VRF aware IPSEC with vrf-lite

Discussion in 'Cisco' started by boozer_2, Aug 20, 2007.

  1. boozer_2

    A lot of firsts for me on this :) But I am trying to link multiple VRFs via IPSEC utilizing one public interface on each side of the tunnel. I do not have MPLS or BGP... Is this what they mean by VRF-lite?

    Everything works individually, but when I add multiple profiles, it matches the last profile in the show run... regardless of which vrf/interface it is mapped to. Sometimes this is correct... the majority of the time it is not.

    I can add one profile, send traffic to bring up the SA, then add the next profile, send traffic through that vrf to bring up that SA... and so on until all VRFs have an active SA and everything works in this case... but if I clear all the SAs and try traffic through any vrf, it does not work unless it is the VRF matching the last profile.

    It appears to me that it matches the "match identity" config regardless of what vrf/crypto map/interface the profile is assigned. Can someone see what I might have done wrong?


    ip vrf fvrf
     rd 2:2
    !
    ip vrf fvrfcust
     rd 10:10
    !
    ip vrf fvrfcust2
     rd 68:2
    !
    ip vrf fvrfcust3
     rd 69:3
    !
    ip vrf fvrfcust4
     rd 70:4
    !
    crypto keyring PE1to2key
     pre-shared-key address 1.1.1.4 key pe1to2key
    crypto keyring fvrf vrf fvrf
     description Keyring for FVRF test
     pre-shared-key address 6.6.6.4 key fvrfkey
    !
    crypto isakmp policy 5
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp profile fvrfprof
     description ISAKMP Profile for FVRF test
     vrf fvrfcust
     keyring fvrf
     match identity address 6.6.6.4 255.255.255.255 fvrf
    crypto isakmp profile fvrfcust2
     description ISAKMP Profile for FVRF cust2
     vrf fvrfcust2
     keyring fvrf
     match identity address 6.6.6.4 255.255.255.255 fvrf
    crypto isakmp profile fvrfcust3
     description ISAKMP Profile for FVRF cust3
     vrf fvrfcust3
     keyring fvrf
     match identity address 6.6.6.4 255.255.255.255 fvrf
    crypto isakmp profile fvrfcust4
     description ISAKMP Profile for FVRF cust4
     vrf fvrfcust4
     keyring fvrf
     match identity address 6.6.6.4 255.255.255.255 fvrf
    !
    !
    crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
    !
    crypto map PE2 10 ipsec-isakmp
     set peer 1.1.1.4
     set transform-set 3desmd5
     set isakmp-profile PE1
     match address 100
    !
    crypto map fvrfcust2 local-address FastEthernet0/1.10
    crypto map fvrfcust2 10 ipsec-isakmp
     set peer 6.6.6.4
     set transform-set 3desmd5
     set isakmp-profile fvrfcust2
     match address fvrfcust2
    !
    crypto map fvrfcust3 local-address FastEthernet0/1.10
    crypto map fvrfcust3 10 ipsec-isakmp
     set peer 6.6.6.4
     set transform-set 3desmd5
     set isakmp-profile fvrfcust3
     match address fvrfcust3
    !
    crypto map fvrfcust4 local-address FastEthernet0/1.10
    crypto map fvrfcust4 10 ipsec-isakmp
     set peer 6.6.6.4
     set transform-set 3desmd5
     set isakmp-profile fvrfcust4
     match address fvrfcust4
    !
    crypto map fvrfcustCM local-address FastEthernet0/1.10
    crypto map fvrfcustCM 10 ipsec-isakmp
     set peer 6.6.6.4
     set transform-set 3desmd5
     set isakmp-profile fvrfprof
     match address FVRFCustACL
    !

    Thanks!
     
    boozer_2, Aug 20, 2007
    #1
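
A small audit for the overlap described in the post above, as an added example that is not part of the original post: it groups ISAKMP profiles by their "match identity" line and lists crypto maps that reference a profile not declared in the text it is given. The function name audit and the trimmed sample config are constructed for illustration; the parsing assumes only the stanza layout shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed stanzas from the post above, indentation restored.
SAMPLE = """\
crypto isakmp profile fvrfprof
 vrf fvrfcust
 match identity address 6.6.6.4 255.255.255.255 fvrf
crypto isakmp profile fvrfcust2
 vrf fvrfcust2
 match identity address 6.6.6.4 255.255.255.255 fvrf
!
crypto map PE2 10 ipsec-isakmp
 set peer 1.1.1.4
 set isakmp-profile PE1
crypto map fvrfcust2 10 ipsec-isakmp
 set peer 6.6.6.4
 set isakmp-profile fvrfcust2
"""

def audit(config):
    # Returns (ambiguous, undefined): profiles sharing one match-identity
    # criterion, and (crypto map, profile) references with no declaration.
    profiles, by_match, refs = set(), defaultdict(list), []
    section = None  # ("profile" | "map", name) of the stanza being read
    for raw in config.splitlines():
        line = raw.strip()  # also accepts configs pasted without indentation
        if m := re.match(r"crypto isakmp profile (\S+)$", line):
            section = ("profile", m.group(1))
            profiles.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            section = ("map", m.group(1))
        elif line.startswith("crypto ") or line == "!":
            section = None  # any other top-level line ends the stanza
        elif section and section[0] == "profile" and line.startswith("match identity "):
            by_match[line[len("match identity "):]].append(section[1])
        elif section and section[0] == "map" and line.startswith("set isakmp-profile "):
            refs.append((section[1], line.split()[-1]))
    ambiguous = {k: v for k, v in by_match.items() if len(v) > 1}
    undefined = [(cm, p) for cm, p in refs if p not in profiles]
    return ambiguous, undefined

if __name__ == "__main__":
    ambiguous, undefined = audit(SAMPLE)
    for crit, names in ambiguous.items():
        print(f"same match identity '{crit}': {', '.join(names)}")
    for cmap, prof in undefined:
        print(f"crypto map {cmap} references undeclared profile {prof}")
```

Run against the full posted config, the same check groups all four profiles under one criterion, since each carries the identical match identity line.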