RE: IPSEC in a VRF on 1841

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Fri, 20 Jul 2012 10:33:19 -0500

Is interface Fa0/1/0 in the VRF table or in the global table? If it's in the global table you need the "global" keyword at the end of your static route. Also you're better off using a VTI for the tunnel as it simplifies the logic of which tunnels are in the global table vs. the VRF table.

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Darlington Ngaiso
Sent: Friday, July 20, 2012 9:57 AM
To: Group Study
Subject: IPSEC in a VRF on 1841

Hi Guys

I'm having a problem with setting up an IPSEC VPN within a VRF. I have a similar config running on the 1941 but can't get it to work on the 1841. The code on the 1841 is c1841-advipservicesk9-mz.124-22.T.bin

ip route vrf TEST 30.30.30.30 255.255.255.255 FastEthernet0/1/0 3.3.3.3

crypto keyring TEST-VRF vrf TEST
  pre-shared-key address 41.75.198.2 key dpdhlpwd

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
 lifetime 28800
!
crypto isakmp policy 40
 encr 3des
 authentication pre-share
 group 5
 lifetime 28800
!

crypto map TEST 100 ipsec-isakmp
 set peer 30.30.30.30
 set security-association lifetime seconds 1800
 set transform-set ESP_3DES_SHA
 match address 105

access-list 105 permit ip host a.b.c d host u.v.x.y

int fas0/1/0
 crypto map TEST

The IPSEC tunnel fails to initiate and a debug shows no IPSEC activity at all.

regards


Received on Fri Jul 20 2012 - 10:33:19 ART
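
The check suggested in the reply (is the exit interface of a VRF static route in the VRF or in the global table, and if global, does the route carry the "global" keyword) can be run over a saved configuration. The script below is an added example, not part of the original thread; the interface stanzas and the 3.3.3.1 address are constructed, since the poster did not show them, and full interface names are assumed.

```python
import re

# Constructed sample: the poster's static route plus an assumed interface stanza.
SAMPLE_GLOBAL_IF = """\
ip route vrf TEST 30.30.30.30 255.255.255.255 FastEthernet0/1/0 3.3.3.3
!
interface FastEthernet0/1/0
 ip address 3.3.3.1 255.255.255.0
 crypto map TEST
"""
# Same config, but with the interface placed in VRF TEST (also constructed).
SAMPLE_VRF_IF = SAMPLE_GLOBAL_IF.replace(
    "interface FastEthernet0/1/0\n",
    "interface FastEthernet0/1/0\n ip vrf forwarding TEST\n")


def interface_vrfs(config):
    """Map each interface name to its VRF, or None if it sits in the global table."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            vrfs[current] = None
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current:
            m = re.match(r"\s+(?:ip )?vrf forwarding\s+(\S+)", line)
            if m:
                vrfs[current] = m.group(1)
    return vrfs


def check_vrf_routes(config):
    """Return (vrf, prefix, interface) for each VRF static route that exits a
    global-table interface without the 'global' keyword."""
    vrfs = interface_vrfs(config)
    findings = []
    for line in config.splitlines():
        m = re.match(r"ip route vrf (\S+) (\S+) (\S+) (.+)", line)
        if not m:
            continue
        vrf, prefix, _mask, rest = m.groups()
        tokens = rest.split()
        exit_if = tokens[0]
        if exit_if in vrfs and vrfs[exit_if] is None and "global" not in tokens:
            findings.append((vrf, prefix, exit_if))
    return findings


if __name__ == "__main__":
    for vrf, prefix, exit_if in check_vrf_routes(SAMPLE_GLOBAL_IF):
        print(f"route to {prefix} in vrf {vrf}: {exit_if} is in the global table, 'global' missing")
```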
