VRF and IPSec Tunnel Problem


valarian (Technical User, DE), Aug 23, 2005
Hello,

I've got a setup like this:
There is a C7204 in my central site with an E3 line carrying several Frame Relay PVCs, which are defined as sub-ifs of the E3 serial interface. One of those and one of my LAN-facing FastEthernet ports are members of a VRF. The VRF is the only one on the router; all other interfaces and sub-interfaces belong to the global router.
This all works fine, until I want to encrypt the traffic sent over the subif belonging to the VRF.

Here are the relevant parts of the config:

ip vrf test
 rd 10:100
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 no fair-queue
!
! PVC-facing sub-interface; this is the VRF member that carries the tunnel
interface Serial1/0.110 point-to-point
 ip vrf forwarding test
 ip address 1.2.3.6 255.255.255.252
 frame-relay interface-dlci 110
 crypto map testmap
!
! IKE phase 1: pre-shared-key authentication, all other policy values left at defaults
crypto isakmp policy 10
 authentication pre-share
! Global (non-VRF) pre-shared key for the peer; IKE running on a VRF-bound interface does not consult it
crypto isakmp key cisco address 1.2.3.5
! IKE phase 2 proposal
crypto ipsec transform-set test esp-3des esp-sha-hmac
! Sequence number and "ipsec-isakmp" are required when defining a map entry; the original post omitted them
crypto map testmap 10 ipsec-isakmp
 set peer 1.2.3.5
 set transform-set test
 match address 101
!
! Crypto ACL: "deny" means "send in the clear", so SSH in either direction bypasses IPsec; everything else is encrypted
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any eq 22 any
access-list 101 permit ip any any

The ACL makes sure SSH traffic is not being encrypted.


As soon as I put the crypto map onto the subif, I cannot even ping from 1.2.3.5 to 1.2.3.6 (extended ping with source IP given).

I already tried to mess with MTU sizes, as I suppose it may be something like truncated or malformed packets.

Any suggestions?

Thanks a lot
Mike
 
Hello!
I figured it out myself. The key is so-called "vrf-aware ipsec". In my configuration it helped to define the pre-shared keys for isakmp like this:
crypto keyring <keyringname> vrf <vrf-name>
 pre-shared-key address <peer-IP> key <secretkey>

I removed the old key definition before defining the keyring.

After this I just had to remove the crypto map on the vrf router and reapply it, to have the new config function.

After this, all went well.

So long,

Mike
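The working configuration, reassembled here as an added example rather than Mike's posted config verbatim. It combines the crypto map from the first post with the VRF-bound keyring from the follow-up and adds an ISAKMP profile that ties the keyring to the VRF, which is the form Cisco documents for VRF-aware IPsec; the keyring and profile names (test-keys, test-prof) and the placeholder key are assumptions. The reason the original key never matched: once the crypto map sits on an interface that belongs to VRF test, IKE with that peer runs in that VRF (the "front door" VRF), and a global crypto isakmp key is not consulted, so the key has to live in a keyring bound to the same VRF.

```cisco
ip vrf test
 rd 10:100
!
! Keyring bound to VRF "test" (assumed name test-keys): IKE sourced from a VRF
! interface looks up peers in keyrings whose VRF matches that interface.
! Replace the placeholder with a long random secret; "cisco" from the original is a weak key.
crypto keyring test-keys vrf test
 pre-shared-key address 1.2.3.5 key <secretkey>
!
crypto isakmp policy 10
 authentication pre-share
!
! ISAKMP profile (assumed name test-prof): "vrf test" is the inside VRF the decrypted
! traffic is routed in, "keyring" selects the VRF keyring above, and "match identity"
! accepts this peer only when it arrives via VRF test.
crypto isakmp profile test-prof
 vrf test
 keyring test-keys
 match identity address 1.2.3.5 255.255.255.255 test
!
! Kept as in the original post; on hardware that supports it, esp-aes with esp-sha-hmac
! is the better choice since 3DES is legacy.
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map testmap 10 ipsec-isakmp
 set peer 1.2.3.5
 set transform-set test
 set isakmp-profile test-prof
 match address 101
!
! Same crypto ACL as before: SSH bypasses the tunnel, everything else is encrypted
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any eq 22 any
access-list 101 permit ip any any
!
interface Serial1/0.110 point-to-point
 ip vrf forwarding test
 ip address 1.2.3.6 255.255.255.252
 frame-relay interface-dlci 110
 crypto map testmap
```

As the follow-up post notes, an existing crypto map binding does not pick up the new keyring on its own: remove crypto map testmap from the sub-interface and reapply it (or clear the IKE and IPsec SAs) after adding the keyring and profile, then confirm phase 1 reached QM_IDLE with show crypto isakmp sa and that packets are being encrypted with show crypto ipsec sa before re-running the extended ping from 1.2.3.5.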
 