Tuesday, April 5, 2011

VRF-aware Dynamic Multipoint VPN

Following on from my previous post on VRF-aware Multipoint GRE, the mGRE tunnels can be protected with IPsec with only a handful of extra lines. The point to get right is the VRF split: IKE (ISAKMP) runs over the tunnel source addresses, so the keyring and the identity match must be tied to the outer (front-door) VRF, while the tunnel interface itself stays in the inner VRF that carries the overlay traffic.

On all routers (the mGRE and tunnel VRF settings from the previous post are assumed to be in place already):

    !
    ! IKE pre-shared key, looked up in the outer VRF where the tunnel source lives
    crypto keyring ciscokey vrf outer
     pre-shared-key address 172.16.0.0 255.255.0.0 key cisco123
    !
    ! ISAKMP profile: match peers by address, again in the outer VRF
    crypto isakmp profile isaDMVPN
     keyring ciscokey
     match identity address 172.16.0.0 255.255.0.0 outer
    !
    ! Transport mode is the normal choice for tunnel protection: the GRE
    ! header already carries the tunnel endpoints, so tunnel mode only adds overhead
    crypto ipsec transform-set tfDMVPN esp-aes esp-sha-hmac
     mode transport
    !
    crypto ipsec profile proDMVPN
     set security-association lifetime seconds 900
     set transform-set tfDMVPN
     set isakmp-profile isaDMVPN
    !
    interface Tunnel1
     ip vrf forwarding inner
     ! apply IPsec protection to the mGRE tunnel
     tunnel protection ipsec profile proDMVPN
    !

Two caveats before copying this into production. First, a single wildcard pre-shared key for the whole 172.16.0.0/16 range means any device in that range that learns the key can join the DMVPN, and a key recovered from one spoke compromises every peer; use per-peer keys or, better, certificates, and in any case replace cisco123 with a strong key. Second, no crypto isakmp policy is shown here, so phase 1 will negotiate whatever ISAKMP policies the router already has, including its built-in defaults; define an explicit policy (AES, SHA, a strong DH group, pre-share) so the IKE proposal is what you intend rather than what the defaults allow.

To verify, run the following commands and check the state fields: the ISAKMP SA should be in state QM_IDLE with status ACTIVE, and the crypto session on Tunnel1 should show UP-ACTIVE under the isaDMVPN profile.

    Router1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    172.16.1.1      172.16.1.2      QM_IDLE           1001    0 ACTIVE
    ......

    Router1#sh crypto session
    Crypto session current status

    Interface: Tunnel1
    Profile: isaDMVPN
    Session status: UP-ACTIVE
    ......

If you do not see these results, troubleshoot with "debug crypto isakmp" and "debug crypto ipsec". Most failures are ISAKMP (IKE phase 1) problems, and the usual culprit is a pre-shared key that does not match on both ends: an SA that sits in MM_NO_STATE or keeps restarting Main Mode almost always means the keys differ. The VRF binding is the next thing to check, since both the keyring and the match identity must name the outer VRF and the peer's tunnel source address must fall inside 172.16.0.0/16. After that, confirm the ISAKMP policy and the transform set (esp-aes esp-sha-hmac, transport mode) are identical on both sides.
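Checking two show commands by eye is fine for a lab, but on a hub with many spokes you want the same check scripted. The following is an added example, not code from the original post: it parses the text of "show crypto isakmp sa" and "show crypto session" (captured however you like, for instance over SSH) and reports every peer that is not in the healthy state described above, namely ISAKMP SA QM_IDLE/ACTIVE and crypto session UP-ACTIVE on the isaDMVPN profile. The sample output embedded in the script is constructed, modelled on the format quoted above, with one spoke deliberately stuck in Main Mode as a pre-shared key mismatch would leave it.

```python
"""Health check for DMVPN IPsec peers from IOS 'show' output.

Added example, not code from the original post. It parses the text of
'show crypto isakmp sa' and 'show crypto session' and reports every peer
that is not in the healthy state the post describes: ISAKMP SA
QM_IDLE/ACTIVE and crypto session UP-ACTIVE on the expected ISAKMP
profile. The sample output below is constructed, modelled on the format
quoted in the post.
"""
import re

# Constructed sample: hub at 172.16.1.1, spokes .2 and .4 healthy,
# spoke .3 stuck in Main Mode (typically a pre-shared key mismatch).
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.1.1      172.16.1.2      QM_IDLE           1001    0 ACTIVE
172.16.1.1      172.16.1.3      MM_NO_STATE       1002    0 ACTIVE (deleted)
172.16.1.1      172.16.1.4      QM_IDLE           1003    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

CRYPTO_SESSION_OUTPUT = """\
Crypto session current status

Interface: Tunnel1
Profile: isaDMVPN
Session status: UP-ACTIVE
Peer: 172.16.1.2 port 500
  IKE SA: local 172.16.1.1/500 remote 172.16.1.2/500 Active
  IPSEC FLOW: permit 47 host 172.16.1.1 host 172.16.1.2
        Active SAs: 2, origin: crypto map

Interface: Tunnel1
Profile: isaDMVPN
Session status: DOWN-NEGOTIATING
Peer: 172.16.1.3 port 500
  IKE SA: local 172.16.1.1/500 remote 172.16.1.3/500 Inactive
  IPSEC FLOW: permit 47 host 172.16.1.1 host 172.16.1.3
        Active SAs: 0, origin: crypto map

Interface: Tunnel1
Profile: isaDMVPN
Session status: UP-ACTIVE
Peer: 172.16.1.4 port 500
  IKE SA: local 172.16.1.1/500 remote 172.16.1.4/500 Active
  IPSEC FLOW: permit 47 host 172.16.1.1 host 172.16.1.4
        Active SAs: 2, origin: crypto map
"""

# One data row of 'show crypto isakmp sa': dst src state conn-id slot status
_ISAKMP_ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<slot>\S+)\s+(?P<status>.+?)\s*$",
    re.M,
)


def parse_isakmp_sa(text):
    """Return one dict per ISAKMP SA row (header and IPv6 section are skipped)."""
    return [m.groupdict() for m in _ISAKMP_ROW.finditer(text)]


def parse_crypto_sessions(text):
    """Return one dict per 'Interface:' block of 'show crypto session'."""
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            current = {"interface": line.split(":", 1)[1].strip()}
            sessions.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key = key.strip().lower().replace(" ", "_")
            # 'Peer: 172.16.1.2 port 500' -> keep only the address
            if key in ("profile", "session_status", "peer"):
                current[key] = value.split()[0]
    return sessions


def check_dmvpn_peers(isakmp_text, session_text, local_addr, profile="isaDMVPN"):
    """Return sorted (peer, problem) tuples; an empty list means every peer is up."""
    problems = []
    for sa in parse_isakmp_sa(isakmp_text):
        # The local address is in either column depending on who initiated IKE.
        peer = sa["src"] if sa["dst"] == local_addr else sa["dst"]
        if sa["state"] != "QM_IDLE" or sa["status"] != "ACTIVE":
            problems.append((peer, f"ISAKMP SA {sa['state']} / {sa['status']}"))
    for s in parse_crypto_sessions(session_text):
        peer = s.get("peer", "?")
        if profile and s.get("profile") != profile:
            problems.append((peer, f"session not bound to ISAKMP profile {profile}"))
        if s.get("session_status") != "UP-ACTIVE":
            problems.append((peer, f"session status {s.get('session_status')}"))
    return sorted(problems)


if __name__ == "__main__":
    for peer, problem in check_dmvpn_peers(ISAKMP_SA_OUTPUT, CRYPTO_SESSION_OUTPUT, "172.16.1.1"):
        print(f"{peer}: {problem}")
```

Run against the sample it reports 172.16.1.3 twice, once for the ISAKMP SA in MM_NO_STATE and once for the DOWN-NEGOTIATING session, which is exactly the pattern a pre-shared key mismatch leaves behind; the healthy spokes produce no output. The local address is passed in explicitly because the dst/src columns of "show crypto isakmp sa" swap depending on which side initiated phase 1.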
