VRF aware Remote Access on ZBF

Hello,
In our environment we have a Zone based firewall on CIsco ASR 1000 XE router, terminating normal IPsec VPN sessions on ZBF. The router has one outgoing physical interface (g0/0/0) connected to ISP as outside Interface and multiple Interfaces on the Inside network on Port channels VLAN/VRF.
The remote access VPN (Easy VPN) is applied using crypto map configuration on the interface connected to ISP.
Now, there was also a requirement to provide IPSec termination on the same physical inteface g0/0/0 to a different customer via a VRF aware Remote access. Two configuration templates were implemented with similar results. IPSec Tunnel comes up fine for the VRF profile but tunnel cannot pass traffic. Ping from IPsec client to an IP address on the Inside network times out and trace route shows that this gets dropped somwhere in the ISP cloud.
Configuration 1 - Crypto Dynamic Map
crypto isakmp policy 15
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration group admin-vpn
key _____
pool vpn-pool
acl VPN-LIST
crypto isakmp client configuration group centralsTEMP-vpn
key __________
pool centrals vpn-pool
acl VPN-LIST
crypto isakmp profile softclient
   match identity group admin-vpn
   client authentication list userauth
   isakmp authorization list groupauthor
   client configuration address respond
crypto isakmp profile centralsoftclient
   vrf Branch
   match identity group branch-vpn
   client authentication list userauth
   isakmp authorization list groupauthor
   client configuration address respond
crypto ipsec transform-set SECURITYSET esp-aes esp-md5-hmac
mode tunnel
crypto ipsec transform-set branchtemp esp-aes esp-md5-hmac
mode tunnel
crypto dynamic-map  branchvpn 10
set transform-set branchtemp
set isakmp-profile centralsoftclient
reverse-route
crypto dynamic-map vpnmap 10
set transform-set SECURITYSET
set isakmp-profile softclient
crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap ---> Normal VPN
crypto map vpnmap 20 ipsec-isakmp dynamic branchvpn --> IPSec Aware VPN
crypto map vpnmap
Configuration 2 - DVTI
crypto ipsec profile branchclient
set transform-set branchtemp
crypto isakmp profile centralsoftclient
   vrf global
   match identity group centralsTEMP-vpn
   client authentication list userauth
   isakmp authorization list groupauthor
   client configuration address respond
   virtual-template 2
interface Virtual-Template2 type tunnel
ip vrf forwarding branch
ip unnumbered GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile branchclient
Please advise if there is any VPN related configuration issue or a Zone based firewall issue.

Hi Marcin,
Thank you very much for your response and actually, we did open a TAC and the problem was resolved using Crypto Map dynamic configurations for both Standard and IPSec aware VPN's. Some specific policies on ZBF were tweaked (for example echo-reply packet inspection was deleted(configured for Pass) and also some access-lists which had unwanted entries  were cleaned up.
Thanks again for your help.
Best Regards,
Mohan

Similar Messages

  • VRF-Aware IPSec for Remote Access

    Dear All,
    Has anyone successfully implemented VRF-Aware IPSec for Remote Access ?
    I am trying to implement this feature on a PE which has MPLS enabled
    on the Internet facing interface.
    With the config below, I am being able to establish an IPSEc tunnel but not being able to PING the VRF interface configured on the same PE.
    I will be really grateful for any comment or any pointers for what could
    be possibly wrong with the configuration below:
    aaa new-model
    aaa authentication login USER-AUTHENTICATION local
    aaa authorization network GROUP-AUTHORISATION local
    crypto keyring test-1
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group test-1
    key test-1
    domain test.com
    pool cpe-1
    acl 101
    crypto isakmp profile test-1
    vrf test-1
    keyring test-1
    match identity group test-1
    client authentication list USER-AUTHENTICATION
    isakmp authorization list GROUP-AUTHORISATION
    client configuration address initiate
    client configuration address respond
    client configuration group test-1
    crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
    ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
    crypto dynamic-map test-1 1
    set transform-set test-1
    set isakmp-profile test-1
    reverse-route remote-peer
    Internet facing interface
    interface GigabitEthernet4/0/0
    ip address x.x.x.x 255.255.255.240
    ip router isis
    mpls ip
    crypto map IPSEC-AWARE-VRF
    Customer facing interface
    interface GigabitEthernet1/0/0.1
    encapsulation dot1Q 100
    ip vrf forwarding test-1
    ip address 110.110.110.1 255.255.255.0
    Kind regards,
    ZH

    Million thanks for this.
    This now works after disabling CEF on the public facing interface.
    Regards,
    Zahid

  • Dynamic L2L in VRF-aware

    I have a  router in a VRF that does from concentrate for vpn remote router and firewall.
    I need to  manage access, LAN to LAN VPN with Dynamic ipaddress.
    the problem is to discriminate the VRF for  the isakmp  profile match.
    What  advice can you give  me?I found this attached file to run it?
    but I  wonder how it is  possible to  finish in the  correct VRF if there is a descriminate? I thought to associate preshareed-key access to different inVRF different:VRF1 presharek 123cisco vrf1-address 0.0.0.0 0.0.0.0
    VRF1 presharek 123cisco vrf2-address 0.0.0.0 0.0.0.0

    Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.
    One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.
    This document helps you configure VRF aware IPSec.
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1158006

  • Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

    Hii frnds,
    here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
    Below is the out put from the router
    r1#sh run
    Building configuration...
    Current configuration : 3488 bytes
    ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
    ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
    version 15.1
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r1
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
    aaa new-model
    aaa authentication login local-console local
    aaa authentication login userauth local
    aaa authorization network groupauth local
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    ip domain name r1.com
    multilink bundle-name authenticated
    license udi pid CISCO1841 sn FHK145171DM
    username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
    username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group ra-vpn
    key xxxxxx
    domain r1.com
    pool vpn-pool
    acl 150
    save-password
      include-local-lan
    max-users 10
    crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
    crypto dynamic-map RA 1
    set transform-set my-vpn
    reverse-route
    crypto map ra-vpn client authentication list userauth
    crypto map ra-vpn isakmp authorization list groupauth
    crypto map ra-vpn client configuration address respond
    crypto map ra-vpn 1 ipsec-isakmp dynamic RA
    interface Loopback0
    ip address 10.2.2.2 255.255.255.255
    interface FastEthernet0/0
    bandwidth 8000000
    ip address 117.239.xx.xx 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map ra-vpn
    interface FastEthernet0/1
    description $ES_LAN$
    ip address 192.168.10.252 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.252.0 secondary
    ip address 172.16.0.1 255.255.252.0 secondary
    ip address 10.10.7.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpn-pool 172.18.1.1   172.18.1.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip dns server
    ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
    ip nat inside source list 100 pool INTERNETPOOL overload
    ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
    access-list 100 permit ip 10.10.7.0 0.0.0.255 any
    access-list 100 permit ip 10.10.10.0 0.0.1.255 any
    access-list 100 permit ip 172.16.0.0 0.0.3.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
    access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
    control-plane
    line con 0
    login authentication local-console
    line aux 0
    line vty 0 4
    login authentication local-console
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    r1>sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    C        10.2.2.2/32 is directly connected, Loopback0
    C        10.10.7.0/24 is directly connected, FastEthernet0/1
    L        10.10.7.1/32 is directly connected, FastEthernet0/1
    C        10.10.8.0/22 is directly connected, FastEthernet0/1
    L        10.10.10.1/32 is directly connected, FastEthernet0/1
          117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
    L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
          172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.16.0.0/22 is directly connected, FastEthernet0/1
    L        172.16.0.1/32 is directly connected, FastEthernet0/1
          172.18.0.0/32 is subnetted, 1 subnets
    S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.252/32 is directly connected, FastEthernet0/1
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1 #sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: giet-vpn, local addr 117.239.xx.xx
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
       current_peer 49.206.59.86 port 50083
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x550E70F9(1427009785)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x5668C75(90606709)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550169/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x550E70F9(1427009785)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550170/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    hi  Maximilian Schojohann..
    First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
    In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
    so plz give me an alternate solution ....thanks in advance....

  • FAQ: DPA - Remote Access for test systems

    Welcome to DPA - Remote Access for test systems forum!
    This forum is actively monitored and moderated by SAP Integration and Certification Center (ICC).
    Frequently Asked Questions:
    ======================================
    Q1: Where can I learn more about Developer Package Service (DPA)?
    Q2: How can I apply for the regular DPA service?
    Q3. How many SAP systems can I access under the regular DPA service?
    Q4. How can I have access to a non-shared SAP system?
    ======================================
    Q1: Where can I learn more about Developer Package Service (DPA)?
    A: Please take a look at ICC's web page on SDN:
    https://www.sdn.sap.com/irj/sdn?rid=/webcontent/uuid/15330f73-0501-0010-d59e-8a32e220b2ed [original link is broken]
    Q2: How can I apply for the regular DPA service?
    A: Please go to http://www.sap.com/partners/apply and fill out the application form.
    Q3. How many SAP systems can I access under the regular DPA service?
    A: Up to 3 SAP systems, which are shared among all DPA users.
    Q4. How can I have access to a non-shared SAP system?
    A: Please go to http://www.sap.com/partners/apply and apply for the exclusive-use DPA service.
    Message was edited by: Chung-Ho Fan

    https://discussions.apple.com/thread/5294202?tstart=0
    Something you should be aware of is the frequency of IP address change at your father's location. Providers of residential broadband services lease an IP address for a certain duration which you have no control over and is purely arbitrary. You may be familiar with these changes?
    The point is sometimes these addresses change regularly (4 hours to every few days) and sometimes they stay the same for a longer period of time such as a year or more.
    Because of the nature of this change you may find you can remote assist your father one day but not the next. The situation is easily rectified with a simple phonecall to your father. He can tell you what IP address he's using by launching his browser and clicking this link:
    http://myipaddress.com
    He gives you his new IP address and you should be able to make a successful connection again.
    Be aware IP addresses handed out by ISPs are known as routable. IP addresses handed out by Firewalls/Routers/Gateway devices such as Apple's Airport Express Base Station etc are not routable. Assuming you've not changed anything in the devices they will always be one of these three ranges: 192.168.1.x; 10.x.x.x and 172.16.16.x. You don't use any of these last three group of addresses to make the connection over the public external (internet) network but you do use them when on the same private internal network.

  • What is the best way to remotely access my sister in laws Mac who lives in another city to help her with her computer problems?

    as stated above
    What is the best way to remotely access my sister in laws Mac who lives in another city to help her with her computer problems?

    The best way? Get her to bring it to you, especially if she makes good cakes.
    Apples Back to my Mac isn't really suitable for this - it is designed for a single person who wants their Apple ID on the system. It would mean she would have to share hers with you & you would also have to setup her Apple ID on your Mac - it is messy & causes trouble with iCloud, iTunes etc.
    You can try Messages if she is able to begin a session with you, see the 'invite to share screen' in the menus, weirdly you need to use a service that isn't from Apple.
    Messages (Mavericks): Share your screen
    It may be better if you to setup LogMeIn or GoToMyPC. They should 'dial out' & maintain a constant connection so you can login whenever the Mac is powered up. It won't, require a human to initiate the process at the other end, just be aware that the router may cause issues depending on what is configured, you may need settings to enable automatic port forwarding - it really depend on which option you choose.

  • [SOLVED] Cups 2.0 remote access issues

    After CUPS recent upgrade to 2.0 both my cups server and client stopped working. In particular, I cannot even get to the administration pages from remote access.
    I can get to CUPS's  home page, but I get an error as soon as I try to access any other page. The error I get in the browser (firefox) is
    Unable to connect
    Firefox can't establish a connection to the server at ....
    Following wiki instructions, in my cupsd.conf file I have replaced the standard
    Listen localhost:631
    with the ip range for the local network
    Listen 192.168.0.0/24:631
    and I have added
    <Location />
    Order allow,deny
    Allow from @LOCAL
    </Location>
    # Restrict access to the admin pages...
    <Location /admin>
    Order allow,deny
    Allow from @LOCAL
    </Location>
    # Restrict access to configuration files...
    <Location /admin/conf>
    AuthType Basic
    Require user @SYSTEM
    Order allow,deny
    Allow From @LOCAL
    </Location>
    DefaultEncription Never
    Unfortunately, nothing has changed. I still get the same error in the browser and I cannot access the admin pages (or any page other than the home page).
    Help is greatly appreciated.
    Stefano
    Last edited by stefano (2014-11-08 15:27:03)

    clfarron4 wrote:
    Guzzista wrote:
    Same here, I discovered my file sshd.service disappeared on the server. I get the error
    # systemctl start cupsd
    Failed to start cupsd.service: Unit cupsd.service failed to load: No such file or directory.
    Don't know how to solve for now
    Unless it's a custom service file your relying on, the service has been re-named.
    Unfortunately, that's not where my problem lies. I was aware of the renaming issue and had acted accordingly.
    Still looking for solutions.
    S.

  • VRF-Aware WCCP

    I want to put one Cache-Engine at PE router to provide caching services for different VPNs.
    Customer will have Separate VPN to access Internet, Cache-engine is put at common VRF & accesible from Customer sites in different VPNs
    Can't find any related document, & don't have Lab to test. Anyone experience this, please confirm for me.
    Thanks a lot
    Long

    The VRF awareness for 12.4(T) is still probably 8-12 months out. VRF aware WCCP features are definitely in the pipeline, but nothing has been publically published on availability timelines.
    It's now publically available on the forum... but , I've only found it on the 3750 and 3550 documentation.
    at the 3750 you will need to place the redirect statement on each of the VLANs, ip wccp 61 redirect in
    Kindly find here GRE Tunnel with VRF Configuration Example:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
    I have gotten as far as the WAE registering the router:
    "WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
    WCCP configuration for TCP Promiscuous succeeded.Please remember to
    configure WCCP service 61 and 62 on the corresponding router."
    wae01#sh wccp router
    Router Information for Service: TCP Promiscuous 61
    Routers Configured and Seeing this Wide Area Engine(1)
    Router Id Sent To Recv ID
    0.0.0.0 209.1.1.1 0000022F
    The router registers the WAE as a WCCP client:
    router04#
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
    client 209.1.1.2"
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
    client 209.1.1.2"
    The router however cannot figure out what its ID is and does not see
    itself as a WCCP group router.
    router04#sh ip wccp
    Global WCCP information:
    Router information:
    Router Identifier: -not yet determined-
    Protocol Version: 2.0
    Service Identifier: 61
    Number of Service Group Clients: 1
    Number of Service Group Routers: 0
    Total Packets s/w Redirected: 0
    Process: 0
    Fast: 0
    CEF: 0
    Redirect access-list: ACCELERATED-TRAFFIC
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 25957
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    Total Bypassed Packets Received: 0
    This is a short summary of important commands for working with VRF's.
    View the VRF instances and the associated interfaces.
    ml-mr-c6-gs#show ip vrf
    Name Default RD Interfaces
    blurvrf 100:2 Vlan215
    Vlan326
    tgvrf 100:1 Vlan132
    Vlan325
    TenGigabitEthernet1/1
    ml-mr-c6-gs#
    Show the routing table for a specific VRF.
    ml-mr-c6-gs#show ip route vrf tgvrf
    Routing Table: tgvrf
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external,
    ---More--
    Gateway of last resort is 128.117.243.57 to network 0.0.0.0
    O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
    172.17.0.0/29 is subnetted, 3 subnets
    O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
    --More--
    Debugging should otherwise be similar to a regular switch or router.
    Final Teragrid VRF Design and Diagrams
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
    Teragrid Testbed Design
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
    Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
    Configuring VRF-Lite
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
    sachin garg

  • VRF Aware WCCP !!!!!! PLEASE!!!!!!

    I am looking for a forcast of when WCCP will have VRF support. Head-End scalability is pretty tough to achieve with out it. ywa I can stack WAE's ( up to 32) in a WCCP service group but if the Edge WAE's are in A VRF, it breaks.
    Any Ideas?

    The VRF awareness for 12.4(T) is still probably 8-12 months out. VRF aware WCCP features are definitely in the pipeline, but nothing has been publically published on availability timelines.
    It's now publically available on the forum... but , I've only found it on the 3750 and 3550 documentation.
    at the 3750 you will need to place the redirect statement on each of the VLANs, ip wccp 61 redirect in
    Kindly find here GRE Tunnel with VRF Configuration Example:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
    I have gotten as far as the WAE registering the router:
    "WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
    WCCP configuration for TCP Promiscuous succeeded.Please remember to
    configure WCCP service 61 and 62 on the corresponding router."
    wae01#sh wccp router
    Router Information for Service: TCP Promiscuous 61
    Routers Configured and Seeing this Wide Area Engine(1)
    Router Id Sent To Recv ID
    0.0.0.0 209.1.1.1 0000022F
    The router registers the WAE as a WCCP client:
    router04#
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
    client 209.1.1.2"
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
    client 209.1.1.2"
    The router however cannot figure out what its ID is and does not see
    itself as a WCCP group router.
    router04#sh ip wccp
    Global WCCP information:
    Router information:
    Router Identifier: -not yet determined-
    Protocol Version: 2.0
    Service Identifier: 61
    Number of Service Group Clients: 1
    Number of Service Group Routers: 0
    Total Packets s/w Redirected: 0
    Process: 0
    Fast: 0
    CEF: 0
    Redirect access-list: ACCELERATED-TRAFFIC
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 25957
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    Total Bypassed Packets Received: 0
    This is a short summary of important commands for working with VRF's.
    View the VRF instances and the associated interfaces.
    ml-mr-c6-gs#show ip vrf
    Name Default RD Interfaces
    blurvrf 100:2 Vlan215
    Vlan326
    tgvrf 100:1 Vlan132
    Vlan325
    TenGigabitEthernet1/1
    ml-mr-c6-gs#
    Show the routing table for a specific VRF.
    ml-mr-c6-gs#show ip route vrf tgvrf
    Routing Table: tgvrf
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external,
    ---More--
    Gateway of last resort is 128.117.243.57 to network 0.0.0.0
    O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
    172.17.0.0/29 is subnetted, 3 subnets
    O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
    --More--
    Debugging should otherwise be similar to a regular switch or router.
    Final Teragrid VRF Design and Diagrams
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
    Teragrid Testbed Design
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
    Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
    Configuring VRF-Lite
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
    sachin garg

  • VRF Aware DVTI and PKI

    Hi,
    i´ve try to get an dynamic VTI with VRF Aware on the HUB Router and PKI for Authentication.
    My Problem is, that Phase1 works fine, but Phase2 doesn´t came up.
    debug crypto isakmp
    Feb  7 09:46:09.439: ISAKMP:(20175): IPSec policy invalidated proposal with error 32
    Feb  7 09:46:09.439: ISAKMP:(20175): phase 2 SA policy not acceptable! (local a.b.c.d remote e.f.g.h)
    The proposals are OK.
    Here are the config parts.
    crypto isakmp profile P1
       ca trust-point VPN
       match certificate CERMAP1
       virtual-template 11
    crypto ipsec profile P1
    set transform-set AES256
    set isakmp-profile P1
    interface Virtual-Template11 type tunnel
    vrf forwarding <VRF Name>
    ip unnumbered Loopback0
    ip virtual-reassembly in
    tunnel mode ipsec ipv4
    tunnel vrf OUTSIDE_VTI
    tunnel protection ipsec profile P1
    Have any one of you a working configuration with this parameters or an idea, what i can do ?
    The Virtual-Template Interface ist up/down and no interface virtual-acces was created.
    Many Thanks !!!

    This is the output from debug crypto isakmp....
    Feb 7 18:41:37.048: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (N) NEW SA
    Feb 7 18:41:37.048: ISAKMP: Created a peer struct for a.b.c.d, peer port 500
    Feb 7 18:41:37.048: ISAKMP: New peer created peer = 0x3D83A580 peer_handle = 0x8000025B
    Feb 7 18:41:37.048: ISAKMP: Locking peer struct 0x3D83A580, refcount 1 for crypto_isakmp_process_block
    Feb 7 18:41:37.048: ISAKMP: local port 500, remote port 500
    Feb 7 18:41:37.048: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2107EC78
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    Feb 7 18:41:37.048: ISAKMP:(0): processing SA payload. message ID = 0
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
    Feb 7 18:41:37.048: ISAKMP : Scanning profiles for xauth ... RTR2
    Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Feb 7 18:41:37.048: ISAKMP: encryption AES-CBC
    Feb 7 18:41:37.048: ISAKMP: keylength of 256
    Feb 7 18:41:37.048: ISAKMP: hash SHA
    Feb 7 18:41:37.048: ISAKMP: default group 2
    Feb 7 18:41:37.048: ISAKMP: auth RSA sig
    Feb 7 18:41:37.048: ISAKMP: life type in seconds
    Feb 7 18:41:37.048: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    Feb 7 18:41:37.048: ISAKMP:(0):atts are acceptable. Next payload is 0
    Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:actual life: 0
    Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:life: 0
    Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa vpi_length:4
    Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0):Returning Actual lifetime: 86400
    Feb 7 18:41:37.048: ISAKMP:(0)::Started lifetime timer: 86400.
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
    Feb 7 18:41:37.048: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Feb 7 18:41:37.048: ISAKMP:(0): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_SA_SETUP
    Feb 7 18:41:37.048: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
    Feb 7 18:41:37.088: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (R) MM_SA_SETUP
    Feb 7 18:41:37.092: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.092: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
    Feb 7 18:41:37.092: ISAKMP:(0): processing KE payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(0): processing NONCE payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(20308): processing CERT_REQ payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(20308): peer wants a CT_X509_SIGNATURE cert
    Feb 7 18:41:37.092: ISAKMP:(20308): peer wants cert issued by cn=RTR1,o=company,c=de
    Feb 7 18:41:37.092: Choosing trustpoint VPN as issuer
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is DPD
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): speaking to another IOS box!
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID seems Unity/DPD but major 28 mismatch
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is XAUTH
    Feb 7 18:41:37.092: ISAKMP:received payload type 20
    Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
    Feb 7 18:41:37.092: ISAKMP:received payload type 20
    Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
    Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM3
    Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP (20308): constructing CERT_REQ for issuer cn=RTR1,o=company,c=de
    Feb 7 18:41:37.092: ISAKMP:(20308): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Feb 7 18:41:37.092: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM4
    Feb 7 18:41:37.164: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) MM_KEY_EXCH
    Feb 7 18:41:37.164: ISAKMP:(20308):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.164: ISAKMP:(20308):Old State = IKE_R_MM4 New State = IKE_R_MM5
    Feb 7 18:41:37.164: ISAKMP:(20308): processing ID payload. message ID = 0
    Feb 7 18:41:37.164: ISAKMP (20308): ID payload
    next-payload : 6
    type : 2
    FQDN name : RTR2.customer.de
    protocol : 17
    port : 0
    length : 30
    Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
    Feb 7 18:41:37.164: ISAKMP:(20308): processing CERT payload. message ID = 0
    Feb 7 18:41:37.164: ISAKMP:(20308): processing a CT_X509_SIGNATURE cert
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): peer's pubkey is cached
    Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): Unable to get DN from certificate!
    Feb 7 18:41:37.168: ISAKMP:(20308): processing SIG payload. message ID = 0
    Feb 7 18:41:37.168: ISAKMP:(20308): processing NOTIFY INITIAL_CONTACT protocol 1
    spi 0, message ID = 0, sa = 0x2107EC78
    Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
    authenticated
    Feb 7 18:41:37.168: ISAKMP:(20308):SA has been authenticated with a.b.c.d
    Feb 7 18:41:37.168: ISAKMP:(20308):Detected port floating to port = 20962
    Feb 7 18:41:37.168: ISAKMP: Trying to find existing peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI
    Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
    authenticated
    Feb 7 18:41:37.168: ISAKMP:(20308): Process initial contact,
    bring down existing phase 1 and 2 SA's with local e.f.g.h remote a.b.c.d remote port 20962
    Feb 7 18:41:37.168: ISAKMP: Trying to insert a peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI, and inserted successfully 3D83A580.
    Feb 7 18:41:37.168: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.168: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_R_MM5
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308):My ID configured as IPv4 Addr, but Addr not in Cert!
    Feb 7 18:41:37.168: ISAKMP:(20308):Using FQDN as My ID
    Feb 7 18:41:37.168: ISAKMP:(20308):SA is doing RSA signature authentication using id type ID_FQDN
    Feb 7 18:41:37.168: ISAKMP (20308): ID payload
    next-payload : 6
    type : 2
    FQDN name : RTR1.company.de
    protocol : 17
    port : 0
    length : 26
    Feb 7 18:41:37.168: ISAKMP:(20308):Total payload length: 26
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.172: ISAKMP:(20308): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.172: ISAKMP (20308): constructing CERT payload for hostname=RTR1.company.de,cn=RTR1,o=company,c=DE
    Feb 7 18:41:37.172: ISAKMP:(20308): using the VPN trustpoint's keypair to sign
    Feb 7 18:41:37.176: ISKAMP: growing send buffer from 1024 to 3072
    Feb 7 18:41:37.176: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) MM_KEY_EXCH
    Feb 7 18:41:37.180: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308): IKE->PKI End PKI Session state (R) QM_IDLE (peer a.b.c.d)
    Feb 7 18:41:37.180: ISAKMP:(20308): PKI->IKE Ended PKI session state (R) QM_IDLE (peer a.b.c.d)
    Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    Feb 7 18:41:37.208: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) QM_IDLE
    Feb 7 18:41:37.208: ISAKMP: set new node -1302683506 to QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308): processing HASH payload. message ID = 2992283790
    Feb 7 18:41:37.212: ISAKMP:(20308): processing SA payload. message ID = 2992283790
    Feb 7 18:41:37.212: ISAKMP:(20308):Checking IPSec proposal 1
    Feb 7 18:41:37.212: ISAKMP: transform 1, ESP_AES
    Feb 7 18:41:37.212: ISAKMP: attributes in transform:
    Feb 7 18:41:37.212: ISAKMP: encaps is 3 (Tunnel-UDP)
    Feb 7 18:41:37.212: ISAKMP: SA life type in seconds
    Feb 7 18:41:37.212: ISAKMP: SA life duration (basic) of 3600
    Feb 7 18:41:37.212: ISAKMP: SA life type in kilobytes
    Feb 7 18:41:37.212: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    Feb 7 18:41:37.212: ISAKMP: authenticator is HMAC-SHA
    Feb 7 18:41:37.212: ISAKMP: key length is 256
    Feb 7 18:41:37.212: ISAKMP:(20308):atts are acceptable.
    Feb 7 18:41:37.212: ISAKMP:(20308): IPSec policy invalidated proposal with error 32
    Feb 7 18:41:37.212: ISAKMP:(20308): phase 2 SA policy not acceptable! (local e.f.g.h remote a.b.c.d)
    Feb 7 18:41:37.212: ISAKMP: set new node -809943149 to QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 573410632, message ID = 3485024147
    Feb 7 18:41:37.212: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.212: ISAKMP:(20308):purging node -809943149
    Feb 7 18:41:37.212: ISAKMP:(20308):deleting node -1302683506 error TRUE reason "QM rejected"

  • Vrf Aware IPSEC

    Hi
    i am trying something inline with title mentioned but i m getting stuck up in getting my vpnclient establish the connectivity with my IPE box which is 7206.
    i have tried establishing the dynamic ipsec with my 6513 box configured to accept the same where its working fine w/o any issues but my bad luck i dont have a compatible ios to tune my 6513 box to support vrf aware ipsec and since i hv my 7206 supports the same functionality i didnt want 6513 to cater that feature.
    i hve even tried the same config of normal plain dynamic ipsec which i hv tried in 6513 switch but still i m getting into the same problem.
    i m getting remote peer is no longer responding in my vpn client.
    i m attching the config of my ipe box herewith this msg,pls do suggest how do i proceed to make it thru coz i m gone out of ideas and gone totally dry
    (coz trying/cracking this continously for hrs together..) :-(
    regds

    Hi
    thx a lot i got it working ,but do revert how come the same is working fine without any issues in my 6513 box without the above mentioned command.thtsy i got stumpeddd :-(
    any compatibility issues or any specifics been put to add this syntax in 7206 boxes alone ?coz i m aware of some boxes even in production network running dynamic ipsec stuffs without the above mentioned command..
    regds

  • VRF aware VPN

    Hi,
    I'm trying to set up different types of VRF-aware VPN and I have a problem with below one:
    FVRF=VRF1 and IVRF=global, no VRF
    there  are 2 routers with Loopback1 (global VRF) and gig0/0 (vrf FVRF). When I  ping between Loop1's I see ISAKMP and IPsec SAs are up but I don't  receive echo reply
    Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1#sh cry
    r1#sh crypto ip
    r1#sh crypto ipsec sa
    interface: GigabitEthernet0/0
        Crypto map tag: MAPA, local addr 10.0.0.1
       protected vrf: FVRF
       local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
       current_peer 10.0.0.2 port 500
         PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0xCF660D5A(3479571802)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x66992BE3(1721314275)
    r1# 
    I added static routes on r1 and r2 but apparently I missed something else:
    r1:
    ip route 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2
    r2:
    ip route 11.11.11.11 255.255.255.255 GigabitEthernet0/0 10.0.0.1
    Any suggestions?
    Hubert

    Hi,
    yes, I have the static route:
    r1#sh run | i route
    ip source-route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.0.2
    r1#sh ip ro
    r1#sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 10.0.0.2 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 10.0.0.2, GigabitEthernet0/0
          11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        11.11.11.0/24 is directly connected, Loopback1
    L        11.11.11.11/32 is directly connected, Loopback1
    r1#sh ip route vr
    r1#sh ip route vrf FVRF
    Routing Table: FVRF
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is not set
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        10.0.0.0/24 is directly connected, GigabitEthernet0/0
    L        10.0.0.1/32 is directly connected, GigabitEthernet0/0
    r1#
    The problem is I can't specify 'global' vrf in the route statement. When I tested a bit different case scenario everything worked fine:
    a) Loop1 (vrf=IVRF) -- gig0/0 (global vrf) <-> gig0/0 (global vrf) -- Loop1 (vrf=IVRF)
      11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I just added:
    ip route vrf IVRF 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2 global
    b) With 2 VRFs:
    Loop1 (vrf=IVRF) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (vrf=IVRF)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I added:
    ip route vrf FVRF 0.0.0.0 0.0.0.0 10.0.0.1
    ip route vrf IVRF 0.0.0.0 0.0.0.0 FastEthernet0/0 10.0.0.1
    So, the problem I have, is only when Loopback interfaces are in global VRF and physical interfaces vrf=FVRF:
    Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I wonder if Cisco supports such scenario.

  • IPSec VRF Aware (Crypto Map)

    Hello!
    I have some problem with configuring vrf aware Ipsec (Crypto Map).
    Any traffic (from subnet 10.6.6.248/29) do not pass trouth router, but if i run command "ping vrf inside 10.5.5.1 source gi 0/1.737" it working well.  
    Configuration below:
    ip vrf outside
     rd 1:1
    ip vrf inside
     rd 2:2
    track 10 ip sla 10 reachability
    ip sla schedule 10 life forever start-time now
    crypto keyring outside vrf outside 
      pre-shared-key address 10.10.10.100 key XXXXXX
    crypto isakmp policy 20
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 periodic
    crypto isakmp profile AS_outside
       vrf inside
       keyring outside
       match identity address 10.10.10.100 255.255.255.255 outside
       isakmp authorization list default
    crypto ipsec transform-set ESP-AESesp-aes 256 esp-sha-hmac 
     mode tunnel
    crypto ipsec df-bit clear
    crypto map outside 10 ipsec-isakmp 
     set peer 10.10.10.100
     set security-association idle-time 3600
     set transform-set ESP-AES 
     set pfs group2
     set isakmp-profile AS_outside
     match address inside_access
    ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
    ip access-list extended inside_access
     permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
    icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
     vrf outside
    interface GigabitEthernet0/0.806
    ip vrf forwarding outside
    ip address 10.10.10.101 255.255.255.0
    crypto-map outside
    interface GigabitEthernet0/1.737
    ip vrf forwarding inside
    ip address 10.6.6.252 255.255.255.248

    Hello Frank!
    >>  1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
    I tried it before. Nothing changes.
    >> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
    It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
    show command below:
    ISR-vpn-1#show ip cef vrf inside exact-route  10.6.6.254 10.5.5.1
     10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
    ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal                
    10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
      sources: RIB 
      feature space:
       NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
      ifnums:
       GigabitEthernet0/0.806(24): 10.10.10.100
      path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
      nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
      output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)

  • Remote access via internet

    Have an Vitek DVR with several cameras and after correctly configuring port forwarding on the router and input the IP to the DVR, I am able to view the camera pictures without any problems on the MacBook Pro. However, being able to view the camera results from the IPHONE via remote access, through Safari, requires an APP. Having tried the VITEK DVRViewer app, and half a dozen other apps, I am unable to connect via the iphone. I contacted VITEK and was informed that they are aware of the problem, which they say is due from the IOS6 update, an updated app was submitted to Apple for approval, which would solve the issue.
    I have found many hits on the YouTube with the same issues. Does anyone know of a solution, or if they were told by VITEK of the same solution?
    Thank you

    This would not seem to be an issue with Apple Remote Desktop, Apple's software for managing networked Macs and the topic of this forum. I'd suggest you take this up in the iPhone forum, where you'll be more likely to encounter someone attempting to run the same app and hence provide suggestions.
    Regards.

  • Setting up remote access for support

    Need to set up remote support for my Dad's iMac. He has an airport express connected to an optonline cable modem. I have an airport connected to a charter cable modem.
    Both systems are running Mavericks. I have the latest remote access app.
    I tried this a year ago and could connect to him when I was on his local network but not when I was at home. Since then everything has been updated. I will be visiting him in a few week and could do any set up on his system.
    I read the admin guide but it's still to confusing to me. I am able to set up and connect to computers on my local network ok.
    Will ARA be able to do this? Do I need any further software? logmeon, etc?
    Any tips on creating a client installer to use when I am there? I will be using his user account.
    Do any changes need to be made to the routers to get through them?
    Could use some help here. Thanks

    https://discussions.apple.com/thread/5294202?tstart=0
    Something you should be aware of is the frequency of IP address change at your father's location. Providers of residential broadband services lease an IP address for a certain duration which you have no control over and is purely arbitrary. You may be familiar with these changes?
    The point is sometimes these addresses change regularly (4 hours to every few days) and sometimes they stay the same for a longer period of time such as a year or more.
    Because of the nature of this change you may find you can remote assist your father one day but not the next. The situation is easily rectified with a simple phonecall to your father. He can tell you what IP address he's using by launching his browser and clicking this link:
    http://myipaddress.com
    He gives you his new IP address and you should be able to make a successful connection again.
    Be aware IP addresses handed out by ISPs are known as routable. IP addresses handed out by Firewalls/Routers/Gateway devices such as Apple's Airport Express Base Station etc are not routable. Assuming you've not changed anything in the devices they will always be one of these three ranges: 192.168.1.x; 10.x.x.x and 172.16.16.x. You don't use any of these last three group of addresses to make the connection over the public external (internet) network but you do use them when on the same private internal network.

Maybe you are looking for

  • Problem with customer/vendor clearing

    Hi all, We are launching the payment proposal for this month and we have found one issue related to the clearing customer/vendor. The vendor invoices are filled in the Part. Bank Type with 1 or 2u2026, but the customer invoices has this field as blan

  • Problems with language

    Hello! There is a problem Safary, many can not fill out forms in Russian, including leave comments, in Russia, many sites where the login and password can be filled only in Russian, but the system does not switch from English to Russian.The same prob

  • How to set width of a prompt in OBIEE 11g?

    Hi, We have recently upgraded to OBIEE 11G. In 10g all our prompts were fine. After upgrade, the prompts look distracted. All the prompts are Choice Lists. The width of the prompts is varying depending on the width of the values that are coming from

  • Seeburger workbench

    Hi, I am struggling in seeburger workbenceh. here i used message splitter and creating new Data Management Here i am using Sender as 12345 and mapping name is - when i comes into Sender-Party --(Here i gave party name which a iwas used in PI ) Sender

  • CollabraSuite. Is the evaluation license from BEA valid?

    Hi, I downloaded CollabraSuite 5.1 and the evaluation license from BEA website. I followed the installation guide (http://edocs.bea.com/collabrasuite/docs51/pdf/InstallGuide.pdf) to install CollabraSuite, create a portal and add the Collabra portlets