[c-nsp] VRF-Aware IPSec for Remote Access

Zahid Hassan zhassan at gmx.net
Mon Nov 5 15:44:47 EST 2007


Dear All,


Has anyone successfully implemented VRF-Aware IPSec for Remote Access?

I am trying to implement this feature on a PE which has MPLS enabled
on the Internet facing interface.

With the config below, I am able to connect but not able to
access the VRF interface configured on the same PE.

I will be really grateful for any comments or pointers on what could
possibly be wrong with the configuration below:

!
aaa new-model
!
aaa authentication login USER-AUTHENTICATION local
aaa authorization network GROUP-AUTHORISATION local
!
crypto keyring test-1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test-1
 key test-1
 domain test.com
 pool cpe-1
 acl 101
!
crypto isakmp profile test-1
 vrf test-1
 keyring test-1
 match identity group test-1
 client authentication list USER-AUTHENTICATION
 isakmp authorization list GROUP-AUTHORISATION
 client configuration address initiate
 client configuration address respond
 client configuration group test-1
!
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
!
ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
!
crypto dynamic-map test-1 1
 set transform-set test-1
 set isakmp-profile test-1
 reverse-route
!

Internet facing interface
----------------------------
interface GigabitEthernet4/0/0
 ip address x.x.x.x 255.255.255.240
 ip router isis
 mpls ip
 crypto map IPSEC-AWARE-VRF


Customer facing interface
---------------------------
interface GigabitEthernet1/0/0.1
 encapsulation dot1Q 100
 ip vrf forwarding test-1
 ip address 110.110.110.1 255.255.255.0


Kind regards,

ZH
