Troubles using VRF-aware IPsec w/ crypto maps

I'm trying to get a lab setup to work with a C2951 (15.2(4)M4) peering with an ASA 5510 (9.1(2)). The config is based on crypto maps, since I want the C2951 to be the initiating side, and as far as I understand, VTIs wouldn't be working together with the ASA due to the default 'any' crypto statements that are being applied on SVTIs.
So I've set up this IKEv1-, crypto map-based lab, and the tunnel strictly won't come up; it seems that crypto doesn't find any interesting traffic at all (no debug crypto isakmp output pops up).
What I'm doing for testing is issuing a VRF Ping from a loopback interface of the C2951. I was following the following cheat sheet to configure the IOS box:
https://supportforums.cisco.com/docs/DOC-13524
Please see the attached config files and the setup drawing.
This is the way I'm testing it:
C2951#sh deb
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
C2951#
C2951#ping vrf test 10.0.0.1 source lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.0.1
Success rate is 0 percent (0/5)
C2951#
Any hints for me, please?

There are no VRF routes left in the config, and I've cleared the global and the VRF routing table. Even rebooted the box. Still only half of the Pings get answered. There are no crypto ipsec errors, so it should have something to do with routing...but what?
C2951#sh crypto ipsec sa
interface: GigabitEthernet0/0
    Crypto map tag: OUR-MAP, local addr 30.0.0.2
   protected vrf: test
   local  ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 20.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 30.0.0.2, remote crypto endpt.: 20.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xEB02ACDA(3942821082)
     PFS (Y/N): Y, DH group: group5
     inbound esp sas:
      spi: 0x1A943A9F(445921951)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 18009, flow_id: ISM VPN:9, sibling_flags 80000040, crypto map: OUR-MAP
        sa timing: remaining key lifetime (k/sec): (4225929/3571)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xEB02ACDA(3942821082)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 18010, flow_id: ISM VPN:10, sibling_flags 80000040, crypto map: OUR-MAP
        sa timing: remaining key lifetime (k/sec): (4225928/3571)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
C2951#sh ip route 10.0.0.0
% Network not in table
C2951#sh ip route vrf test 10.0.0.0
Routing Table: test
Routing entry for 10.0.0.0/24, 1 known subnets
S        10.0.0.0 [1/0] via 20.0.0.1, GigabitEthernet0/0
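
As an added example (not part of the original posts), this Python sketch parses `show crypto ipsec sa` output like the one quoted above and classifies each protected flow by its encaps/decaps counters. The function names and diagnosis labels are assumptions made for this illustration.

```python
import re

# Constructed sample: lines trimmed from the 'show crypto ipsec sa' output quoted above.
SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: OUR-MAP, local addr 30.0.0.2
   protected vrf: test
   local  ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 20.0.0.1 port 500
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #send errors 0, #recv errors 0
"""

# One regex per field of interest; "vrf" opens a new flow record.
PATTERNS = {
    "vrf": r"protected vrf:\s*(\S+)",
    "local": r"local\s+ident\s+\([^)]*\):\s*\(([^)]+)\)",
    "remote": r"remote\s+ident\s+\([^)]*\):\s*\(([^)]+)\)",
    "peer": r"current_peer\s+(\S+)",
    "encaps": r"#pkts encaps:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "send_errors": r"#send errors\s+(\d+)",
    "recv_errors": r"#recv errors\s+(\d+)",
}
COUNTERS = {"encaps", "decaps", "send_errors", "recv_errors"}


def parse_flows(text):
    """Return one dict per protected flow, tagged with its interface and crypto map."""
    flows, ctx, flow = [], {}, None
    for line in text.splitlines():
        m = re.match(r"\s*interface:\s*(\S+)", line)
        if m:
            ctx = {"interface": m.group(1)}
            continue
        m = re.search(r"Crypto map tag:\s*([^,\s]+)", line)
        if m:
            ctx["crypto_map"] = m.group(1)
            continue
        for key, pattern in PATTERNS.items():
            m = re.search(pattern, line)
            if not m:
                continue
            if key == "vrf":
                flow = dict(ctx, vrf=m.group(1))
                flows.append(flow)
            elif flow is not None:
                flow[key] = int(m.group(1)) if key in COUNTERS else m.group(1)
    return flows


def diagnose(flow):
    """Classify a flow from its counters (labels are this example's own)."""
    enc, dec = flow.get("encaps", 0), flow.get("decaps", 0)
    if flow.get("send_errors", 0) or flow.get("recv_errors", 0):
        return "crypto-errors"
    if enc == 0 and dec == 0:
        return "no-interesting-traffic"  # nothing matched the crypto ACL yet
    if dec == 0:
        return "one-way-outbound"        # encrypted and sent, nothing decrypted
    if dec < enc:
        return "partial-return"          # e.g. 14 encaps vs 8 decaps above
    return "ok"


if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(f.get("interface"), f["vrf"], f["local"], "->", f["remote"], diagnose(f))
```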

Similar Messages

  • 2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput

    We have a couple of new 2821s deployed across a fibre link and they were originally running 12.4 (non T) versions using software encryption. We would get around 8Mb/s throughput. Upgrading to T to use the installed AIM cards we now see the AIM cards in use (show cry isakmp sa det shows the engine as aim vpn), but we still get the same throughput and high CPU. Allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of vrf aware ipsec - or any other suggestions?

    Hi Nick,
    I am having the same issue. We have a 2851 as an IPSEC VPN headend with an AIM VPN module but we are seeing high CPU usage (80%) with just 4-5mbps worth of traffic. I have an idea that I might have a NAT issue.
    We are currently running NAT, ZFW, and IPSEC site 2 site VPN on the router.
    When I look at my ZONE firewall policy-map output it is showing all of my VPN traffic as process switched.
    Inspect
    Packet inspection statistics [process switch:fast switch]
    tcp packets: [14809800:0]
    udp packets: [145107:0]
    icmp packets: [20937:12]
    I have disabled the ZFW and still see high cpu although it is a little lower.
    Packets are not fragmented, CEF and fast switching looks to be enabled. I am using a route-map for my nonats. That is the only thing I can think of now.
    I have tried IOS 12.4(20)T3,4 and 12.4(15)T9. Same results.
    Anyone have some ideas?

  • VRF-Aware IPSec for Remote Access

    Dear All,
    Has anyone successfully implemented VRF-Aware IPSec for Remote Access ?
    I am trying to implement this feature on a PE which has MPLS enabled
    on the Internet facing interface.
    With the config below, I am able to establish an IPSec tunnel but not able to ping the VRF interface configured on the same PE.
    I will be really grateful for any comment or any pointers for what could
    be possibly wrong with the configuration below:
    aaa new-model
    aaa authentication login USER-AUTHENTICATION local
    aaa authorization network GROUP-AUTHORISATION local
    crypto keyring test-1
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group test-1
    key test-1
    domain test.com
    pool cpe-1
    acl 101
    crypto isakmp profile test-1
    vrf test-1
    keyring test-1
    match identity group test-1
    client authentication list USER-AUTHENTICATION
    isakmp authorization list GROUP-AUTHORISATION
    client configuration address initiate
    client configuration address respond
    client configuration group test-1
    crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
    ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
    crypto dynamic-map test-1 1
    set transform-set test-1
    set isakmp-profile test-1
    reverse-route remote-peer
    Internet facing interface
    interface GigabitEthernet4/0/0
    ip address x.x.x.x 255.255.255.240
    ip router isis
    mpls ip
    crypto map IPSEC-AWARE-VRF
    Customer facing interface
    interface GigabitEthernet1/0/0.1
    encapsulation dot1Q 100
    ip vrf forwarding test-1
    ip address 110.110.110.1 255.255.255.0
    Kind regards,
    ZH

    Million thanks for this.
    This now works after disabling CEF on the public facing interface.
    Regards,
    Zahid

  • VRF-Aware IPsec with a Dynamic VTI

    Hello
    I am trying to configure VRF-aware IPSEC with a Dynamic VTI. I follow the guidelines from the document
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-2mt/sec-ipsec-virt-tunnl.html#GUID-C0A165BF-5866-4B13-BD73-0892B7E65488
    According to the example: "VRF-Aware IPsec with a Dynamic VTI When VRF is Configured Under an ISAKMP Profile" I should be able to configure both the vrf and virtual-template features under the same crypto isakmp policy.
    Unfortunately, if I try to do that, I receive the following message
    R4(conf-isa-prof)#virtual-template 1
    % VRF already set for isakmp profile. Virtual Template not allowed
    Does anybody know why I am not able to follow the configuration from this example?
    My profile configuration, and the virtual-template configuration are as follows
    crypto isakmp profile A
       vrf A
       keyring A
       match identity address 192.168.0.2 255.255.255.255
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback2
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile A
    I am doing the test on the IOS 12.4(11)XW3 running on 3725 router.
    Thank you in advance for any hints.
    Regards
    Lukas

    Lukas,
    I'm not sure but most likely this was not yet supported in 12.4.
    The document you refer to is for IOS 15.2. I don't know by heart if your 3715 can run 15.2, otherwise give 15.1(4)Mx a try ?
    hth
    Herbert

  • DMVPN + VRF-Aware IPSec

    Hi,
    Can we club DMVPN and VRF-Aware IPsec features ?
    Regards
    Mahesh


  • Vrf Aware IPSEC

    Hi
    i am trying something inline with title mentioned but i m getting stuck up in getting my vpnclient establish the connectivity with my IPE box which is 7206.
    i have tried establishing the dynamic ipsec with my 6513 box configured to accept the same where its working fine w/o any issues but my bad luck i dont have a compatible ios to tune my 6513 box to support vrf aware ipsec and since i hv my 7206 supports the same functionality i didnt want 6513 to cater that feature.
    i hve even tried the same config of normal plain dynamic ipsec which i hv tried in 6513 switch but still i m getting into the same problem.
    i m getting remote peer is no longer responding in my vpn client.
    i m attaching the config of my ipe box herewith this msg,pls do suggest how do i proceed to make it thru coz i m gone out of ideas and gone totally dry
    (coz trying/cracking this continuously for hrs together..) :-(
    regds

    Hi
    thx a lot i got it working ,but do revert how come the same is working fine without any issues in my 6513 box without the above mentioned command.thtsy i got stumpeddd :-(
    any compatibility issues or any specifics been put to add this syntax in 7206 boxes alone ?coz i m aware of some boxes even in production network running dynamic ipsec stuffs without the above mentioned command..
    regds

  • VRF-aware IPSec Issues

    Hello All
    I will be grateful if someone can assist me with this please.
    I am having issues with this setup and the VPN tunnel shows down. Can someone please advise where I may be going wrong. The test setup is as below and I have also attached the current configs.
    VPN_RTR#sh crypto session
    Crypto session current status
    Interface: GigabitEthernet0/1.84
    Session status: DOWN
    Peer: 1.1.1.2 port 500
      IPSEC FLOW: permit ip host 10.10.10.1 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map
    Interface: GigabitEthernet0/1.85
    Session status: DOWN
    Peer: 1.1.1.6 port 500
      IPSEC FLOW: permit ip host 10.10.11.1 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map

    Hello,
    Modify your ACL on both routers to identify interesting traffic which will be encrypted, in your case traffic between loopbacks in same VRF.
    INETSERV1_TEST
    ip access-list extended P1-VPN
    permit ip host 10.10.10.1 host 192.168.0.1
    ip access-list extended P3-VPN
    permit ip host 10.10.11.1 host 192.168.1.1
    VPN_RTR
    ip access-list extended P1-VPN
    permit ip host 192.168.0.1 host 10.10.10.1
    ip access-list extended P3-VPN
    permit ip host 192.168.1.1 host 10.10.11.1
    After this change, you should be able to ping between loopbacks.
    Best Regards
    Please rate all helpful posts and close solved questions
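
The reply above gives each router an ACL that is the mirror image of its peer's. As an added example (not from the original posts), this Python sketch checks that property for address-only `permit` entries. The function names are assumptions, and the "broad" ACL is constructed for illustration.

```python
import ipaddress

# ACL entries taken from the reply above.
INETSERV1_P1 = "ip access-list extended P1-VPN\n permit ip host 10.10.10.1 host 192.168.0.1"
VPN_RTR_P1 = "ip access-list extended P1-VPN\n permit ip host 192.168.0.1 host 10.10.10.1"
# Constructed for this example: an entry whose destination is "any".
CONSTRUCTED_BROAD = "permit ip host 10.10.10.1 any"


def _take_addr(tokens):
    """Pop one IOS address spec (any | host A | A wildcard) and return a network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks; flip the bits to get the netmask.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{head}/{netmask}", strict=False)


def parse_acl(text):
    """Return {(protocol, source_net, dest_net)} for every permit line."""
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "permit":
            continue  # ACL header lines and non-permit entries are ignored here
        proto, rest = tokens[1], tokens[2:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        if rest:
            # Port operators and other qualifiers are outside this example's scope.
            raise ValueError(f"unsupported qualifiers in: {line.strip()}")
        entries.add((proto, src, dst))
    return entries


def mirror_report(local_acl, peer_acl):
    """Compare the local crypto ACL with the peer's; both lists empty means mirrored."""
    local, peer = parse_acl(local_acl), parse_acl(peer_acl)
    expected = {(p, d, s) for p, s, d in local}  # swap source and destination

    def fmt(entry):
        return f"{entry[0]} {entry[1]} -> {entry[2]}"

    return {
        "missing_on_peer": sorted(fmt(e) for e in expected - peer),
        "unexpected_on_peer": sorted(fmt(e) for e in peer - expected),
    }


if __name__ == "__main__":
    print(mirror_report(INETSERV1_P1, VPN_RTR_P1))
    print(mirror_report(CONSTRUCTED_BROAD, VPN_RTR_P1))
```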

  • IPSec VRF Aware (Crypto Map)

    Hello!
    I have some problem with configuring vrf aware Ipsec (Crypto Map).
    Any traffic (from subnet 10.6.6.248/29) does not pass through the router, but if I run the command "ping vrf inside 10.5.5.1 source gi 0/1.737" it works well.
    Configuration below:
    ip vrf outside
     rd 1:1
    ip vrf inside
     rd 2:2
    track 10 ip sla 10 reachability
    ip sla schedule 10 life forever start-time now
    crypto keyring outside vrf outside 
      pre-shared-key address 10.10.10.100 key XXXXXX
    crypto isakmp policy 20
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 periodic
    crypto isakmp profile AS_outside
       vrf inside
       keyring outside
       match identity address 10.10.10.100 255.255.255.255 outside
       isakmp authorization list default
    crypto ipsec transform-set ESP-AES esp-aes 256 esp-sha-hmac
     mode tunnel
    crypto ipsec df-bit clear
    crypto map outside 10 ipsec-isakmp 
     set peer 10.10.10.100
     set security-association idle-time 3600
     set transform-set ESP-AES 
     set pfs group2
     set isakmp-profile AS_outside
     match address inside_access
    ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
    ip access-list extended inside_access
     permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
    icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
     vrf outside
    interface GigabitEthernet0/0.806
    ip vrf forwarding outside
    ip address 10.10.10.101 255.255.255.0
    crypto-map outside
    interface GigabitEthernet0/1.737
    ip vrf forwarding inside
    ip address 10.6.6.252 255.255.255.248

    Hello Frank!
    >>  1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
    I tried it before. Nothing changes.
    >> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
    It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
    show command below:
    ISR-vpn-1#show ip cef vrf inside exact-route  10.6.6.254 10.5.5.1
     10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
    ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal                
    10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
      sources: RIB 
      feature space:
       NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
      ifnums:
       GigabitEthernet0/0.806(24): 10.10.10.100
      path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
      nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
      output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)

  • Vrf aware dynamic ipsec

    Hi
    I need to setup a VRF aware IPSec that can take requests from dynamic (unspecified) sources. This is basically like enabling a home user to connect to his MPLS VPN network with a service provider. Please help with the SP network config, not the CPE.
    An appropriate link will also help.

    Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.
    One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.
    This document helps you configure VRF aware IPSec.
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1158006

  • VRF-Aware SNMP Monitoring

    Hello,
    I have a few routers w/ VRF-Aware IPsec tunnels. I'm wondering if I can monitor all my tunnels, from all VRFs, with a single SNMP poll? CISCO-IPSEC-FLOW-MONITOR-MIB, CISCO-IPSEC-MIB, and CISCO-IPSEC-POLICY-MAP-MIB do not give me data for the sum of all of my VRFs. Please advise.
    Thanks!
    Lehi

    See http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_iimib.html . Assuming you're running the correct version of code, you can get VRF-aware CISCO-IPSEC-FLOW-MONITOR-MIB and CISCO-IPSEC-MIB support. You will need to make sure you have configured your device to allow for VRF-based SNMP polling. The VRF instances will not show sum totals for the system. To get that, you will need to poll using a non-VRF community string.

  • Dynamic L2L in VRF-aware

    I have a router in a VRF that does from concentrate for vpn remote router and firewall.
    I need to manage access, LAN to LAN VPN with Dynamic ipaddress.
    the problem is to discriminate the VRF for the isakmp profile match.
    What advice can you give me? I found this attached file to run it?
    but I wonder how it is possible to finish in the correct VRF if there is a discriminate? I thought to associate preshared-key access to different inVRF different:
    VRF1 presharek 123cisco vrf1-address 0.0.0.0 0.0.0.0
    VRF1 presharek 123cisco vrf2-address 0.0.0.0 0.0.0.0

    Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.
    One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.
    This document helps you configure VRF aware IPSec.
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1158006

  • Crypto map question

    Hi
    If I have 2 crypto maps defined on my pix 506E. Traffic of my first crypto map goes for tunnel 1 & traffic of my second interface goes for tunnel2.
    I can't apply the command crypto map CCS interface outside & crypto map PLC interface outside.
    I am able to apply only one.
    How can I do to use both crypto maps?
    crypto ipsec transform-set my_PLC esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto map PLC 30 ipsec-isakmp
    crypto map PLC 30 match address PLC
    crypto map PLC 30 set peer 10.10.10.1
    crypto map PLC 30 set transform-set my_PLC
    crypto map PLC interface outside
    isakmp key ******* address 10.10.10.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash md5
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    crypto ipsec transform-set my_ccs esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto map CCS 20 ipsec-isakmp
    crypto map CCS 20 match address CCS
    crypto map CCS 20 set peer 20.20.20.1
    crypto map CCS 20 set transform-set my_ccs
    crypto map CCS interface outside
    isakmp key ****** address 20.20.20.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    Hi
    You can only have one crypto map per interface but you can have separate entries within the same crypto map eg.
    crypto map CCS 20 ipsec-isakmp
    crypto map CCS 20 match address CCS
    crypto map CCS 20 set peer 20.20.20.1
    crypto map CCS 20 set transform-set my_ccs
    crypto map CCS 30 ipsec-isakmp
    crypto map CCS 30 match address PLC
    crypto map CCS 30 set peer 10.10.10.1
    crypto map CCS 30 set transform-set my_PLC
    crypto map CCS interface outside
    HTH
    Jon

  • [ERR]crypto map WARNING: This crypto map is incomplete

    i have PIX 501 ver6.3(5) when i setup VPN i get this error message
    WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
    although it seems fine in sh conf command
    but tunnel is not started
    when i review log i found
    sa_request,ISAKMP Phase 1 exchange started

    i could successfully establish VPN with another FW cisco 501 6.3
    but still can't fix my dilemma which i connect to Huawei Eudemon 500
    sh isakmp
    PIX Version 6.3(5)
    interface ethernet0 10full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1
    access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2
    access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1
    access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map outside_map 100 ipsec-isakmp
    crypto map outside_map 100 match address outside_cryptomap_100
    crypto map outside_map 100 set peer remote peer
    crypto map outside_map 100 set transform-set ESP-3DES-SHA
    crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    sh crypto map
    Crypto Map: "outside_map" interfaces: { outside }
    Crypto Map "outside_map" 100 ipsec-isakmp
    Peer = remote peer
    access-list outside_cryptomap_100; 2 elements
    access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)
    access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 (hitcnt=6)
    Current peer: remote peer
    Security association lifetime: 1843200 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={ ESP-3DES-SHA, }
    Crypto Map: "set" interfaces: { }

  • Crypto map mymap command I am not familiar with

    I have the following commands in a new pix I am taking over and I am not sure what they do?
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    any help would be appreciated

    Hi .. they are used for remote VPNs:
    1.- crypto map mymap client configuration address initiate
    explanation: Use the crypto map mymap for remote vpn clients and the PIX Firewall will attempt to set IP addresses for each client.
    2.- crypto map mymap client configuration address respond
    explanation: Use the crypto map mymap for remote vpn clients and the PIX Firewall will accept requests for IP addresses from any
    requesting client.
    I hope it helps .. please rate if it does !!

  • Crypto map incomplete

    I have PIX 515 and trying to add a gateway to gateway VPN tunnel with dynamic IP. I already have two other VPN tunnels configured with static IP. I enter the access-list 110, then the crypto map mymap 20 ipsec-isakmp, no problem. Then the crypto map mymap 20 match address 101, and I get the error message Crypto map incomplete. Why am I getting this error and how do I get around it? Thanks.

    Yes I have an Incomplete.
    crypto ipsec transform-set tr-set esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set tr-set
    crypto dynamic-map dynmap 15 set transform-set tr-set
    crypto dynamic-map dynmap 15 set security-association lifetime seconds 3600 kilobytes 4608000
    crypto map mymap 10 ipsec-isakmp
    crypto map mymap 10 match address 101
    crypto map mymap 10 set peer 70.106.123.11
    crypto map mymap 10 set transform-set tr-set
    crypto map mymap 15 ipsec-isakmp
    crypto map mymap 15 match address 105
    crypto map mymap 15 set peer 67.100.146.217
    crypto map mymap 15 set transform-set tr-set
    crypto map mymap 20 ipsec-isakmp
    ! Incomplete
    crypto map mymap 6335 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
