Thursday, November 26, 2009

VRF aware Site-to-Site IPSec

Cisco introduced new configuration guidelines for VRF-aware IPsec. I spent a day's worth of effort and finally got it working. Understanding the Front Door VRF (FVRF) and the Inside VRF (IVRF) is key. Each IPsec tunnel is associated with two VRF domains: the outer, encapsulating packet belongs to one VRF, which Cisco calls the FVRF, and the inner, encrypted IP packet belongs to another VRF, called the IVRF.

Part 1 is the base configuration without any IPsec. I'm using a Loopback interface to simulate an internal trusted network address (e.g. a LAN). A GRE tunnel is set up to bridge the two separate LANs. In Part 2, an IPsec profile is applied to encrypt the tunnel (a.k.a. GRE over IPsec).

Part 1 - Base Configuration
hostname Router1
ip vrf FVRF
rd 0:0
!
ip vrf IVRF
rd 1:1
!
! Loopback0 simulates the internal (trusted LAN) address
interface Loopback0
ip vrf forwarding IVRF
ip address 192.168.255.1 255.255.255.255
!
interface Tunnel0
ip vrf forwarding IVRF
ip address 192.168.1.1 255.255.255.252
tunnel source Serial1/0
tunnel destination 192.168.1.2
tunnel vrf FVRF
!
interface Serial1/0
ip vrf forwarding FVRF
ip address 192.168.1.1 255.255.255.252
!
ip route vrf IVRF 192.168.255.2 255.255.255.255 Tunnel0

----
hostname Router2
ip vrf FVRF
rd 0:0
!
ip vrf IVRF
rd 1:1
!
interface Loopback0
ip vrf forwarding IVRF
ip address 192.168.255.2 255.255.255.255
!
interface Tunnel0
ip vrf forwarding IVRF
ip address 192.168.1.2 255.255.255.252
tunnel source Serial1/0
tunnel destination 192.168.1.1
tunnel vrf FVRF
!
interface Serial1/0
ip vrf forwarding FVRF
ip address 192.168.1.2 255.255.255.252
!
ip route vrf IVRF 192.168.255.1 255.255.255.255 Tunnel0

Part 2 - IPSec related crypto configuration
Router1
crypto keyring vpnKey vrf FVRF
pre-shared-key address 192.168.1.2 key vpnkey
!
! exempt the physical interface from extended authentication (xauth)
no crypto xauth Serial1/0
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp profile isaPro
vrf FVRF
keyring vpnKey
match identity address 192.168.1.2 255.255.255.255 FVRF
!
! esp-des / esp-md5-hmac are kept as in the original post; both are deprecated, AES and SHA-2 are preferred today
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto ipsec profile ipsecPro
set transform-set myset
set isakmp-profile isaPro
!
interface Tunnel0
! apply IPsec to protect the tunnel. Note that "tunnel mode ipsec ipv4" turns Tunnel0 into a static VTI
! that carries IP directly inside IPsec (no GRE header); leave it out to keep a true GRE-over-IPsec tunnel
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecPro
!
!
-------

Router2
crypto keyring vpnKey vrf FVRF
pre-shared-key address 192.168.1.1 key vpnkey
!
no crypto xauth Serial1/0
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp profile isaPro
vrf FVRF
keyring vpnKey
match identity address 192.168.1.1 255.255.255.255 FVRF
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto ipsec profile ipsecPro
set transform-set myset
set isakmp-profile isaPro
!
interface Tunnel0
! same VTI mode as Router1; both ends must use the same tunnel mode
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecPro
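A consistency check for the two-VRF binding described above, added here as an example (it is not from the post and not a Cisco tool). It parses an un-indented IOS config and verifies that the tunnel source interface, the ISAKMP profile, its `match identity`, and the keyring all sit in the same VRF as `tunnel vrf`, that the peer addresses agree, and that the transform-set avoids deprecated algorithms. The names `parse_blocks`, `tok`, `audit`, `WEAK` and the `ROUTER1` sample (the post's Router1 with abbreviations expanded) are constructed for this example.

```python
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # deprecated ESP algorithms
HEADERS = ("interface ", "crypto keyring ", "crypto isakmp profile ", "crypto ipsec transform-set ", "crypto ipsec profile ")

def parse_blocks(cfg):
    # Group an un-indented IOS config into (header, [sub-lines]) blocks; '!' lines are comments.
    blocks = []
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith(HEADERS):
            blocks.append((line, []))
        elif line and line[0] != "!" and blocks:
            blocks[-1][1].append(line)
    return blocks

def tok(block, prefix, idx=0):
    # Token number `idx` after `prefix` in the block's first matching sub-line, else None.
    hits = [sub[len(prefix):].split() for sub in block[1] if sub.startswith(prefix)]
    return hits[0][idx] if hits and idx < len(hits[0]) else None

def audit(cfg):
    # Cross-check the FVRF/IVRF bindings behind each protected tunnel; return a list of findings.
    blocks, out = parse_blocks(cfg), []
    blk = lambda prefix: next((b for b in blocks if (b[0] + " ").startswith(prefix)), ("", []))
    for tun in (b for b in blocks if b[0].startswith("interface Tunnel")):
        fvrf, peer, src = (tok(tun, p) for p in ("tunnel vrf ", "tunnel destination ", "tunnel source "))
        ipsec = blk(f"crypto ipsec profile {tok(tun, 'tunnel protection ipsec profile ')} ")
        isakmp = blk(f"crypto isakmp profile {tok(ipsec, 'set isakmp-profile ')} ")
        keyring = blk(f"crypto keyring {tok(isakmp, 'keyring ')} ")
        weak = WEAK & set(blk(f"crypto ipsec transform-set {tok(ipsec, 'set transform-set ')} ")[0].split())
        checks = [  # (is_bad, message)
            (fvrf == tok(tun, "ip vrf forwarding "), f"FVRF and IVRF are both {fvrf}; no inside/outside separation"),
            (tok(blk(f"interface {src} "), "ip vrf forwarding ") != fvrf, f"tunnel source {src} is not in FVRF {fvrf}"),
            (tok(isakmp, "vrf ") != fvrf, f"isakmp profile vrf is not FVRF {fvrf}"),
            ((tok(isakmp, "match identity address "), tok(isakmp, "match identity address ", 2)) != (peer, fvrf),
             f"match identity does not select peer {peer} in {fvrf}"),
            (keyring[0].split()[-1:] != [fvrf] or tok(keyring, "pre-shared-key address ") != peer,
             f"keyring is not bound to FVRF {fvrf} with a key for {peer}"),
            (bool(weak), f"transform-set uses deprecated algorithms {sorted(weak)}"),
        ]
        out += [f"{tun[0]}: {msg}" for bad, msg in checks if bad]
    return out

# Constructed sample: the post's Router1 with abbreviations expanded (only the lines audit() reads).
ROUTER1 = "\n".join(["interface Tunnel0", "ip vrf forwarding IVRF", "tunnel source Serial1/0",
    "tunnel destination 192.168.1.2", "tunnel vrf FVRF", "tunnel protection ipsec profile ipsecPro",
    "interface Serial1/0", "ip vrf forwarding FVRF", "crypto keyring vpnKey vrf FVRF",
    "pre-shared-key address 192.168.1.2 key vpnkey", "crypto isakmp profile isaPro", "vrf FVRF",
    "keyring vpnKey", "match identity address 192.168.1.2 255.255.255.255 FVRF",
    "crypto ipsec transform-set myset esp-des esp-md5-hmac", "crypto ipsec profile ipsecPro",
    "set transform-set myset", "set isakmp-profile isaPro"])
FINDINGS = audit(ROUTER1)  # one finding: the DES/MD5 transform-set
```

Run against a `show running-config` dump after removing indentation; a keyring or ISAKMP profile left in the global table instead of the FVRF shows up as a finding before the tunnel fails to come up.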



Verification
Router1#ping vrf IVRF 192.168.255.2 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.255.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.255.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 372/429/512 ms

Router1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.1 192.168.1.2 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

Router1#sh crypto session
Crypto session current status

Interface: Tunnel0
Profile: isaPro
Session status: UP-ACTIVE
Peer: 192.168.1.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

1 comment:

  1. Is there a way to do this same IVRF and FVRF configuration using crypto maps instead of VTI? I have been trying for a few days now but it does not seem to work. My goal is to use crypto maps with reverse route injection.
