Re: IPSEC in a VRF on 1841

From: Darlington Ngaiso <ngaissod_at_gmail.com>
Date: Sat, 21 Jul 2012 06:52:34 +0200

Hi Brian

The Interface is part of the VRF TEST.

int fas0/1/0
ip vrf forwarding TEST
crypto map TEST

The reason I'm using the VRF is that I want to build two tunnels to the
same IPSEC Gateway 30.30.30.30 but via different providers and separate
routing to the same IPSEC Gateway 30.30.30.30

regards

On Fri, Jul 20, 2012 at 5:33 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:

> Is interface Fa0/1/0 in the VRF table or in the global table? If it's in
> the global table you need the "global" keyword at the end of your static
> route. Also you're better off using a VTI for the tunnel as it simplifies
> the logic of which tunnels are in the global table vs. the VRF table.
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Darlington Ngaiso
> Sent: Friday, July 20, 2012 9:57 AM
> To: Group Study
> Subject: IPSEC in a VRF on 1841
>
> Hi Guys
>
> I'm having a problem with setting up an IPSEC VPN within a vrf. I have a
> similar config running on the 1941 but can't get it to work on the 1841. The
> Code on the 1841 is c1841-advipservicesk9-mz.124-22.T.bin
>
> ip route vrf TEST 30.30.30.30 255.255.255.255 FastEthernet0/1/0 3.3.3.3
>
> crypto keyring TEST-VRF vrf TEST
> pre-shared-key address 41.75.198.2 key dpdhlpwd
>
> crypto isakmp policy 10
> encr 3des
> authentication pre-share
> group 5
> lifetime 28800
> !
> crypto isakmp policy 40
> encr 3des
> authentication pre-share
> group 5
> lifetime 28800
> !
>
> crypto map TEST 100 ipsec-isakmp
> set peer 30.30.30.30
> set security-association lifetime seconds 1800
> set transform-set ESP_3DES_SHA
> match address 105
>
> access-list 105 permit ip host a.b.c d host u.v.x.y
>
>
>
> int fas0/1/0
> crypto map TEST
>
>
> The IPSEC tunnel fails to initiate and a debug shows no IPSEC activity at
> all
>
> regards
>
> Blogs and organic groups at http://www.ccie.net

Received on Sat Jul 21 2012 - 06:52:34 ART
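
Added example (not part of the original thread, and not Cisco tooling): a small Python check that reads a crypto-map configuration like the one posted and reports every `set peer` address that has no pre-shared key in a keyring bound to the VRF of the interface carrying the map. The sample text is constructed from the names and addresses in the thread with a placeholder key; `parse` and `unkeyed_peers` are hypothetical names.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: names and addresses from the thread, placeholder key.
SAMPLE = """\
crypto keyring TEST-VRF vrf TEST
 pre-shared-key address 41.75.198.2 key EXAMPLE-KEY
crypto map TEST 100 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set ESP_3DES_SHA
 match address 105
interface FastEthernet0/1/0
 ip vrf forwarding TEST
 crypto map TEST
"""

def parse(config):
    """Return PSK networks per keyring VRF, peers per crypto map, and VRF/map per interface."""
    keys, peers, ifaces, ctx = {}, {}, {}, (None, None)
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"crypto keyring \S+(?: vrf (\S+))?$", line):
            ctx = ("keyring", m[1])  # m[1] is None for a global-table keyring
            keys.setdefault(m[1], [])
        elif m := re.match(r"crypto map (\S+) \d+", line):
            ctx = ("map", m[1])
            peers.setdefault(m[1], [])
        elif m := re.match(r"int(?:erface)?\s+(\S+)", line):
            ctx = ("if", m[1])
            ifaces[m[1]] = {"vrf": None, "map": None}
        elif ctx[0] == "keyring" and (
                m := re.match(r"pre-shared-key address (\S+)(?: (\d+(?:\.\d+){3}))? key", line)):
            keys[ctx[1]].append(ip_network(f"{m[1]}/{m[2] or '255.255.255.255'}", strict=False))
        elif ctx[0] == "map" and (m := re.match(r"set peer (\S+)", line)):
            peers[ctx[1]].append(m[1])
        elif ctx[0] == "if" and (m := re.match(r"ip vrf forwarding (\S+)", line)):
            ifaces[ctx[1]]["vrf"] = m[1]
        elif ctx[0] == "if" and (m := re.match(r"crypto map (\S+)$", line)):
            ifaces[ctx[1]]["map"] = m[1]
    return keys, peers, ifaces

def unkeyed_peers(config):
    """List (interface, VRF, peer) where no keyring in the interface's VRF holds a key for the peer."""
    keys, peers, ifaces = parse(config)
    return [(name, iface["vrf"], peer)
            for name, iface in ifaces.items() if iface["map"]
            for peer in peers.get(iface["map"], [])
            if not any(ip_address(peer) in net for net in keys.get(iface["vrf"], []))]

if __name__ == "__main__":
    for name, vrf, peer in unkeyed_peers(SAMPLE):
        print(f"{name} (vrf {vrf}): no pre-shared key for peer {peer}")
```

The parser keys on command keywords rather than indentation, so it also accepts configuration pasted flat, as in the message above.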