RE: VPN to a VRF?

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Thu, 4 Feb 2010 22:13:52 -0500

Evan,

Terminate the VPN connection with an SVTI. This will allow it to be a part
of the VRF. No changes necessary on the remote end. Still static site to
site tunnel.

! Tunnel-type template placed in the VRF
interface Virtual-Template 1 type tunnel
 ip vrf forwarding XXX
 ip unnumbered XXX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile XXX

! ISAKMP profile ties the peer to the template
crypto isakmp profile L2L
 match identity address <peer-IP>
 virtual-template 1

crypto ipsec transform-set 3DES esp-3des esp-md5-hmac

crypto ipsec profile XXX
 set peer x.x.x.x
 set isakmp-profile L2L
 set transform-set 3DES

So on and so forth. I don't have this on a console, so I may be missing some
stuff, but this should be the start of it at least.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
ron.wilkerson_at_gmail.com
Sent: Thursday, February 04, 2010 9:23 PM
To: Evan Weston; ccielab_at_groupstudy.com
Subject: Re: VPN to a VRF?

Just configure VRF-aware IPsec on R1
-----Original Message-----
From: "Evan Weston" <evan_weston_at_hotmail.com>
Date: Fri, 5 Feb 2010 11:57:29
To: <ccielab_at_groupstudy.com>
Subject: VPN to a VRF?

Hi all,

In a lab I have a simple VPN between 2 routers back to back:

R1

int fa0/0
 ip add 10.100.12.1 255.255.255.0
!
int lo0
 ip add 1.1.1.1 255.255.255.0
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key CLIENT1 address 10.100.12.2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN_CMAP 10 ipsec-isakmp
 set peer 10.100.12.2
 set transform-set ESP-3DES-SHA
 match address TO_CLIENT
!
interface fa0/0
 crypto map VPN_CMAP
!
ip access-list extended TO_CLIENT
 permit ip host 1.1.1.1 host 2.2.2.2
!
ip route 0.0.0.0 0.0.0.0 10.100.12.2

R2

int fa0/0
 ip add 10.100.12.2 255.255.255.0
!
int lo0
 ip add 2.2.2.2 255.255.255.0
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key CLIENT1 address 10.100.12.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN_CMAP 10 ipsec-isakmp
 set peer 10.100.12.1
 set transform-set ESP-3DES-SHA
 match address TO_SERVER
!
interface fa0/0
 crypto map VPN_CMAP
!
ip access-list extended TO_SERVER
 permit ip host 2.2.2.2 host 1.1.1.1
!
ip route 0.0.0.0 0.0.0.0 10.100.12.1

Say if I wanted to take the loopback0 interface on R1 and put it in a
different VRF table, so on R1:

ip vrf TEST_VRF
 rd 1:1

int lo0
 ip vrf forwarding TEST_VRF
 ip address 1.1.1.1 255.255.255.255

Is there a way I can modify my VPN so I can still have 1.1.1.1 and 2.2.2.2
talk to each other, or do I need to go for easy VPN at this point?

Cheers!

Evan

Received on Thu Feb 04 2010 - 22:13:52 ART
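
The VRF-aware IPsec approach suggested in the thread, applied to the lab addresses from the original question. This is an added example, not configuration posted by any participant; the keyring and profile names (CLIENT1_KR, CLIENT1_PROF) are made up for illustration. It assumes fa0/0 stays in the global table (front-door VRF = global), that R1's existing ISAKMP policy and transform-set are kept, and that R2 is left unchanged.

```cisco
! R1 only. Loopback0 moves into TEST_VRF (inside VRF); fa0/0 stays global.
ip vrf TEST_VRF
 rd 1:1
!
! The pre-shared key moves into a keyring that the ISAKMP profile references.
! The keyring is global because the peer is reached through the global table.
crypto keyring CLIENT1_KR
 pre-shared-key address 10.100.12.2 key CLIENT1
!
! The profile binds this peer to TEST_VRF: traffic decrypted from
! 10.100.12.2 is routed in TEST_VRF instead of the global table.
crypto isakmp profile CLIENT1_PROF
 vrf TEST_VRF
 keyring CLIENT1_KR
 match identity address 10.100.12.2 255.255.255.255
!
! Same crypto map entry as before, now tied to the profile.
crypto map VPN_CMAP 10 ipsec-isakmp
 set peer 10.100.12.2
 set transform-set ESP-3DES-SHA
 set isakmp-profile CLIENT1_PROF
 match address TO_CLIENT
!
interface Loopback0
 ip vrf forwarding TEST_VRF
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.100.12.1 255.255.255.0
 crypto map VPN_CMAP
!
ip access-list extended TO_CLIENT
 permit ip host 1.1.1.1 host 2.2.2.2
!
! TEST_VRF needs a route to 2.2.2.2 whose next hop is resolved in the
! global table, so the packet leaves via fa0/0 and hits the crypto map.
ip route vrf TEST_VRF 2.2.2.2 255.255.255.255 10.100.12.2 global
```

To check the result, `show crypto session` should list the session with IVRF TEST_VRF, and `ping vrf TEST_VRF 2.2.2.2 source Loopback0` should increment the encaps/decaps counters in `show crypto ipsec sa`.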
