like this?
I thought the most likely scenario to work follows:

crypto keyring ipip-outside vrf fvrf
 pre-shared-key address 192.168.100.6 key ***
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set ipip-vpn esp-3des esp-md5-hmac
 mode transport
!
crypto isakmp profile test
 vrf ivrf
 keyring ipip-outside
 match identity address 192.168.100.6 255.255.255.255 fvrf
!
crypto map sl-ipip-crypto 10 ipsec-isakmp
 description mikrotik-peer
 set peer 192.168.100.6
 set transform-set ipip-vpn
 set pfs group2
 set isakmp-profile test
 match address mikrotik_peer

interface Tunnel16810032
 vrf forwarding ivrf
 ip address 192.168.100.34 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.168.100.14
 tunnel mode ipip
 tunnel destination 192.168.100.6
 tunnel path-mtu-discovery
 tunnel vrf fvrf
!
interface GigabitEthernet0/0
 vrf forwarding fvrf
 ip address 192.168.100.14 255.255.255.252
 crypto map sl-ipip-crypto
 
aeaton1843

Re: Cisco fVRF/iVRF Crypto IPIP Tunnel Setup

Tue Feb 21, 2012 1:57 am

Well... I was reading the wrong Cisco documentation. In the end, it appears that there may be some issues with the fVRF/iVRF setup in an IPIP tunnel. Here is a somewhat working crypto config with tunnel and outside interface... If one were to change "vrf forwarding ivrf" to "vrf forwarding fvrf", it will work, albeit the routing for me will get quite messy. Is there a reason GRE can't be used here?

interface GigabitEthernet0/0
 vrf forwarding fvrf
 ip address 192.168.100.14 255.255.255.252
 duplex auto
 speed auto
 crypto map cmap

interface Tunnel16810032
 vrf forwarding ivrf
 ip address 192.168.100.34 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.168.100.14
 tunnel mode ipip
 tunnel destination 192.168.100.6
 tunnel path-mtu-discovery
 tunnel vrf fvrf


crypto keyring kr vrf fvrf
 pre-shared-key address 192.168.100.6 key *****
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile isaprof
 keyring kr
 match identity address 192.168.100.6 255.255.255.255 fvrf
!
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac
 mode transport
!
!
crypto map cmap 10 ipsec-isakmp
 description IPSec Peer PSAP1
 set peer 192.168.100.6
 set transform-set tset
 set pfs group2
 set isakmp-profile isaprof
 match address mikrotik_peer
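
Added example, not part of either post: a small Python script that extracts every VRF reference from the two configurations above and reports where they differ. The names `vrf_bindings` and `binding_diff` are made up for this example, and the parser only knows the command forms that appear in this thread.

```python
import re

# Sub-commands may be unindented, so a block starts at its header line and ends at "!".
HEADER = re.compile(r"^(!|crypto keyring|crypto isakmp (?:profile|policy)|"
                    r"crypto ipsec transform-set|crypto map(?= \S+ \d)|interface)(?= |$)")
# (block kind, label, pattern); group 1 of each pattern is the VRF name.
VRF_REFS = [
    ("crypto keyring", "keyring vrf", r"^crypto keyring \S+ vrf (\S+)$"),
    ("crypto isakmp profile", "vrf", r"^vrf (\S+)$"),
    ("crypto isakmp profile", "match identity", r"^match identity address \S+ \S+ (\S+)$"),
    ("interface", "vrf forwarding", r"^vrf forwarding (\S+)$"),
    ("interface", "tunnel vrf", r"^tunnel vrf (\S+)$"),
]

def vrf_bindings(config):
    """Map (block, label) -> VRF name for every VRF reference in the config."""
    out, kind, block = {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = HEADER.match(line)
        if m:
            kind = m.group(1)
            # Interfaces keep their name; crypto objects are keyed by kind only.
            block = line if kind == "interface" else kind
        for want, label, pattern in VRF_REFS:
            hit = re.match(pattern, line) if kind == want else None
            if hit:
                out[(block, label)] = hit.group(1)
    return out

def binding_diff(a, b):
    """Return {key: (VRF in a, VRF in b)} for every binding that differs."""
    x, y = vrf_bindings(a), vrf_bindings(b)
    return {k: (x.get(k), y.get(k)) for k in x.keys() | y.keys() if x.get(k) != y.get(k)}

# Constructed input: VRF-related lines trimmed from the two posts above.
IFACES = "interface Tunnel16810032\nvrf forwarding ivrf\ntunnel vrf fvrf\n"
POST_1 = """crypto keyring ipip-outside vrf fvrf
crypto isakmp profile test
vrf ivrf
match identity address 192.168.100.6 255.255.255.255 fvrf
!
""" + IFACES
POST_2 = """crypto keyring kr vrf fvrf
crypto isakmp profile isaprof
match identity address 192.168.100.6 255.255.255.255 fvrf
!
""" + IFACES

if __name__ == "__main__":
    print(binding_diff(POST_1, POST_2))
```

On these inputs the only VRF binding that differs is the `vrf ivrf` line inside the ISAKMP profile, which the first configuration has and the second does not.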
