2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput

We have a couple of new 2821s deployed across a fibre link and they were originally running 12.4 (non T) versions using software encryption. We would get around 8Mb/s throughput. Upgrading to T to use the installed AIM cards we now see the AIM cards in use (show cry isakmp sa det shows the engine as aim vpn), but we still get the same throughput and high CPU. Allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of vrf aware ipsec - or any other suggestions?

Hi Nick,
I am having the same issue. We have a 2851 as an IPSEC VPN headend with an AIM VPN module but we are seeing high CPU usage (80%) with just 4-5mbps worth of traffic. I have an idea that I might have a NAT issue.
We are currently running NAT, ZFW, and IPSEC site-to-site VPN on the router.
When I look at my ZONE firewall policy-map output it is showing all of my VPN traffic as process switched.
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [14809800:0]
udp packets: [145107:0]
icmp packets: [20937:12]
I have disabled the ZFW and still see high cpu although it is a little lower.
Packets are not fragmented, CEF and fast switching look to be enabled. I am using a route-map for my nonats. That is the only thing I can think of now.
I have tried IOS 12.4(20)T3,4 and 12.4(15)T9. Same results.
Anyone have some ideas?

Similar Messages

  • Vrf Aware IPSEC

    Hi
    I am trying something in line with the title mentioned, but I am getting stuck getting my VPN client to establish connectivity with my IPE box, which is a 7206.
    I have tried establishing dynamic IPsec with my 6513 box configured to accept the same, where it is working fine without any issues, but, my bad luck, I don't have a compatible IOS to tune my 6513 box to support VRF-aware IPsec, and since my 7206 supports the same functionality I didn't want the 6513 to cater for that feature.
    I have even tried the same config of normal plain dynamic IPsec which I tried on the 6513 switch, but I am still getting the same problem.
    I am getting "remote peer is no longer responding" in my VPN client.
    I am attaching the config of my IPE box with this message. Please suggest how I should proceed to make it through, because I have run out of ideas and gone totally dry
    (because I have been trying to crack this continuously for hours together..) :-(
    Regards

    Hi
    Thanks a lot, I got it working, but do revert on how the same is working fine without any issues on my 6513 box without the above-mentioned command. That's why I got stumped :-(
    Are there any compatibility issues, or any specifics for which this syntax has to be added on 7206 boxes alone? Because I am aware of some boxes, even in production networks, running dynamic IPsec without the above-mentioned command..
    Regards

  • DMVPN + VRF-Aware IPSec

    Hi,
    Can we club DMVPN and VRF-Aware IPsec features?
    Regards
    Mahesh

    Million thanks for this.
    This now works after disabling CEF on the public facing interface.
    Regards,
    Zahid

  • VRF-Aware IPSec for Remote Access

    Dear All,
    Has anyone successfully implemented VRF-Aware IPSec for Remote Access?
    I am trying to implement this feature on a PE which has MPLS enabled on the Internet facing interface.
    With the config below, I am able to establish an IPsec tunnel but am not able to ping the VRF interface configured on the same PE.
    I will be really grateful for any comment or any pointers for what could possibly be wrong with the configuration below:
    aaa new-model
    aaa authentication login USER-AUTHENTICATION local
    aaa authorization network GROUP-AUTHORISATION local
    crypto keyring test-1
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group test-1
     key test-1
     domain test.com
     pool cpe-1
     acl 101
    crypto isakmp profile test-1
     vrf test-1
     keyring test-1
     match identity group test-1
     client authentication list USER-AUTHENTICATION
     isakmp authorization list GROUP-AUTHORISATION
     client configuration address initiate
     client configuration address respond
     client configuration group test-1
    crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
    ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
    crypto dynamic-map test-1 1
     set transform-set test-1
     set isakmp-profile test-1
     reverse-route remote-peer
    Internet facing interface:
    interface GigabitEthernet4/0/0
     ip address x.x.x.x 255.255.255.240
     ip router isis
     mpls ip
     crypto map IPSEC-AWARE-VRF
    Customer facing interface:
    interface GigabitEthernet1/0/0.1
     encapsulation dot1Q 100
     ip vrf forwarding test-1
     ip address 110.110.110.1 255.255.255.0
    Kind regards,
    ZH

    Million thanks for this.
    This now works after disabling CEF on the public facing interface.
    Regards,
    Zahid

  • VRF-Aware IPsec with a Dynamic VTI

    Hello
    I am trying to configure VRF-aware IPsec with a Dynamic VTI. I follow the guidelines from the document
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-2mt/sec-ipsec-virt-tunnl.html#GUID-C0A165BF-5866-4B13-BD73-0892B7E65488
    According to the example "VRF-Aware IPsec with a Dynamic VTI When VRF is Configured Under an ISAKMP Profile", I should be able to configure both the vrf and virtual-template features under the same crypto isakmp policy.
    Unfortunately, if I try to do that, I receive the following message
    R4(conf-isa-prof)#virtual-template 1
    % VRF already set for isakmp profile. Virtual Template not allowed
    Does anybody know why I am not able to follow the configuration from this example?
    My profile configuration and the virtual-template configuration are as follows
    crypto isakmp profile A
       vrf A
       keyring A
       match identity address 192.168.0.2 255.255.255.255
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback2
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile A
    I am doing the test on IOS 12.4(11)XW3 running on a 3725 router.
    Thank you in advance for any hints.
    Regards
    Lukas

    Lukas,
    I'm not sure but most likely this was not yet supported in 12.4.
    The document you refer to is for IOS 15.2. I don't know by heart if your 3715 can run 15.2, otherwise give 15.1(4)Mx a try ?
    hth
    Herbert

  • High Sync low throughput - ongoing issue

    Hello all - any ideas or help gratefully received.
    Since 17th November I've had speed problems on my ADSL connection.  Started with drop in speed which I reported as a fault.  I received a fault number, spoke to customer support colleagues in India who could not resolve it.  All the usual - test socket, filter change, reset stuff. It was escalated even though I noticed that the fault was reported to be resolved on my BT profile.  
    My IP profile was reset and I was sent a new hub.  Initially, the IP reset seemed to work - the hub made no difference.  A few days later it happened again.   So, I should have download speed of around 8mbps but I get 1mbps.  I live opposite the exchange. 
    I raised it again.  Given a new fault number around the 3rd December.  A week of calls every few days to and from India - they could see what I could see - high sync rate low throughput.  Line says the right speed, IP profile says the right speed but throughput stuck at 1mbps.  Fault was escalated and I also raised it with the complaints team.
    On the 10th Dec an engineer came to the exchange (across the road) I was called to say it was all fixed.  It wasn't. On the 12th Dec an engineer came to the house.  No problem found. PQ Test, Eclipse Test, APTS Test, BTAS Test, Ping Test - all passed.  Cabling in the house fine.  Changed wires, hubs etc - no change.  He was convinced it is the exchange but he could not fix it.
    Now dealing with helpful BT complaints handlers.  They are helpful in terms of the contact bit, but there is still no resolution or detail or even a sense that anyone knows what the problem is.  Since Thursday 12th I have been told every few days that BT wholesale are 'investigating' and 'testing' and that I should wait 48 hours. Most recently yesterday.
    This has been going on too long - communication with BT is OK but they just can't fix it. Any ideas gratefully received.
    Merry Christmas and kindest regards
    Richie

    Connection Information
    Line state: Connected
    Connection time: 4 days, 04:47:16
    Downstream: 7.938 Mbps
    Upstream: 448 Kbps
    ADSL Settings
    VPI/VCI: 0/38
    Type: PPPoA
    Modulation: G.992.1 Annex A
    Latency type: Interleaved
    Noise margin (Down/Up): 15.6 dB / 25.0 dB
    Line attenuation (Down/Up): 0.4 dB / 0.5 dB
    Output power (Down/Up): 7.9 dBm / 12.1 dBm
    FEC Events (Down/Up): 29171 / 0
    CRC Events (Down/Up): 31 / 0
    Loss of Framing (Local/Remote): 0 / 0
    Loss of Signal (Local/Remote): 0 / 0
    Loss of Power (Local/Remote): 0 / 0
    HEC Events (Down/Up): 47 / 0
    Error Seconds (Local/Remote): 1048 / 5

  • Troubles using VRF-aware IPsec w/ crypto maps

    I'm trying to get a lab setup to work with a C2951 (15.2(4)M4) peering with an ASA 5510 (9.1(2)). The config is based on crypto maps, since I want the C2951 to be the initiating side, and as far as I understand, VTIs wouldn't be working together with the ASA due to the default 'any' crypto statements that are being applied on SVTIs.
    So I've set up this IKEv1-, crypto map-based lab, and the tunnel strictly won't come up; it seems that crypto doesn't find any interesting traffic at all (no debug crypto isakmp output pops up).
    What I'm doing for testing is issuing a VRF Ping from a loopback interface of the C2951. I was following the following cheat sheet to configure the IOS box:
    https://supportforums.cisco.com/docs/DOC-13524
    Please see the attached config files and the setup drawing.
    This is the way I'm testing it:
    C2951#sh deb
    Cryptographic Subsystem:
      Crypto ISAKMP debugging is on
    C2951#
    C2951#ping vrf test 10.0.0.1 source lo 1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    Packet sent with a source address of 40.0.0.1
    Success rate is 0 percent (0/5)
    C2951#
    Any hints for me, please?

    There are no VRF routes left in the config, and I've cleared the global and the VRF routing table. Even rebooted the box. Still only half of the Pings get answered. There are no crypto ipsec errors, so it should have something to do with routing...but what?
    C2951#sh crypto ipsec sa
    interface: GigabitEthernet0/0
        Crypto map tag: OUR-MAP, local addr 30.0.0.2
       protected vrf: test
       local  ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
       current_peer 20.0.0.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
        #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 30.0.0.2, remote crypto endpt.: 20.0.0.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0xEB02ACDA(3942821082)
         PFS (Y/N): Y, DH group: group5
         inbound esp sas:
          spi: 0x1A943A9F(445921951)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 18009, flow_id: ISM VPN:9, sibling_flags 80000040, crypto map: OUR-MAP
            sa timing: remaining key lifetime (k/sec): (4225929/3571)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xEB02ACDA(3942821082)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 18010, flow_id: ISM VPN:10, sibling_flags 80000040, crypto map: OUR-MAP
            sa timing: remaining key lifetime (k/sec): (4225928/3571)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)
         outbound ah sas:
         outbound pcp sas:
    C2951#sh ip route 10.0.0.0
    % Network not in table
    C2951#sh ip route vrf test 10.0.0.0
    Routing Table: test
    Routing entry for 10.0.0.0/24, 1 known subnets
    S        10.0.0.0 [1/0] via 20.0.0.1, GigabitEthernet0/0

  • VRF-aware IPSec Issues

    Hello All
    I will be grateful if someone can assist me with this please.
    I am having issues with this setup and the VPN tunnel shows down. Can someone please advise where I may be going wrong? The test setup is as below, and I have also attached the current configs.
    VPN_RTR#sh crypto session
    Crypto session current status
    Interface: GigabitEthernet0/1.84
    Session status: DOWN
    Peer: 1.1.1.2 port 500
      IPSEC FLOW: permit ip host 10.10.10.1 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map
    Interface: GigabitEthernet0/1.85
    Session status: DOWN
    Peer: 1.1.1.6 port 500
      IPSEC FLOW: permit ip host 10.10.11.1 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map

    Hello,
    Modify your ACL on both routers to identify the interesting traffic which will be encrypted, in your case traffic between loopbacks in the same VRF.
    INETSERV1_TEST
    ip access-list extended P1-VPN
     permit ip host 10.10.10.1 host 192.168.0.1
    ip access-list extended P3-VPN
     permit ip host 10.10.11.1 host 192.168.1.1
    VPN_RTR
    ip access-list extended P1-VPN
     permit ip host 192.168.0.1 host 10.10.10.1
    ip access-list extended P3-VPN
     permit ip host 192.168.1.1 host 10.10.11.1
    After this change, you should be able to ping between loopbacks.
    Best Regards
    Please rate all helpful posts and close solved questions

  • High CPU low battery

    After updating to ios5 my battery is going flat in less than a day. I downloaded a process monitor and it shows my CPU averaging 96%. No wonder my battery ain't lasting. I turned off location services, no difference. Turned off wifi, no difference. No iCloud stuff selected, no difference. Turned airplane mode on, no difference. What the heck is going on.
    Now for the weird bit, I deleted iCloud account on iPhone still at 96%. I went to my iPad and the process app was installed on it.  No iCloud options selected on iPad. Went back to iPhone and downloaded the full version of the app and bugger me it appeared on my iPad as well.
    iPad CPU averaging about 20%. I can only guess that my devices are permanently talking to each other through iCloud.
    Apple what the heck have you done. You need to sort this ASAP please

    I have the exact same problem and have posted a topic but didn't get any feedback.
    My fan is running at full blast at all times and it's extremely loud, loud enough to be heard over my music in iTunes.
    Here is a picture of my Activity Monitor:
    http://i78.photobucket.com/albums/j98/sminman/Picture2.png
    I am not sure what the problem is but just like Emmy12, I get horrible battery life compared to what I used to get.
    So...
    Can anyone help us out?
    Thanks,
    Sam

  • Vrf aware dynamic ipsec

    Hi
    I need to setup a VRF aware IPSec that can take requests from dynamic (unspecified) sources. This is basically like enabling a home user to connect to his MPLS VPN network with a service provider. Please help with the SP network config, not the CPE.
    An appropriate link will also help.

    Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.
    One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.
    This document helps you configure VRF aware IPSec.
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1158006

  • IPSec VRF Aware (Crypto Map)

    Hello!
    I have a problem with configuring VRF-aware IPsec (crypto map).
    Any traffic (from subnet 10.6.6.248/29) does not pass through the router, but if I run the command "ping vrf inside 10.5.5.1 source gi 0/1.737" it works well.
    Configuration below:
    ip vrf outside
     rd 1:1
    ip vrf inside
     rd 2:2
    track 10 ip sla 10 reachability
    ip sla schedule 10 life forever start-time now
    crypto keyring outside vrf outside
      pre-shared-key address 10.10.10.100 key XXXXXX
    crypto isakmp policy 20
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 periodic
    crypto isakmp profile AS_outside
       vrf inside
       keyring outside
       match identity address 10.10.10.100 255.255.255.255 outside
       isakmp authorization list default
    crypto ipsec transform-set ESP-AES esp-aes 256 esp-sha-hmac
     mode tunnel
    crypto ipsec df-bit clear
    crypto map outside 10 ipsec-isakmp
     set peer 10.10.10.100
     set security-association idle-time 3600
     set transform-set ESP-AES
     set pfs group2
     set isakmp-profile AS_outside
     match address inside_access
    ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
    ip access-list extended inside_access
     permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
    ip sla 10
     icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
      vrf outside
    interface GigabitEthernet0/0.806
     ip vrf forwarding outside
     ip address 10.10.10.101 255.255.255.0
     crypto map outside
    interface GigabitEthernet0/1.737
     ip vrf forwarding inside
     ip address 10.6.6.252 255.255.255.248

    Hello Frank!
    >>  1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
    I tried it before. Nothing changes.
    >> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
    It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
    show command below:
    ISR-vpn-1#show ip cef vrf inside exact-route  10.6.6.254 10.5.5.1
     10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
    ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal                
    10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
      sources: RIB 
      feature space:
       NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
      ifnums:
       GigabitEthernet0/0.806(24): 10.10.10.100
      path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
      nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
      output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)

  • Dynamic L2L in VRF-aware

    I have a router in a VRF that acts as a concentrator for remote VPN routers and firewalls.
    I need to manage access for LAN-to-LAN VPNs with dynamic IP addresses.
    The problem is how to discriminate the VRF for the ISAKMP profile match.
    What advice can you give me? I found this attached file to run it?
    But I wonder how it is possible to end up in the correct VRF if there is a discriminator? I thought to associate preshared-key access with different VRFs:
    VRF1 presharek 123cisco vrf1-address 0.0.0.0 0.0.0.0
    VRF1 presharek 123cisco vrf2-address 0.0.0.0 0.0.0.0

    Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.
    One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.
    This document helps you configure VRF aware IPSec.
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1158006

  • VRF-Aware SNMP Monitoring

    Hello,
    I have a few routers w/ VRF-Aware IPsec tunnels. I'm wondering if I can monitor all my tunnels, from all VRFs, with a single SNMP poll? CISCO-IPSEC-FLOW-MONITOR-MIB, CISCO-IPSEC-MIB, and CISCO-IPSEC-POLICY-MAP-MIB do not give me data for the sum of all of my VRFs. Please advise.
    Thanks!
    Lehi

    See http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_iimib.html . Assuming you're running the correct version of code, you can get VRF-aware CISCO-IPSEC-FLOW-MONITOR-MIB and CISCO-IPSEC-MIB support. You will need to make sure you have configured your device to allow for VRF-based SNMP polling. The VRF instances will not show sum totals for the system. To get that, you will need to poll using a non-VRF community string.

  • VRF aware VPN

    Hi,
    I'm trying to set up different types of VRF-aware VPN and I have a problem with below one:
    FVRF=VRF1 and IVRF=global, no VRF
    There are 2 routers with Loopback1 (global VRF) and gig0/0 (vrf FVRF). When I ping between Loop1's I see ISAKMP and IPsec SAs are up but I don't receive an echo reply
    Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1#sh cry
    r1#sh crypto ip
    r1#sh crypto ipsec sa
    interface: GigabitEthernet0/0
        Crypto map tag: MAPA, local addr 10.0.0.1
       protected vrf: FVRF
       local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
       current_peer 10.0.0.2 port 500
         PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0xCF660D5A(3479571802)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x66992BE3(1721314275)
    r1# 
    I added static routes on r1 and r2 but apparently I missed something else:
    r1:
    ip route 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2
    r2:
    ip route 11.11.11.11 255.255.255.255 GigabitEthernet0/0 10.0.0.1
    Any suggestions?
    Hubert

    Hi,
    yes, I have the static route:
    r1#sh run | i route
    ip source-route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.0.2
    r1#sh ip ro
    r1#sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 10.0.0.2 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 10.0.0.2, GigabitEthernet0/0
          11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        11.11.11.0/24 is directly connected, Loopback1
    L        11.11.11.11/32 is directly connected, Loopback1
    r1#sh ip route vr
    r1#sh ip route vrf FVRF
    Routing Table: FVRF
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is not set
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        10.0.0.0/24 is directly connected, GigabitEthernet0/0
    L        10.0.0.1/32 is directly connected, GigabitEthernet0/0
    r1#
    The problem is I can't specify 'global' vrf in the route statement. When I tested a bit different case scenario everything worked fine:
    a) Loop1 (vrf=IVRF) -- gig0/0 (global vrf) <-> gig0/0 (global vrf) -- Loop1 (vrf=IVRF)
      11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I just added:
    ip route vrf IVRF 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2 global
    b) With 2 VRFs:
    Loop1 (vrf=IVRF) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (vrf=IVRF)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I added:
    ip route vrf FVRF 0.0.0.0 0.0.0.0 10.0.0.1
    ip route vrf IVRF 0.0.0.0 0.0.0.0 FastEthernet0/0 10.0.0.1
    So, the problem I have, is only when Loopback interfaces are in global VRF and physical interfaces vrf=FVRF:
    Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I wonder if Cisco supports such a scenario.
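
As an added example (not from any of the posts above, and not Cisco code), this Python script parses `show crypto ipsec sa` text such as the two outputs quoted in the threads above and flags one-way or lopsided encaps/decaps counters, plus a `protected vrf` that differs from the inner VRF the operator intended. The names `parse_ipsec_sa` and `diagnose`, the 0.8 symmetry threshold and the mapping of `(none)` to `global` are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: two SA entries trimmed from the `show crypto ipsec sa`
# outputs quoted on this page and joined into one text (not a live capture).
SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: OUR-MAP, local addr 30.0.0.2
   protected vrf: test
   local  ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 20.0.0.1 port 500
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #send errors 0, #recv errors 0
interface: GigabitEthernet0/0
    Crypto map tag: MAPA, local addr 10.0.0.1
   protected vrf: FVRF
   local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
   current_peer 10.0.0.2 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0
"""


@dataclass
class SaFlow:
    interface: str
    crypto_map: str = ""
    vrf: str = ""            # `protected vrf`: the inner VRF (IVRF) of the SA
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


def parse_ipsec_sa(text):
    """Return one SaFlow per `protected vrf:` entry in the command output."""
    flows, iface, cmap, cur = [], "", "", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            iface = line.split(":", 1)[1].strip()
        elif m := re.match(r"Crypto map tag: ([^,]+),", line):
            cmap = m.group(1)
        elif line.startswith("protected vrf:"):
            vrf = line.split(":", 1)[1].strip()
            # Assumption: IOS prints "(none)" when the inner VRF is global.
            vrf = "global" if vrf == "(none)" else vrf
            cur = SaFlow(interface=iface, crypto_map=cmap, vrf=vrf)
            flows.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"(local|remote)\s+ident .*:\s*\((.+)\)", line):
            setattr(cur, f"{m.group(1)}_ident", m.group(2))
        elif m := re.match(r"current_peer (\S+)", line):
            cur.peer = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            cur.encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            cur.decaps = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return flows


def diagnose(flow, expected_ivrf=None, min_ratio=0.8):
    """Return a list of findings for one SA; an empty list means it looks healthy."""
    findings = []
    if expected_ivrf is not None and flow.vrf != expected_ivrf:
        findings.append("ivrf-mismatch")      # SA protects a different inner VRF
    if flow.encaps == 0 and flow.decaps == 0:
        findings.append("idle")               # SA is up but carries no traffic
    elif flow.encaps == 0:
        findings.append("inbound-only")       # replies leave unencrypted or not at all
    elif flow.decaps == 0:
        findings.append("outbound-only")      # nothing comes back through the tunnel
    elif min(flow.encaps, flow.decaps) / max(flow.encaps, flow.decaps) < min_ratio:
        findings.append("asymmetric")         # part of the traffic is lost one way
    if flow.send_errors or flow.recv_errors:
        findings.append("errors")
    return findings


if __name__ == "__main__":
    # Intended inner VRFs per the two posts: "test" and the global table.
    for flow, ivrf in zip(parse_ipsec_sa(SAMPLE), ["test", "global"]):
        print(flow.crypto_map, flow.vrf, flow.peer,
              flow.encaps, flow.decaps, diagnose(flow, ivrf))
```

With zero send/recv errors in both outputs, the findings point at routing or VRF selection for the return path rather than at the crypto engine.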

  • VRF aware GET-VPN Group-member

    Hi,
    we want to configure the following on some of our routers.
    3 VRF-lite (before it has been 3 separate routers)
    For each VRF we have to use a separate GDOI-Group, different PSKs.
    The KS for the different GDOI Groups is the same addresses (central resource reachable from every VRF).
    I know that I can configure per GDOI-Group a "client registration interface ..." which can be an interface in a VRF.
    To configure the same KS-address for different GDOI-groups seems to be not possible
    crypto gdoi group GROUP-1
     identity number 1111111
     server address ipv4 22.198.255.29
     server address ipv4 22.198.255.33
    crypto gdoi group GROUP-2
     identity number 2222222
     server address ipv4 22.198.255.29
     server address ipv4 22.198.255.33
    As soon as I configure the KS for GROUP-2 I get an error-message that the KS is already configured.
    We can configure different ISAKMP-Profiles (vrf aware), but GDOI-GROUP configuration seems not to be VRF aware.
    Is there a way to achieve using the same KS-Address for different Groups in different VRFs?
    Thx
    Hubert

    Hi Naman, I think there is a misunderstanding of my problem.
    On the branch-routers I have two VRFs. In each VRF I have to configure GET-VPN-GM.
    The KS are on central routers in each VRF but they do have the same IP-address (we use overlapping address-space in both VRFs)
    Configuration is like the following
    ip vrf VRF_10
     rd 10:0
     route-target export 10:0
     route-target import 10:0
     maximum routes 1000 warning-only
    ip vrf VRF_12
     rd 12:0
     route-target export 12:0
     route-target import 12:0
     maximum routes 1000 warning-only
    The problem is that we would have to configure two different ISAKMP-PSK for the same Server-Address, and that's not possible
    crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.161.255.33
    crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.109.255.45
    crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.161.255.33
    crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.109.255.45
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
     lifetime 1200
    crypto gdoi group GROUP-10
     identity number 101010
     server address ipv4 22.161.255.33
     server address ipv4 22.109.255.45
     client registration interface Loopback0
    crypto gdoi group GROUP-12
     identity number 121212
     server address ipv4 22.161.255.33
     server address ipv4 22.109.255.45
     client registration interface Loopback1
    crypto map MAP-10-SECURE-WAN local-address Loopback0
    crypto map MAP-10-SECURE-WAN 10 gdoi
     set group GROUP-10
    crypto map MAP-12-SECURE-WAN local-address Loopback0
    crypto map MAP-12-SECURE-WAN 10 gdoi
     set group GROUP-12
    interface Loopback1
     ip vrf forwarding VRF_10
     ip address 10.10.10.45 255.255.255.252
    interface Loopback1
     ip vrf forwarding VRF_12
     ip address 12.12.12.45 255.255.255.252
    interface gig0/1.10
     ip vrf forwarding VRF_10
     crypto map MAP-10-SECURE-WAN
    interface gig0/1.12
     ip vrf forwarding VRF_12
     crypto map MAP-12-SECURE-WAN
    So my idea was to configure the PSKs per VRF via an ISAKMP-Profile (where I can define VRFs)
    ip vrf VRF_10
     rd 10:0
     route-target export 10:0
     route-target import 10:0
     maximum routes 1000 warning-only
    ip vrf VRF_12
     rd 12:0
     route-target export 12:0
     route-target import 12:0
     maximum routes 1000 warning-only
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
     lifetime 1200
    crypto keyring ISAKMP_KEY_GETVPN_10
      local-address Loopback0
      pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!101010
      pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!101010
    crypto keyring ISAKMP_KEY_GETVPN_12
      local-address Loopback1
      pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!121212
      pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!121212
    crypto isakmp profile ISAKMP_PROFILE_GETVPN_10
       vrf VRF_10
       keyring ISAKMP_KEY_GETVPN_10
       self-identity address
       match identity address 22.161.255.33 255.255.255.255
       match identity address 22.109.255.45 255.255.255.255
       keepalive 20 retry 2
       local-address Loopback0
    crypto isakmp profile ISAKMP_PROFILE_GETVPN_12
       vrf VRF_12
       keyring ISAKMP_KEY_GETVPN_12
       self-identity address
       match identity address 22.161.255.33 255.255.255.255
       match identity address 22.109.255.45 255.255.255.255
       keepalive 20 retry 2
       local-address Loopback1
    crypto gdoi group GROUP-10
     identity number 101010
     server address ipv4 22.161.255.33
     server address ipv4 22.109.255.45
     client registration interface Loopback0
    crypto gdoi group GROUP-12
     identity number 121212
     server address ipv4 22.161.255.33
     server address ipv4 22.109.255.45
     client registration interface Loopback1
    crypto map MAP-10-SECURE-WAN local-address Loopback0
    crypto map MAP-10-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_10
    crypto map MAP-10-SECURE-WAN 10 gdoi
     set group GROUP-10
    crypto map MAP-12-SECURE-WAN local-address Loopback1
    crypto map MAP-12-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_12
    crypto map MAP-12-SECURE-WAN 10 gdoi
     set group GROUP-12
    But it seems it does not work !!!
    Any idea ?
    Thx in Advance
    Hubert
