[c-nsp] VRF aware IPSec for remote access without xauth
Ryan Goldberg
RGoldberg at compudyne.net
Wed Feb 3 16:01:06 EST 2010
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
> Sent: Tuesday, February 02, 2010 10:20 PM
> To: cisco-nsp
> Subject: [c-nsp] VRF aware IPSec for remote access without xauth
>
> I am trying to configure vrf aware IPSec VPN for remote access, coming
> into one VRF and tunneling into another VRF. Can I do that without
> XAUTH? I can't seem to find any reference to doing it without xauth.
> If it's possible and someone has done this, can you please post a
> sample config?
I believe the following tidbits should get you going. This is from a 2801 running 12.4.24T1. The tunnel lands on vrf ISP2 and pops out into vrf LAN.
ip vrf ISP2
 rd 1:2
ip vrf LAN
 rd 1:3
crypto keyring ISP2 vrf ISP2
 pre-shared-key address a.b.c.d key blahblahblah
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile ProfileForNuttyVendor
 vrf LAN
 keyring ISP2
 match identity address a.b.c.d 255.255.255.255 ISP2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map AwesomeMap 3 ipsec-isakmp
 description tunnel for Nutty Vendor
 set peer a.b.c.d
 set transform-set ESP-3DES-SHA
 set isakmp-profile ProfileForNuttyVendor
 match address 111
 reverse-route
interface FastEthernet0/1
 ip vrf forwarding LAN
 ip address 10.1.19.250 255.255.255.0
interface FastEthernet0/0
 ip vrf forwarding ISP2
 ip address w.x.y.z 255.255.255.248
access-list 111 remark Nutty Vendor tunnel
access-list 111 permit ip host 10.3.19.247 10.0.1.0 0.0.0.255
-
Ryan
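An added example, not part of Ryan's post: a small Python lint that parses an IOS config in this shape and checks the VRF wiring the reply relies on. The keyring's `vrf` (the front-door VRF), the VRF named at the end of `match identity address`, and the VRF of the interface where the crypto map is applied must all agree, while the profile's own `vrf` names the inside VRF. The `crypto map AwesomeMap` line under the ISP2-facing interface is an assumption, since the posted snippet does not show where the map is applied.

```python
# Constructed sample based on the reply above; the 'crypto map' line under the
# ISP2-facing interface is an assumption the posted snippet does not show.
SAMPLE = """\
crypto keyring ISP2 vrf ISP2
crypto isakmp profile ProfileForNuttyVendor
 vrf LAN
 keyring ISP2
 match identity address a.b.c.d 255.255.255.255 ISP2
crypto map AwesomeMap 3 ipsec-isakmp
 set isakmp-profile ProfileForNuttyVendor
interface FastEthernet0/0
 ip vrf forwarding ISP2
 crypto map AwesomeMap
"""

def parse_blocks(text):
    """Group IOS config lines into (header words, [indented body lines])."""
    blocks = []
    for line in text.splitlines():
        if line.startswith(" "):
            blocks[-1][1].append(line.strip())
        elif line.strip():
            blocks.append((line.split(), []))
    return blocks

def arg(body, prefix):
    """Words after the first body line that starts with prefix, or None."""
    return next((ln[len(prefix) + 1:].split() for ln in body if ln.startswith(prefix + " ")), None)

def check_vrf_consistency(text):
    """Return a list of problems; empty means the FVRF/IVRF wiring is consistent."""
    keyrings, profiles, cmaps, cmap_vrf, problems = {}, {}, {}, {}, []
    for head, body in parse_blocks(text):
        if head[:2] == ["crypto", "keyring"]:  # FVRF is the 'vrf' argument, global if absent
            keyrings[head[2]] = head[4] if head[3:4] == ["vrf"] else "global"
        elif head[:3] == ["crypto", "isakmp", "profile"]:
            profiles[head[3]] = body
        elif head[:2] == ["crypto", "map"]:
            cmaps[head[2]] = body
        elif head[0] == "interface" and arg(body, "crypto map"):  # VRF the map is applied in
            cmap_vrf[arg(body, "crypto map")[0]] = (arg(body, "ip vrf forwarding") or ["global"])[0]
    for name, body in profiles.items():
        kr, ident = arg(body, "keyring"), arg(body, "match identity address")
        fvrf = keyrings.get(kr[0], "missing") if kr else "global"
        if ident and len(ident) == 3 and ident[2] != fvrf:  # peer must be matched in the FVRF
            problems.append(f"profile {name}: identity FVRF {ident[2]} != keyring FVRF {fvrf}")
        for cm, cbody in cmaps.items():  # the map must sit on an interface in the FVRF
            if (prof := arg(cbody, "set isakmp-profile")) and prof[0] == name and cmap_vrf.get(cm) != fvrf:
                problems.append(f"crypto map {cm}: applied in VRF {cmap_vrf.get(cm)}, expected {fvrf}")
    return problems
```

Running `check_vrf_consistency` over a `show running-config` dump returns an empty list when the front-door VRF is consistent end to end, and one message per mismatch otherwise.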