[c-nsp] VRF-Aware IPSec for Remote Access

Fred Reimer freimer at ctiusa.com
Mon Nov 5 16:59:50 EST 2007


Yes, I have.

I'm not sure what you mean by not being able to access the VRF
interface configured on the same PE.  I used a crypto map entry
per VPN, and not a dynamic map.  For a normal, non-dynamic map
you'd have an ACL that would match the network(s) being encrypted
in the tunnel.  I had to include a static route for each VRF
pointing towards the global routing table next-hop to the
Internet, using the global keyword, to get it to route the
traffic so that it hits the crypto map and encapsulates it.  This
is from memory, so I may have some items wrong.

HTH,

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
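The approach Fred describes (a static crypto map entry per VPN, an ACL selecting the traffic to encrypt, and a per-VRF static route carrying the global keyword so VRF traffic reaches the crypto map on the global Internet-facing interface), written out as an added configuration example; it is not from either poster's router. It reuses the names from the quoted config (VRF test-1, ISAKMP profile test-1, transform-set test-1, pool 192.168.81.0/24, LAN 110.110.110.0/24); the peer and next-hop addresses are assumed placeholders.

```cisco
! Added example, not taken from either poster's configuration.
! Peer 203.0.113.10 and next hop 198.51.100.1 are placeholders.
!
! Traffic to protect: the VRF-side LAN towards the remote VPN network.
ip access-list extended CRYPTO-TEST-1
 permit ip 110.110.110.0 0.0.0.255 192.168.81.0 0.0.0.255
!
! Static (non-dynamic) crypto map entry, one per VPN. The ISAKMP
! profile carries "vrf test-1", so decrypted traffic is placed in
! the VRF rather than the global table.
crypto map IPSEC-AWARE-VRF 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set test-1
 set isakmp-profile test-1
 match address CRYPTO-TEST-1
!
! Per-VRF static route for the remote VPN prefix. The "global"
! keyword resolves the next hop in the global routing table, so the
! packet leaves via the Internet-facing interface where the crypto
! map is applied and gets matched by the ACL and encapsulated.
! Without it, VRF test-1 has no path to the Internet next hop and
! the traffic never reaches the crypto map.
ip route vrf test-1 192.168.81.0 255.255.255.0 198.51.100.1 global
!
! Verification (the route must appear in the VRF with the global
! next hop, and the map entry must show the ACL and peer):
!  show ip route vrf test-1 192.168.81.0
!  show crypto map
```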




-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Zahid Hassan
Sent: Monday, November 05, 2007 3:45 PM
To: Cisco NSP Puck Nether Net; Cisco NSP
Subject: [c-nsp] VRF-Aware IPSec for Remote Access

Dear All,


Has anyone successfully implemented VRF-Aware IPSec for Remote Access?

I am trying to implement this feature on a PE which has MPLS enabled
on the Internet facing interface.

With the config below, I am able to connect but not able to access
the VRF interface configured on the same PE.

I will be really grateful for any comment or any pointers for what
could possibly be wrong with the configuration below:

!
aaa new-model
!
aaa authentication login USER-AUTHENTICATION local
aaa authorization network GROUP-AUTHORISATION local
!
crypto keyring test-1
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group test-1
key test-1
domain test.com
pool cpe-1
acl 101
!
crypto isakmp profile test-1
vrf test-1
keyring test-1
match identity group test-1
client authentication list USER-AUTHENTICATION
isakmp authorization list GROUP-AUTHORISATION
client configuration address initiate
client configuration address respond
client configuration group test-1
!
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
!
ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
!
crypto dynamic-map test-1 1
set transform-set test-1
set isakmp-profile test-1
reverse-route
!

Internet facing interface
----------------------------
interface GigabitEthernet4/0/0
ip address x.x.x.x 255.255.255.240
ip router isis
mpls ip
crypto map IPSEC-AWARE-VRF


Customer facing interface
---------------------------
interface GigabitEthernet1/0/0.1
encapsulation dot1Q 100
ip vrf forwarding test-1
ip address 110.110.110.1 255.255.255.0


Kind regards,

ZH
