VRF aware IPSec between 2821 & 5505 config help?

From: Group Study <gs_at_netengineer.org>
Date: Wed, 2 Mar 2011 11:10:56 -0500

Hi Everyone,

So I'm trying to get VRF-aware IPsec working between an ASA5505 and a
2821. The 2821 is configured with VRFs, crypto maps, etc. The ASA is
configured for IPsec VPN.

Not sure if my configs are correct... but I don't see an ISAKMP SA. Any
help in troubleshooting would be appreciated...

Thanks.

[2821]
ip vrf CUSTOMER2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
ip vrf CUSTOMER3
 rd 3:3
 route-target export 3:3
 route-target import 3:3
!

crypto keyring CUSTOMER3
  pre-shared-key address 172.16.30.3 key vpn2it
crypto keyring CUSTOMER2
  pre-shared-key address 172.16.30.2 key vpn2it
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile CUSTOMER3
   description IKE-PH1-CUSTOMER3
   vrf CUSTOMER3
   keyring CUSTOMER3
   match identity address 172.16.30.3 255.255.255.0
crypto isakmp profile CUSTOMER2
   description IKE-PH1-CUSTOMER2
   vrf CUSTOMER2
   keyring CUSTOMER2
   match identity address 172.16.30.2 255.255.255.0
!
!
crypto ipsec transform-set CUSTOMER3 esp-aes esp-sha-hmac
crypto ipsec transform-set CUSTOMER2 esp-aes esp-sha-hmac
!
crypto map C2MAP isakmp-profile CUSTOMER2
!
crypto map C3MAP isakmp-profile CUSTOMER3
!
crypto map CUSTOMER2MAP 1 ipsec-isakmp
 set peer 172.16.30.2
 set transform-set CUSTOMER2
 set pfs group1
 set isakmp-profile CUSTOMER2
 match address 101
!
crypto map CUSTOMER3MAP 1 ipsec-isakmp
 set peer 172.16.30.3
 set transform-set CUSTOMER3
 set isakmp-profile CUSTOMER3
 match address 101
!
interface GigabitEthernet0/0
 description ***OUTSIDE***
 ip address 172.16.30.4 255.255.255.0
 duplex auto
 speed auto
 crypto map CUSTOMER3MAP
!
interface GigabitEthernet0/1
 description **INSIDE**
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.100.254.7 255.255.0.0
!
interface GigabitEthernet0/1.32
 encapsulation dot1Q 32
 ip vrf forwarding CUSTOMER2
 ip address 192.168.2.10 255.255.255.0
!
interface GigabitEthernet0/1.33
 encapsulation dot1Q 33
 ip vrf forwarding CUSTOMER3
 ip address 192.168.2.10 255.255.255.0
!
ip forward-protocol nd
ip route 10.100.0.0 255.255.0.0 10.100.254.10
ip route 10.101.0.0 255.255.0.0 10.101.254.10
ip route 10.200.4.0 255.255.255.0 10.100.254.10
ip route 10.200.4.0 255.255.255.0 10.101.254.10
ip route vrf CUSTOMER3 192.168.1.0 255.255.255.0 172.16.30.3 global
ip route vrf CUSTOMER2 192.168.1.0 255.255.255.0 172.16.30.2 global
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

[5505]

ASA Version 8.2(1)

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.30.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
ftp mode passive
access-list ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ACL1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any eq telnet any
access-list 101 extended permit tcp any any eq telnet

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface inside
access-group 101 out interface inside
access-group 101 in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 10.101.1.102 1
route outside 10.1.0.0 255.255.0.0 10.100.254.10 1
route outside 10.200.0.0 255.255.0.0 10.100.254.10 1
route outside 10.200.64.0 255.255.255.0 10.100.254.10 1

crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MYVPN 1 match address ACL1
crypto map MYVPN 1 set pfs
crypto map MYVPN 1 set peer 172.16.30.4
crypto map MYVPN 1 set transform-set MYSET
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 172.16.30.100 type ipsec-l2l
tunnel-group 172.16.30.100 ipsec-attributes
 pre-shared-key *
tunnel-group 172.16.30.4 type ipsec-l2l
tunnel-group 172.16.30.4 ipsec-attributes
 pre-shared-key *

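As an added example (not part of the original post), here is a check a reviewer can run over the two pasted configs before looking at debugs: it parses the router's crypto map and interface blocks and the ASA's outside interface and crypto map, then reports whether the crypto map bound to the router interface the ASA peers with actually lists the ASA's outside address as a peer. The config excerpts inside are constructed from the configs above and the helper names are my own.

```python
import re
IOS_CFG = """\
crypto map CUSTOMER3MAP 1 ipsec-isakmp
 set peer 172.16.30.3
interface GigabitEthernet0/0
 ip address 172.16.30.4 255.255.255.0
 crypto map CUSTOMER3MAP
"""  # constructed excerpt of the 2821 config in the post
ASA_CFG = """\
interface Vlan2
 nameif outside
 ip address 172.16.30.2 255.255.255.0
crypto map MYVPN 1 set peer 172.16.30.4
"""  # constructed excerpt of the 5505 config in the post

def blocks(cfg):
    """Group a Cisco config into (header, [indented child lines]) pairs."""
    out = []
    for line in cfg.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            out.append((line.strip(), []))
    return out

def child(kids, prefix):
    """Third word of the first child line starting with prefix, else None."""
    return next((k.split()[2] for k in kids if k.startswith(prefix)), None)

def router_bound_maps(cfg):
    """{interface IP: (crypto map name, peers in that map)} from an IOS config."""
    peers, applied = {}, {}
    for hdr, kids in blocks(cfg):
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", hdr)
        if m:  # collect 'set peer' from every sequence entry of the map
            peers.setdefault(m.group(1), set()).update(
                k.split()[2] for k in kids if k.startswith("set peer "))
        elif hdr.startswith("interface ") and child(kids, "crypto map "):
            applied[child(kids, "ip address ")] = child(kids, "crypto map ")
    return {ip: (n, peers.get(n, set())) for ip, n in applied.items()}

def check_phase1(ios_cfg, asa_cfg):
    """List reasons no IKE phase-1 SA can form between router and ASA."""
    bound, findings = router_bound_maps(ios_cfg), []
    outside = next(child(k, "ip address ") for _, k in blocks(asa_cfg) if "nameif outside" in k)
    for peer in sorted(set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)", asa_cfg, re.M))):
        name, rpeers = bound.get(peer, (None, set()))
        if outside not in rpeers:  # the map on the router's peer address must list the ASA
            findings.append(f"router {peer}: bound map {name} peers {sorted(rpeers)}, not ASA {outside}")
    return findings
```

Run against the excerpts it reports that the map bound to 172.16.30.4 only peers with 172.16.30.3; the same check passes once a map entry peering with 172.16.30.2 is bound to that interface.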
Received on Wed Mar 02 2011 - 11:10:56 ART