[c-nsp] VRF-Aware IPSec for Remote Access

Zahid Hassan zhassan at gmx.net
Mon Nov 5 18:26:42 EST 2007


Hi Fred,


Many thanks for your reply.

I have an interface configured on the PE for the VRF (test-1)
which is configured for the IPSec tunnel.

Will I still need a static VRF-aware route with the global keyword
if I have an interface on the same VRF locally configured?

I can successfully establish an IPSec tunnel from the client, but I am
not able to ping the interface on the PE via the IPSec tunnel.


Regards,


ZH





-----Original Message-----
From: Fred Reimer [mailto:freimer at ctiusa.com]
Sent: 05 November 2007 22:00
To: Zahid Hassan; Cisco NSP
Subject: RE: [c-nsp] VRF-Aware IPSec for Remote Access


Yes, I have.

I'm not sure what you mean by not being able to access the VRF
interface configured on the same PE. I used a crypto map entry
per VPN, and not a dynamic map. For a normal, non-dynamic map
you'd have an ACL that would match the network(s) being encrypted
in the tunnel. I had to include a static route for each VRF
pointing towards the global routing table next-hop to the
Internet, using the global keyword, to get it to route the
traffic so that it hits the crypto map and encapsulates it. This
is from memory, so I may have some items wrong.

HTH,

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
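
The per-VRF static route Fred describes, written out as a constructed IOS
configuration fragment (an added illustration, not from the thread); it reuses
Zahid's VRF name test-1, and the next-hop 203.0.113.1 is an assumed placeholder
for the global-table gateway on the Internet-facing interface.

```cisco
! Added example, not from the original posts. VRF name "test-1" is taken
! from Zahid's config; 203.0.113.1 is a constructed placeholder for the
! global-table next-hop reachable via GigabitEthernet4/0/0.
!
! Default route inside VRF test-1 whose next-hop is looked up in the
! global routing table ("global" keyword). Return traffic from the VRF
! towards the client's pool address is thereby forwarded out the
! interface that carries crypto map IPSEC-AWARE-VRF, where the
! dynamic map matches it and encapsulates it.
ip route vrf test-1 0.0.0.0 0.0.0.0 203.0.113.1 global
!
! Because "crypto isakmp profile test-1" carries "vrf test-1" and the
! dynamic map has "reverse-route", each client's assigned pool address
! (from 192.168.81.0/24) is injected into VRF test-1 as a /32 static
! route when its IPSec SA comes up, so the VRF knows where the client is.
!
! Verification (IOS show commands), checking both directions of the path:
!   show ip route vrf test-1   -> 0.0.0.0/0 via 203.0.113.1 marked as
!                                 global, plus /32 RRI routes per client
!   show crypto isakmp sa      -> client peer in state QM_IDLE
!   show crypto ipsec sa       -> #pkts encaps and #pkts decaps both
!                                 increase while the client pings
!                                 110.110.110.1
```

If decaps increase but encaps stay at zero, the decrypted packet reached the VRF but the reply never found its way back to the crypto map, which is the symptom the static route with the global keyword is meant to address.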




-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Zahid Hassan
Sent: Monday, November 05, 2007 3:45 PM
To: Cisco NSP Puck Nether Net; Cisco NSP
Subject: [c-nsp] VRF-Aware IPSec for Remote Access

Dear All,


Has anyone successfully implemented VRF-Aware IPSec for Remote
Access?

I am trying to implement this feature on a PE which has MPLS
enabled on the Internet-facing interface.

With the config below, I am able to connect but not able to
access the VRF interface configured on the same PE.

I would be really grateful for any comment or any pointers as to
what could possibly be wrong with the configuration below:

!
aaa new-model
!
aaa authentication login USER-AUTHENTICATION local
aaa authorization network GROUP-AUTHORISATION local
!
crypto keyring test-1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test-1
 key test-1
 domain test.com
 pool cpe-1
 acl 101
!
crypto isakmp profile test-1
 vrf test-1
 keyring test-1
 match identity group test-1
 client authentication list USER-AUTHENTICATION
 isakmp authorization list GROUP-AUTHORISATION
 client configuration address initiate
 client configuration address respond
 client configuration group test-1
!
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
!
ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
!
crypto dynamic-map test-1 1
 set transform-set test-1
 set isakmp-profile test-1
 reverse-route
!

Internet-facing interface
----------------------------
interface GigabitEthernet4/0/0
 ip address x.x.x.x 255.255.255.240
 ip router isis
 mpls ip
 crypto map IPSEC-AWARE-VRF


Customer-facing interface
---------------------------
interface GigabitEthernet1/0/0.1
 encapsulation dot1Q 100
 ip vrf forwarding test-1
 ip address 110.110.110.1 255.255.255.0


Kind regards,

ZH

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


