[c-nsp] VRF aware IPSec for remote access without xauth

Ryan Goldberg RGoldberg at compudyne.net
Wed Feb 3 16:01:06 EST 2010

> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Jay Nakamura
> Sent: Tuesday, February 02, 2010 10:20 PM
> To: cisco-nsp
> Subject: [c-nsp] VRF aware IPSec for remote access without xauth
> I am trying to configure vrf aware IPSec VPN for remote access, coming
> into one VRF and tunneling into another VRF.  Can I do that without
> XAUTH?  I can't seem to find any reference to doing it without xauth.
> If it's possible and someone has done this, can you please post a
> sample config?

I believe the following tidbits should get you going.  This is from a 2801 running 12.4.24T1.  Tunnel lands on vrf ISP2 and pops out into vrf LAN.

ip vrf ISP2
 rd 1:2

ip vrf LAN
 rd 1:3

crypto keyring ISP2 vrf ISP2
  pre-shared-key address a.b.c.d key blahblahblah

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2

crypto isakmp profile ProfileForNuttyVendor
   vrf LAN
   keyring ISP2
   match identity address a.b.c.d ISP2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map AwesomeMap 3 ipsec-isakmp
 description tunnel for Nutty Vendor
 set peer a.b.c.d
 set transform-set ESP-3DES-SHA
 set isakmp-profile ProfileForNuttyVendor
 match address 111

interface FastEthernet0/1
 ip vrf forwarding LAN
 ip address

interface FastEthernet0/0
 ip vrf forwarding ISP2
 ip address w.x.y.z

access-list 111 remark Nutty Vendor tunnel
access-list 111 permit ip host
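
The following Python check is an added example, not part of the original post. It parses a config of the shape shown above and verifies that the keyring and the `match identity address` line name the same front-door VRF, that the profile's `vrf` (the inside VRF) and keyring are defined, and that the crypto map references a defined ISAKMP profile. The sample config, the 192.0.2.10 peer address and the function names are constructed for illustration; sections are assumed to appear in running-config order (keyring, profile, crypto map).

```python
import re

# Constructed sample modelled on the post's config; the peer address is a placeholder.
SAMPLE = """\
ip vrf ISP2
ip vrf LAN
crypto keyring ISP2 vrf ISP2
 pre-shared-key address 192.0.2.10 key EXAMPLE
crypto isakmp profile ProfileForNuttyVendor
 vrf LAN
 keyring ISP2
 match identity address 192.0.2.10 ISP2
crypto map AwesomeMap 3 ipsec-isakmp
 set isakmp-profile ProfileForNuttyVendor
"""

def sections(text):  # -> [(top-level command, [sub-commands as word lists])]
    out = []
    for line in filter(str.strip, text.splitlines()):
        if line[0] != " ":
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.split())
    return out

def check_vrf_ipsec(text):
    """Return findings ([] = consistent); assumes running-config section order."""
    secs, findings, keyrings, profiles = sections(text), [], {}, set()
    vrfs = {h.split()[2] for h, _ in secs if h.startswith("ip vrf ")}
    for head, body in secs:
        if m := re.fullmatch(r"crypto keyring (\S+)(?: vrf (\S+))?", head):
            keyrings[m[1]] = m[2]  # front-door VRF; None means the global table
            if m[2] and m[2] not in vrfs:
                findings.append(f"keyring {m[1]}: vrf {m[2]} is not defined")
        elif m := re.fullmatch(r"crypto isakmp profile (\S+)", head):
            profiles.add(m[1])
            # A trailing non-address word on "match identity address" is the front-door VRF.
            fvrfs = [None if re.fullmatch(r"[\d.]+", w[-1]) else w[-1]
                     for w in body if w[:3] == ["match", "identity", "address"]]
            for w in (w for w in body if len(w) == 2):
                if w[0] == "vrf" and w[1] not in vrfs:  # inside VRF
                    findings.append(f"profile {m[1]}: vrf {w[1]} is not defined")
                elif w[0] == "keyring" and w[1] not in keyrings:
                    findings.append(f"profile {m[1]}: keyring {w[1]} is not defined")
                elif w[0] == "keyring" and any(f != keyrings[w[1]] for f in fvrfs):
                    findings.append(f"profile {m[1]}: match identity vrf differs from keyring {w[1]} vrf")
        elif head.startswith("crypto map "):
            findings += [f"{head}: isakmp-profile {w[-1]} is not defined" for w in body
                         if w[:2] == ["set", "isakmp-profile"] and w[-1] not in profiles]
    return findings
```
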


