Hello All-
Sorry if this should have gone in the general list. This list seemed like the more technical forum of the two.
I would like to terminate IPSec IPIP tunnels on Cisco ASR equipment. This works when there are no VRFs involved... However, in my case, I need to implement the solution using an iVRF/fVRF setup. ISAKMP is not starting in every case I've tried, telling me packets are not showing up where they should. Has anyone tried a setup like this?
I thought the most likely scenario to work follows:
crypto keyring ipip-outside vrf fvrf
 pre-shared-key address 192.168.100.6 key ***
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set ipip-vpn esp-3des esp-md5-hmac
 mode transport
!
crypto isakmp profile test
 vrf ivrf
 keyring ipip-outside
 match identity address 192.168.100.6 255.255.255.255 fvrf
!
crypto map sl-ipip-crypto 10 ipsec-isakmp
 description mikrotik-peer
 set peer 192.168.100.6
 set transform-set ipip-vpn
 set pfs group2
 set isakmp-profile test
 match address mikrotik_peer
!
interface Tunnel16810032
 vrf forwarding ivrf
 ip address 192.168.100.34 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.168.100.14
 tunnel mode ipip
 tunnel destination 192.168.100.6
 tunnel path-mtu-discovery
 tunnel vrf fvrf
!
interface GigabitEthernet0/0
 vrf forwarding fvrf
 ip address 192.168.100.14 255.255.255.252
 crypto map sl-ipip-crypto
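
An added example, not part of the original post: a small Python check that cross-references the front-door and inside VRF names across the keyring, ISAKMP profile and interfaces of a configuration like the one above, and lists the legacy algorithms it selects (3DES, MD5, DH group 2). The names `blocks`, `audit` and `LEGACY`, and the abridged, re-indented sample, are assumptions made for the example; treating every non-tunnel interface as front-door is a simplification.

```python
import re

# Constructed sample: abridged from the post's configuration, re-indented.
CONFIG = """\
crypto keyring ipip-outside vrf fvrf
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set ipip-vpn esp-3des esp-md5-hmac
crypto isakmp profile test
 vrf ivrf
 match identity address 192.168.100.6 255.255.255.255 fvrf
interface Tunnel16810032
 vrf forwarding ivrf
 tunnel vrf fvrf
interface GigabitEthernet0/0
 vrf forwarding fvrf
 crypto map sl-ipip-crypto
"""
LEGACY = re.compile(r"\b(3des|md5|group ?2)\b")  # legacy cipher, hash, DH group

def blocks(text):
    """Group indented sub-commands under their top-level IOS line."""
    out = []
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def audit(text):
    """Collect every VRF name used in a front-door or inside role."""
    fvrf, ivrf, legacy = set(), set(), set()
    for head, subs in blocks(text):
        legacy.update(LEGACY.findall(" ".join([head] + subs)))
        if m := re.match(r"crypto keyring \S+ vrf (\S+)", head):
            fvrf.add(m.group(1))
        inside = head.startswith("crypto") or any(s.startswith("tunnel ") for s in subs)
        for s in subs:
            if m := re.match(r"(?:tunnel vrf|match identity address \S+ \S+) (\S+)", s):
                fvrf.add(m.group(1))
            elif m := re.match(r"vrf (?:forwarding )?(\S+)", s):
                # Profile / tunnel interface: inside VRF; other interfaces: front-door.
                (ivrf if inside else fvrf).add(m.group(1))
    return {"fvrf": sorted(fvrf), "ivrf": sorted(ivrf), "legacy": sorted(legacy),
            "consistent": len(fvrf) == 1 and len(ivrf) == 1}
```

`audit(CONFIG)` reports one front-door and one inside VRF name for the sample, so the VRF references agree with each other; it says nothing about routing or reachability inside those VRFs.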