[c-nsp] VRF aware IPSec for remote access without xauth

Bryan Fields Bryan at bryanfields.net
Tue Feb 9 17:18:31 EST 2010


On 2/9/2010 14:41, Jay Nakamura wrote:
> I have not explained my situation very well so let me restart.
> 
> VPN is client VPN, not LAN to LAN.  The old style IPsec Cisco VPN
> client, not Anyconnect client.
> 
> Internet access on the router is on one VRF.  Network we want to
> access via VPN is on another VRF.  See below config.
> 
> I have gotten it to work so far where it will connect, do Xauth, and
> establish connection.  You can see the VPN client IP in the routing
> table of the Customer VRF.  Traffic gets sent to the VPN from the
> client but nothing from the Customer VRF comes back out to the VPN.

Have you thought about doing this using a Virtual-Template so each client
lives on a "real" interface?  This prevents the retarded way packets get
handled when they go out a crypto map on an interface.  All you have to do is
put the template interface in the VRF and it should work.

Now I've never done something this crazy before, but I'm interested to see how
it works.


-- 
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net
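As an added illustration of the Virtual-Template approach Bryan suggests (this is not config from either poster, and it is not the config Jay quoted), the fragment below sketches the shape such a setup takes in IOS. Everything specific is assumed: the VRF names INTERNET (where the physical uplink and the ISAKMP peer address live) and CUSTOMER (the network the clients should reach), the client group name, the address pool, the loopback used for ip unnumbered, and the placeholder pre-shared key. The point it shows is the one in the reply: the per-client virtual-access interface is cloned from a template that carries `ip vrf forwarding CUSTOMER`, so the client route is installed in, and return traffic is forwarded from, the customer VRF, while `tunnel vrf INTERNET` keeps the outer IPsec packets in the uplink VRF. Xauth is kept here because the quoted setup already performs it.

```cisco
! Added example, not from the original thread. All names and addresses are assumed.
aaa new-model
aaa authentication login VPNAUTH local
aaa authorization network VPNAUTHZ local
!
ip vrf INTERNET
 rd 65000:1
ip vrf CUSTOMER
 rd 65000:2
!
! Loopback in the customer VRF; the template borrows its address.
interface Loopback1
 ip vrf forwarding CUSTOMER
 ip address 10.10.10.254 255.255.255.255
!
! Pool handed to clients; must not overlap the loopback above.
ip local pool VPNPOOL 10.10.10.1 10.10.10.200
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNCLIENTS
 key REPLACE-WITH-GROUP-KEY
 pool VPNPOOL
!
! Binds the client group to the template so each session gets its own
! virtual-access interface instead of riding a crypto map.
crypto isakmp profile VPNPROF
 match identity group VPNCLIENTS
 client authentication list VPNAUTH
 isakmp authorization list VPNAUTHZ
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set VPNTS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VPNIPSEC
 set transform-set VPNTS
 set isakmp-profile VPNPROF
!
! Inside VRF = CUSTOMER (ip vrf forwarding); outside/front-door VRF =
! INTERNET (tunnel vrf), where the public address and ISAKMP terminate.
interface Virtual-Template1 type tunnel
 ip vrf forwarding CUSTOMER
 ip unnumbered Loopback1
 tunnel vrf INTERNET
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPNIPSEC
!
! Physical uplink stays in the INTERNET VRF; no crypto map needed on it.
interface GigabitEthernet0/0
 ip vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.0
```

When checking the result, `show ip route vrf CUSTOMER` should list each connected client's pool address as a /32 via its Virtual-Access interface, and `show crypto session` should show the session bound to that interface rather than to the uplink; if the /32 shows up but return traffic still does not, the first thing to verify is that nothing in the CUSTOMER VRF has a more specific or default route pointing elsewhere for the pool range.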
