[c-nsp] VRF aware IPSEC
Brent
brentrob at wirezsound.com
Mon Nov 7 15:13:33 EST 2011
I have an edge router that I am trying to get up and running as a VRF-based
IPsec concentrator. It's currently running Version 12.2(18)SXF17b Adv Ent.
Ideally I would like to use global loopback IPs to terminate the peering and
layer 3 Port-channel .1q subinterfaces.
Specifically, I have a 6509-E with RSP720-3BXLs and 2 WS-IPSEC-2G cards in
the chassis.
crypto engine mode vrf is already enabled on the chassis.
Wondering if I am missing anything else.
ip vrf TEST1
!
crypto keyring TEST1 vrf TEST1
 pre-shared-key address x.x.x.32 key 12345678
!
crypto isakmp policy 2000
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp profile TEST1
 vrf TEST1
 keyring TEST1
 match identity address x.x.x.188 TEST1
!
crypto ipsec transform-set TEST1 esp-3des esp-sha-hmac
!
crypto map TEST1 isakmp-profile TEST1
crypto map TEST1 2000 ipsec-isakmp
 set peer x.x.x.188
 set transform-set TEST1
 set isakmp-profile TEST1
 match address 2000
!
interface Port-channel1.2000
 encapsulation dot1Q 2000
 ip vrf forwarding TEST1
 ip address 10.98.0.254 255.255.255.0
!
interface Loopback2000
 ip address x.x.x.32 255.255.255.255
!
access-list 2000 permit ip 10.98.0.0 0.0.0.255 192.168.83.0 0.0.0.255 log
access-list 2000 permit ip 10.98.0.0 0.0.0.255 192.168.82.0 0.0.0.255 log
access-list 2000 remark "ACCESS LIST USED FOR TEST1 CRYPTOMAP/IPSEC TUNNEL"
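As an added consistency check, not part of the original post or of any Cisco tool: a small Python audit that cross-references the keyring, ISAKMP profile and crypto map in the configuration above. The keyring's pre-shared-key is keyed by the remote peer's address, so on the posted config (embedded below with addresses masked as in the post) it reports that the key is bound to x.x.x.32, the local Loopback2000 address, rather than to the peer x.x.x.188; it also reports that crypto map TEST1 is never applied to an interface and that 3DES is in use.

```python
import re

# Constructed sample: the crypto-relevant part of the configuration posted
# above (addresses masked as in the post; command typos corrected).
CONFIG = """\
crypto keyring TEST1 vrf TEST1
 pre-shared-key address x.x.x.32 key 12345678
crypto isakmp policy 2000
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile TEST1
 vrf TEST1
 keyring TEST1
 match identity address x.x.x.188 TEST1
crypto ipsec transform-set TEST1 esp-3des esp-sha-hmac
crypto map TEST1 isakmp-profile TEST1
crypto map TEST1 2000 ipsec-isakmp
 set peer x.x.x.188
 set transform-set TEST1
 set isakmp-profile TEST1
 match address 2000
interface Loopback2000
 ip address x.x.x.32 255.255.255.255
"""

def audit(config):
    """Cross-check keyring, ISAKMP profile and crypto map; return a list of findings."""
    findings = []
    keyring = set(re.findall(r"^\s*pre-shared-key address (\S+)", config, re.M))
    peers = set(re.findall(r"^\s*set peer (\S+)", config, re.M))
    identities = set(re.findall(r"^\s*match identity address (\S+)", config, re.M))
    for peer in sorted(peers):
        # The keyring entry must be keyed by the REMOTE peer, not the local loopback.
        if peer not in keyring:
            findings.append(f"no pre-shared-key for peer {peer}; keyring only has {sorted(keyring)}")
        if peer not in identities:
            findings.append(f"no isakmp profile matches identity {peer}")
    # A crypto map does nothing until it is applied under an interface.
    defined = set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", config, re.M))
    applied = set(re.findall(r"^\s+crypto map (\S+)\s*$", config, re.M))
    for name in sorted(defined - applied):
        findings.append(f"crypto map {name} is defined but not applied to any interface")
    for line in config.splitlines():
        # DES/3DES and MD5 are deprecated; flag them for replacement with AES/SHA-2.
        if re.search(r"\b(3des|des|md5)\b", line, re.I):
            findings.append(f"weak algorithm: {line.strip()}")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```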