Seamless migration of cryptomap ipsec setup to vrf aware environment?

hi out there
We are in a migration phase from a vpn router with a non-vrf aware setup to a router with a vrf aware setup. I expected that I was able to do this more or less seamless by adding the wan-interface from the vrf ware router to the same hsrp Group as the non-vrf aware router and the just raise the priority of the vrf aware router when we had a time slot for migrating the environment. But when I added the interface for the vrf aware router to the hsrp Group of the non-vrf aware router  the vrf-aware router suddenly started to "mal-function" - it had two other interfaces running with vpn connections and those sessions started to crash.
Since this is a production env I hadn't time to debug what happened but I just quickly rolled-back what I had done and everything looked ok and stable Again. But - can some here give me a guess of what had happened?
the setup I had on the non-vrf aware router was this:
interface GigabitEthernet0/0/0
ip address 19.41.10.13 255.255.255.128
standby 68 ip 19.41.10.14
 standby 68 priority 110
 standby 68 preempt
 standby 68 authentication xxxx
 standby 68 name asp
crypto map cm-cvn001 redundancy asp
and on the vrf aware env:
interface GigabitEthernet0/0/3
ip address 19.41.10.28 255.255.255.128
 vrf forwarding INTERNET3
 standby 68 ip 19.41.10.14
 standby 68 priority 50
 standby 68 preempt
 standby 68 authentication xxxx
 standby 68 name asp
crypto map IPSECMAP3 redundancy asp

Hi JouniForss
Thanks for replying!
Looks like I left in some public IP's by mistake.
I have edited this to hopefully make it clear.

Similar Messages

  • Vrf aware dynamic ipsec

    Hi
    I need to setup a VRF aware IPSec that can take requests from dynamic (unspecified) sources. This is basically like enabling a home user to connect to his MPLS VPN network with a service provider. Please help with the SP network config, not the CPE.
    An appropriate link will also help.

    Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.
    One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.
    This document helps you configure VRF aware IPSec.
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1158006

  • %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /x.x.x.x, src_addr= x.x.x.x, prot= 47

    Hi ,
    I am want to crerate a GREover IPsec Tunnel between Cisco ASR 1002 and cisco 3900 i am getting the below error.
    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /x.x.x.x, src_addr= x.x.x.x, prot= 47
    I have attached the configuration file as well currently working on tunnel 117.
    Site A already have some tunnels up and running but only tunnel 117 is not working which i created now on ASR 1002.
    CAN ANYONE LET ME KNOW WHAT I AM FACING AN ISSUE.

    The first issue that I note is that you have applied the crypto map on the tunnel interface as well as on the physical interface. While there are perhaps still some examples that show this they are based on the operation of quite old IOS versions. The code that you are now running expects the crypto map to be applied only on the physical interface. I suggest that you remove the crypto map from the tunnel interfaces. Try that and let us know if the behavior changes.
    HTH
    Rick

  • DMVPN + VRF-Aware IPSec

    Hi,
    Can we club DMVPN and VRF-Aware IPsec features ?
    Regards
    Mahesh

    Million thanks for this.
    This now works after disabling CEF on the public facing interface.
    Regards,
    Zahid

  • 2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput

    We have a couple of new 2821s deployed across a fibre link and they were originally running 12.4 (non T) versions using software encryption. We would get around 8Mb/s throughput. Upgrading to T to use the installed AIM cards we now see the AIM cards in use (show cry isakmp sa det shows then engine as aim vpn), but we still get the same throughput and high CPU. allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of vrf aware ipsec - or any other suggestions?

    Hi Nick,
    I am having the same issue. We have a 2851 as a IPSEC VPN headend with an AIM VPN module but we are seeing high CPU usage(80%) with just 4-5mbps worth of traffic. I have an idea that I might have a NAT issue.
    We are currently running, NAT, ZFW, and IPSEC site 2 site VPN on the router.
    When I look at my ZONE firewall policy-map output it is showing all of my VPN traffic as process switched.
    Inspect
    Packet inspection statistics [process switch:fast switch]
    tcp packets: [14809800:0]
    udp packets: [145107:0]
    icmp packets: [20937:12]
    I have disabled the ZFW and still see high cpu although it is a little lower.
    Packets are not fragmented, CEF and fast switching looks to be enabled. I am using a route-map for my nonats. That is the only thing I can think of now.
    I have tried IOS 12.4(20)T3,4 and 12.4(15)T9. Same results.
    Anyone have some ideas?

  • Vrf Aware IPSEC

    Hi
    i am trying something inline with title mentioned but i m getting stuck up in getting my vpnclient establish the connectivity with my IPE box which is 7206.
    i have tried establishing the dynamic ipsec with my 6513 box configured to accept the same where its working fine w/o any issues but my bad luck i dont have a compatible ios to tune my 6513 box to support vrf aware ipsec and since i hv my 7206 supports the same functionality i didnt want 6513 to cater that feature.
    i hve even tried the same config of normal plain dynamic ipsec which i hv tried in 6513 switch but still i m getting into the same problem.
    i m getting remote peer is no longer responding in my vpn client.
    i m attching the config of my ipe box herewith this msg,pls do suggest how do i proceed to make it thru coz i m gone out of ideas and gone totally dry
    (coz trying/cracking this continously for hrs together..) :-(
    regds

    Hi
    thx a lot i got it working ,but do revert how come the same is working fine without any issues in my 6513 box without the above mentioned command.thtsy i got stumpeddd :-(
    any compatibility issues or any specifics been put to add this syntax in 7206 boxes alone ?coz i m aware of some boxes even in production network running dynamic ipsec stuffs without the above mentioned command..
    regds

  • VRF-Aware IPSec for Remote Access

    Dear All,
    Has anyone successfully implemented VRF-Aware IPSec for Remote Access ?
    I am trying to implement this feature on a PE which has MPLS enabled
    on the Internet facing interface.
    With the config below, I am being able to establish an IPSEc tunnel but not being able to PING the VRF interface configured on the same PE.
    I will be really grateful for any comment or any pointers for what could
    be possibly wrong with the configuration below:
    aaa new-model
    aaa authentication login USER-AUTHENTICATION local
    aaa authorization network GROUP-AUTHORISATION local
    crypto keyring test-1
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group test-1
    key test-1
    domain test.com
    pool cpe-1
    acl 101
    crypto isakmp profile test-1
    vrf test-1
    keyring test-1
    match identity group test-1
    client authentication list USER-AUTHENTICATION
    isakmp authorization list GROUP-AUTHORISATION
    client configuration address initiate
    client configuration address respond
    client configuration group test-1
    crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
    ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
    crypto dynamic-map test-1 1
    set transform-set test-1
    set isakmp-profile test-1
    reverse-route remote-peer
    Internet facing interface
    interface GigabitEthernet4/0/0
    ip address x.x.x.x 255.255.255.240
    ip router isis
    mpls ip
    crypto map IPSEC-AWARE-VRF
    Customer facing interface
    interface GigabitEthernet1/0/0.1
    encapsulation dot1Q 100
    ip vrf forwarding test-1
    ip address 110.110.110.1 255.255.255.0
    Kind regards,
    ZH

    Million thanks for this.
    This now works after disabling CEF on the public facing interface.
    Regards,
    Zahid

  • VRF-Aware IPsec with a Dynamic VTI

    Hello
    I am trying to configure VRF-aware IPSEC with e Dynamic VTI. I follow the guidelines from the document
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-2mt/sec-ipsec-virt-tunnl.html#GUID-C0A165BF-5866-4B13-BD73-0892B7E65488
    Acording to the example: "VRF-Aware IPsec with a Dynamic VTI When VRF is Configured Under an ISAKMP Profile" I should be able to configure both the vrf and virtual-template features under the same crypto isakmp policy.
    Unfortunalety, if I try to do that, I receive the following message
    R4(conf-isa-prof)#virtual-template 1
    % VRF already set for isakmp profile. Virtual Template not allowed
    Does anyody know why I am not able to follow the configuration from this example?
    My profile confguration, and the virtual-template configuration are as follows
    crypto isakmp profile A
       vrf A
       keyring A
       match identity address 192.168.0.2 255.255.255.255
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback2
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile A
    I am doing the test on the IOS 12.4(11)XW3 runningon 3725 router.
    Thank you in advance for any hints.
    Regards
    Lukas

    Lukas,
    I'm not sure but most likely this was not yet supported in 12.4.
    The document you refer to is for IOS 15.2. I don't know by heart if your 3715 can run 15.2, otherwise give 15.1(4)Mx a try ?
    hth
    Herbert

  • Vrf aware dmvpn with ipsec profile breaks while enabling authentication in EIGRP named mode

    Hi Friends,
    I build a vrf aware dmvpn using IPSec profile and I got the DMVPN and IPSec crypto as UP and able to do advertise using EIGRP.
    But the crypto and DMVPN breaks while I enabled the authentication in EIGRP named mode.
    Once i remove the authentication, it works fine.
    Any advice, how to solve this issue ? Any crypto commands need to add to make this work ?
    Regards
    Riyas Rasheed

    Hi,
    I attached the config I did, till I apply the authentication in EIGRP,
    once I applied the below config, the dmvpn will break
    ""router eigrp EIGRP
    add ipv4 autonom 45678
    af-interface tu0
    authentication mode hmac-sha256 KEY""
    See any more configs I need to add in the crypto to make the dmvpn  up.
    Thanks

  • IPSec VRF Aware (Crypto Map)

    Hello!
    I have some problem with configuring vrf aware Ipsec (Crypto Map).
    Any traffic (from subnet 10.6.6.248/29) do not pass trouth router, but if i run command "ping vrf inside 10.5.5.1 source gi 0/1.737" it working well.  
    Configuration below:
    ip vrf outside
     rd 1:1
    ip vrf inside
     rd 2:2
    track 10 ip sla 10 reachability
    ip sla schedule 10 life forever start-time now
    crypto keyring outside vrf outside 
      pre-shared-key address 10.10.10.100 key XXXXXX
    crypto isakmp policy 20
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 periodic
    crypto isakmp profile AS_outside
       vrf inside
       keyring outside
       match identity address 10.10.10.100 255.255.255.255 outside
       isakmp authorization list default
    crypto ipsec transform-set ESP-AESesp-aes 256 esp-sha-hmac 
     mode tunnel
    crypto ipsec df-bit clear
    crypto map outside 10 ipsec-isakmp 
     set peer 10.10.10.100
     set security-association idle-time 3600
     set transform-set ESP-AES 
     set pfs group2
     set isakmp-profile AS_outside
     match address inside_access
    ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
    ip access-list extended inside_access
     permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
    icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
     vrf outside
    interface GigabitEthernet0/0.806
    ip vrf forwarding outside
    ip address 10.10.10.101 255.255.255.0
    crypto-map outside
    interface GigabitEthernet0/1.737
    ip vrf forwarding inside
    ip address 10.6.6.252 255.255.255.248

    Hello Frank!
    >>  1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
    I tried it before. Nothing changes.
    >> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
    It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
    show command below:
    ISR-vpn-1#show ip cef vrf inside exact-route  10.6.6.254 10.5.5.1
     10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
    ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal                
    10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
      sources: RIB 
      feature space:
       NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
      ifnums:
       GigabitEthernet0/0.806(24): 10.10.10.100
      path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
      nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
      output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)

  • Migrate GL config from one envrionment to another environment

    Hi,
    How do you migrate the GL config setups from one client to another new client. LDT files are used for programs and users etc..

    Hi
    You can export model from one VC, there is export option. Store this on your client machine / desktop.
    Loggin to new VC/EP create model there & Import the saved VC model model to this new system. You need to make sure that all BI queries/ BI Connections are there in your new setup. otherwise imported model will not get deployed.
    Regards
    Sandeep

  • VRF Aware DVTI and PKI

    Hi,
    i´ve try to get an dynamic VTI with VRF Aware on the HUB Router and PKI for Authentication.
    My Problem is, that Phase1 works fine, but Phase2 doesn´t came up.
    debug crypto isakmp
    Feb  7 09:46:09.439: ISAKMP:(20175): IPSec policy invalidated proposal with error 32
    Feb  7 09:46:09.439: ISAKMP:(20175): phase 2 SA policy not acceptable! (local a.b.c.d remote e.f.g.h)
    The proposals are OK.
    Here are the config parts.
    crypto isakmp profile P1
       ca trust-point VPN
       match certificate CERMAP1
       virtual-template 11
    crypto ipsec profile P1
    set transform-set AES256
    set isakmp-profile P1
    interface Virtual-Template11 type tunnel
    vrf forwarding <VRF Name>
    ip unnumbered Loopback0
    ip virtual-reassembly in
    tunnel mode ipsec ipv4
    tunnel vrf OUTSIDE_VTI
    tunnel protection ipsec profile P1
    Have any one of you a working configuration with this parameters or an idea, what i can do ?
    The Virtual-Template Interface ist up/down and no interface virtual-acces was created.
    Many Thanks !!!

    This is the output from debug crypto isakmp....
    Feb 7 18:41:37.048: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (N) NEW SA
    Feb 7 18:41:37.048: ISAKMP: Created a peer struct for a.b.c.d, peer port 500
    Feb 7 18:41:37.048: ISAKMP: New peer created peer = 0x3D83A580 peer_handle = 0x8000025B
    Feb 7 18:41:37.048: ISAKMP: Locking peer struct 0x3D83A580, refcount 1 for crypto_isakmp_process_block
    Feb 7 18:41:37.048: ISAKMP: local port 500, remote port 500
    Feb 7 18:41:37.048: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2107EC78
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    Feb 7 18:41:37.048: ISAKMP:(0): processing SA payload. message ID = 0
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
    Feb 7 18:41:37.048: ISAKMP : Scanning profiles for xauth ... RTR2
    Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Feb 7 18:41:37.048: ISAKMP: encryption AES-CBC
    Feb 7 18:41:37.048: ISAKMP: keylength of 256
    Feb 7 18:41:37.048: ISAKMP: hash SHA
    Feb 7 18:41:37.048: ISAKMP: default group 2
    Feb 7 18:41:37.048: ISAKMP: auth RSA sig
    Feb 7 18:41:37.048: ISAKMP: life type in seconds
    Feb 7 18:41:37.048: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    Feb 7 18:41:37.048: ISAKMP:(0):atts are acceptable. Next payload is 0
    Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:actual life: 0
    Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:life: 0
    Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa vpi_length:4
    Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0):Returning Actual lifetime: 86400
    Feb 7 18:41:37.048: ISAKMP:(0)::Started lifetime timer: 86400.
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
    Feb 7 18:41:37.048: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Feb 7 18:41:37.048: ISAKMP:(0): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_SA_SETUP
    Feb 7 18:41:37.048: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
    Feb 7 18:41:37.088: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (R) MM_SA_SETUP
    Feb 7 18:41:37.092: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.092: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
    Feb 7 18:41:37.092: ISAKMP:(0): processing KE payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(0): processing NONCE payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(20308): processing CERT_REQ payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(20308): peer wants a CT_X509_SIGNATURE cert
    Feb 7 18:41:37.092: ISAKMP:(20308): peer wants cert issued by cn=RTR1,o=company,c=de
    Feb 7 18:41:37.092: Choosing trustpoint VPN as issuer
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is DPD
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): speaking to another IOS box!
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID seems Unity/DPD but major 28 mismatch
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is XAUTH
    Feb 7 18:41:37.092: ISAKMP:received payload type 20
    Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
    Feb 7 18:41:37.092: ISAKMP:received payload type 20
    Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
    Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM3
    Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP (20308): constructing CERT_REQ for issuer cn=RTR1,o=company,c=de
    Feb 7 18:41:37.092: ISAKMP:(20308): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Feb 7 18:41:37.092: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM4
    Feb 7 18:41:37.164: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) MM_KEY_EXCH
    Feb 7 18:41:37.164: ISAKMP:(20308):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.164: ISAKMP:(20308):Old State = IKE_R_MM4 New State = IKE_R_MM5
    Feb 7 18:41:37.164: ISAKMP:(20308): processing ID payload. message ID = 0
    Feb 7 18:41:37.164: ISAKMP (20308): ID payload
    next-payload : 6
    type : 2
    FQDN name : RTR2.customer.de
    protocol : 17
    port : 0
    length : 30
    Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
    Feb 7 18:41:37.164: ISAKMP:(20308): processing CERT payload. message ID = 0
    Feb 7 18:41:37.164: ISAKMP:(20308): processing a CT_X509_SIGNATURE cert
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): peer's pubkey is cached
    Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): Unable to get DN from certificate!
    Feb 7 18:41:37.168: ISAKMP:(20308): processing SIG payload. message ID = 0
    Feb 7 18:41:37.168: ISAKMP:(20308): processing NOTIFY INITIAL_CONTACT protocol 1
    spi 0, message ID = 0, sa = 0x2107EC78
    Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
    authenticated
    Feb 7 18:41:37.168: ISAKMP:(20308):SA has been authenticated with a.b.c.d
    Feb 7 18:41:37.168: ISAKMP:(20308):Detected port floating to port = 20962
    Feb 7 18:41:37.168: ISAKMP: Trying to find existing peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI
    Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
    authenticated
    Feb 7 18:41:37.168: ISAKMP:(20308): Process initial contact,
    bring down existing phase 1 and 2 SA's with local e.f.g.h remote a.b.c.d remote port 20962
    Feb 7 18:41:37.168: ISAKMP: Trying to insert a peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI, and inserted successfully 3D83A580.
    Feb 7 18:41:37.168: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.168: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_R_MM5
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308):My ID configured as IPv4 Addr, but Addr not in Cert!
    Feb 7 18:41:37.168: ISAKMP:(20308):Using FQDN as My ID
    Feb 7 18:41:37.168: ISAKMP:(20308):SA is doing RSA signature authentication using id type ID_FQDN
    Feb 7 18:41:37.168: ISAKMP (20308): ID payload
    next-payload : 6
    type : 2
    FQDN name : RTR1.company.de
    protocol : 17
    port : 0
    length : 26
    Feb 7 18:41:37.168: ISAKMP:(20308):Total payload length: 26
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.172: ISAKMP:(20308): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.172: ISAKMP (20308): constructing CERT payload for hostname=RTR1.company.de,cn=RTR1,o=company,c=DE
    Feb 7 18:41:37.172: ISAKMP:(20308): using the VPN trustpoint's keypair to sign
    Feb 7 18:41:37.176: ISKAMP: growing send buffer from 1024 to 3072
    Feb 7 18:41:37.176: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) MM_KEY_EXCH
    Feb 7 18:41:37.180: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308): IKE->PKI End PKI Session state (R) QM_IDLE (peer a.b.c.d)
    Feb 7 18:41:37.180: ISAKMP:(20308): PKI->IKE Ended PKI session state (R) QM_IDLE (peer a.b.c.d)
    Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    Feb 7 18:41:37.208: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) QM_IDLE
    Feb 7 18:41:37.208: ISAKMP: set new node -1302683506 to QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308): processing HASH payload. message ID = 2992283790
    Feb 7 18:41:37.212: ISAKMP:(20308): processing SA payload. message ID = 2992283790
    Feb 7 18:41:37.212: ISAKMP:(20308):Checking IPSec proposal 1
    Feb 7 18:41:37.212: ISAKMP: transform 1, ESP_AES
    Feb 7 18:41:37.212: ISAKMP: attributes in transform:
    Feb 7 18:41:37.212: ISAKMP: encaps is 3 (Tunnel-UDP)
    Feb 7 18:41:37.212: ISAKMP: SA life type in seconds
    Feb 7 18:41:37.212: ISAKMP: SA life duration (basic) of 3600
    Feb 7 18:41:37.212: ISAKMP: SA life type in kilobytes
    Feb 7 18:41:37.212: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    Feb 7 18:41:37.212: ISAKMP: authenticator is HMAC-SHA
    Feb 7 18:41:37.212: ISAKMP: key length is 256
    Feb 7 18:41:37.212: ISAKMP:(20308):atts are acceptable.
    Feb 7 18:41:37.212: ISAKMP:(20308): IPSec policy invalidated proposal with error 32
    Feb 7 18:41:37.212: ISAKMP:(20308): phase 2 SA policy not acceptable! (local e.f.g.h remote a.b.c.d)
    Feb 7 18:41:37.212: ISAKMP: set new node -809943149 to QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 573410632, message ID = 3485024147
    Feb 7 18:41:37.212: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.212: ISAKMP:(20308):purging node -809943149
    Feb 7 18:41:37.212: ISAKMP:(20308):deleting node -1302683506 error TRUE reason "QM rejected"

  • VRF aware Remote Access on ZBF

    Hello,
    In our environment we have a Zone based firewall on CIsco ASR 1000 XE router, terminating normal IPsec VPN sessions on ZBF. The router has one outgoing physical interface (g0/0/0) connected to ISP as outside Interface and multiple Interfaces on the Inside network on Port channels VLAN/VRF.
    The remote access VPN (Easy VPN) is applied using crypto map configuration on the interface connected to ISP.
    Now, there was also a requirement to provide IPSec termination on the same physical inteface g0/0/0 to a different customer via a VRF aware Remote access. Two configuration templates were implemented with similar results. IPSec Tunnel comes up fine for the VRF profile but tunnel cannot pass traffic. Ping from IPsec client to an IP address on the Inside network times out and trace route shows that this gets dropped somwhere in the ISP cloud.
    Configuration 1 - Crypto Dynamic Map
    crypto isakmp policy 15
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp client configuration group admin-vpn
    key _____
    pool vpn-pool
    acl VPN-LIST
    crypto isakmp client configuration group centralsTEMP-vpn
    key __________
    pool centrals vpn-pool
    acl VPN-LIST
    crypto isakmp profile softclient
       match identity group admin-vpn
       client authentication list userauth
       isakmp authorization list groupauthor
       client configuration address respond
    crypto isakmp profile centralsoftclient
       vrf Branch
       match identity group branch-vpn
       client authentication list userauth
       isakmp authorization list groupauthor
       client configuration address respond
    crypto ipsec transform-set SECURITYSET esp-aes esp-md5-hmac
    mode tunnel
    crypto ipsec transform-set branchtemp esp-aes esp-md5-hmac
    mode tunnel
    crypto dynamic-map  branchvpn 10
    set transform-set branchtemp
    set isakmp-profile centralsoftclient
    reverse-route
    crypto dynamic-map vpnmap 10
    set transform-set SECURITYSET
    set isakmp-profile softclient
    crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap ---> Normal VPN
    crypto map vpnmap 20 ipsec-isakmp dynamic branchvpn --> IPSec Aware VPN
    crypto map vpnmap
    Configuration 2 - DVTI
    crypto ipsec profile branchclient
    set transform-set branchtemp
    crypto isakmp profile centralsoftclient
       vrf global
       match identity group centralsTEMP-vpn
       client authentication list userauth
       isakmp authorization list groupauthor
       client configuration address respond
       virtual-template 2
    interface Virtual-Template2 type tunnel
    ip vrf forwarding branch
    ip unnumbered GigabitEthernet0/0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile branchclient
    Please advise if there is any VPN related configuration issue or a Zone based firewall issue.

    Hi Marcin,
    Thank you very much for your response and actually, we did open a TAC and the problem was resolved using Crypto Map dynamic configurations for both Standard and IPSec aware VPN's. Some specific policies on ZBF were tweaked (for example echo-reply packet inspection was deleted(configured for Pass) and also some access-lists which had unwanted entries  were cleaned up.
    Thanks again for your help.
    Best Regards,
    Mohan

  • VRF-Aware SNMP Monitoring

    Hello,
    I have a few routers w/ VRF-Aware IPsec tunnels. I'm wondering if I can monitor all my tunnels, from all VRFs, with a single SNMP poll? CISCO-IPSEC-FLOW-MONITOR-MIB, CISCO-IPSEC-MIB , and CISCO-IPSEC-POLICY-MAP-MIB do not give me data for the sum all all of my VRFs. Please advise.
    Thanks!
    Lehi

    See http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_iimib.html . Assuming you're running the correct version of code, you can get VRF-aware CISCO-IPSEC-FLOW-MONITOR-MIB and CISCO-IPSEC-MIB support. You will need to make sure you have configured your device to allow for VRF-based SNMP polling. The VRF instances will not show sum totals for the system. To get that, you will need to poll using a non-VRF community string.

  • VRF aware VPN

    Hi,
    I'm trying to set up different types of VRF-aware VPN and I have a problem with below one:
    FVRF=VRF1 and IVRF=global, no VRF
    there  are 2 routers with Loopback1 (global VRF) and gig0/0 (vrf FVRF). When I  ping between Loop1's I see ISAKMP and IPsec SAs are up but I don't  receive echo reply
    Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1#sh cry
    r1#sh crypto ip
    r1#sh crypto ipsec sa
    interface: GigabitEthernet0/0
        Crypto map tag: MAPA, local addr 10.0.0.1
       protected vrf: FVRF
       local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
       current_peer 10.0.0.2 port 500
         PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0xCF660D5A(3479571802)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x66992BE3(1721314275)
    r1# 
    I added static routes on r1 and r2 but apparently I missed something else:
    r1:
    ip route 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2
    r2:
    ip route 11.11.11.11 255.255.255.255 GigabitEthernet0/0 10.0.0.1
    Any suggestions?
    Hubert

    Hi,
    yes, I have the static route:
    r1#sh run | i route
    ip source-route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.0.2
    r1#sh ip ro
    r1#sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 10.0.0.2 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 10.0.0.2, GigabitEthernet0/0
          11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        11.11.11.0/24 is directly connected, Loopback1
    L        11.11.11.11/32 is directly connected, Loopback1
    r1#sh ip route vr
    r1#sh ip route vrf FVRF
    Routing Table: FVRF
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is not set
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        10.0.0.0/24 is directly connected, GigabitEthernet0/0
    L        10.0.0.1/32 is directly connected, GigabitEthernet0/0
    r1#
    The problem is I can't specify 'global' vrf in the route statement. When I tested a bit different case scenario everything worked fine:
    a) Loop1 (vrf=IVRF) -- gig0/0 (global vrf) <-> gig0/0 (global vrf) -- Loop1 (vrf=IVRF)
      11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I just added:
    ip route vrf IVRF 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2 global
    b) With 2 VRFs:
    Loop1 (vrf=IVRF) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (vrf=IVRF)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I added:
    ip route vrf FVRF 0.0.0.0 0.0.0.0 10.0.0.1
    ip route vrf IVRF 0.0.0.0 0.0.0.0 FastEthernet0/0 10.0.0.1
    So, the problem I have, is only when Loopback interfaces are in global VRF and physical interfaces vrf=FVRF:
    Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I wonder if Cisco supports such scenario.

Maybe you are looking for