Configure VRF-aware Site-to-Site IPsec VPN on a Cisco router

Brandon Carroll takes you through an example configuration of creating a site-to-site IPsec VPN on a Cisco router that also uses Virtual Routing and Forwarding to duplicate routing tables.

Last week, I presented a scenario in which Virtual Routing and Forwarding (VRF) was used to partition a single router into eight virtual routers. I showed you how to configure the VRFs, and in this post I will go through the IPsec portion of that same scenario, in which I had to duplicate eight test labs with identical topology and addressing. Once each test pod was duplicated, I ran into another issue. One requirement for the entire scenario to work was to have the ASA in a pod establish a VPN connection with the Cisco router. This is where VRF-aware IPsec comes in. I needed a way to have the exact same ISAKMP policies, the same pre-shared keys, the same crypto ACL, and so on for each VRF. The configuration is actually easier than you may think, and this example may help you if you run into a similar situation that calls for this kind of setup.

Start by creating the ISAKMP policy:

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!

Elements that are identical across VRFs can be shared, so only one ISAKMP policy is needed. Next, create the crypto ACL and the IPsec transform set; these are shared by every VRF as well.

ip access-list extended VPN
 permit ip 10.0.100.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto ipsec transform-set VPN-TRANS esp-aes esp-sha-hmac

Now for the pre-shared keys. In this case I've used a keyring for the pre-shared keys so that each one can be tied to its VRF.

crypto keyring POD1keys vrf POD1
  pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD2keys vrf POD2
  pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD3keys vrf POD3
  pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD4keys vrf POD4
  pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD5keys vrf POD5
  pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD6keys vrf POD6
  pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD7keys vrf POD7
  pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD8keys vrf POD8
  pre-shared-key address 192.168.1.2 key cisco123
!

Next, create the crypto maps, one per VRF.

!
crypto map pod1 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set VPN-TRANS
 set pfs group2
 match address VPN
!
crypto map pod2 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set VPN-TRANS
 set pfs group2
 match address VPN
!
crypto map pod3 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set VPN-TRANS
 set pfs group2
 match address VPN
!
crypto map pod4 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set VPN-TRANS
 set pfs group2
 match address VPN
!
crypto map pod5 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set VPN-TRANS
 set pfs group2
 match address VPN
!
crypto map pod6 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set VPN-TRANS
 set pfs group2
 match address VPN
!
crypto map pod7 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set VPN-TRANS
 set pfs group2
 set isakmp-profile pod7
 match address VPN
!
crypto map pod8 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set VPN-TRANS
 set pfs group2
 match address VPN
!

Once the crypto maps are built, apply each one to the sub-interface that belongs to its VRF.

interface FastEthernet0/0.1
crypto map pod1
!
interface FastEthernet0/0.2
crypto map pod2
!
interface FastEthernet0/0.3
crypto map pod3
!
interface FastEthernet0/0.4
crypto map pod4
!
interface FastEthernet0/0.5
crypto map pod5
!
interface FastEthernet0/0.6
crypto map pod6
!
interface FastEthernet0/0.7
crypto map pod7
!
interface FastEthernet0/0.8
crypto map pod8
!
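To show how the per-VRF pieces fit together, here is an added Python script (not from the post) that emits the keyring, ISAKMP profile, crypto map and interface binding for all eight pods from one template, and flags any keyring whose vrf keyword does not match its own name. The ISAKMP profile stanza is my assumption: the post's pod7 crypto map calls set isakmp-profile pod7 but the profile definition itself is not shown.

```python
# Added example (not from the post): emit the per-VRF IPsec stanzas for all
# eight pods from one template, so each keyring, ISAKMP profile and crypto map
# is bound to the VRF its name says. The ISAKMP profile stanza is an assumption:
# the post's pod7 map uses "set isakmp-profile pod7" but never defines it.
PEER = "192.168.1.2"   # the ASA in each pod (from the post)
PSK = "cisco123"       # lab pre-shared key (from the post)


def pod_config(pod: int, peer: str = PEER, psk: str = PSK) -> str:
    """Return the IOS config for one pod; every name derives from the pod number."""
    vrf, keyring, profile = f"POD{pod}", f"POD{pod}keys", f"pod{pod}"
    return "\n".join([
        f"crypto keyring {keyring} vrf {vrf}",
        f" pre-shared-key address {peer} key {psk}",
        # Assumed profile: 'vrf' is the inside VRF, the trailing VRF on
        # 'match identity' is the front-door VRF the IKE packets arrive in.
        f"crypto isakmp profile {profile}",
        f" vrf {vrf}",
        f" keyring {keyring}",
        f" match identity address {peer} 255.255.255.255 {vrf}",
        f"crypto map {profile} 10 ipsec-isakmp",
        f" set peer {peer}",
        " set transform-set VPN-TRANS",
        " set pfs group2",
        f" set isakmp-profile {profile}",
        " match address VPN",
        f"interface FastEthernet0/0.{pod}",
        f" crypto map {profile}",
        "!",
    ])


def all_pods(count: int = 8) -> str:
    return "\n".join(pod_config(p) for p in range(1, count + 1))


def misbound_keyrings(config: str) -> list:
    """Names of keyrings whose 'vrf' does not match their own name (copy-paste check)."""
    bad = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["crypto", "keyring"] and "vrf" in parts:
            name, vrf = parts[2], parts[parts.index("vrf") + 1]
            if name != f"{vrf}keys":
                bad.append(name)
    return bad
```

Running misbound_keyrings over a hand-typed config catches a keyring that was pasted under the wrong VRF before it silently lands a pod's IKE session in a neighbouring routing table.
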

Once applied, we can test. In Figure A, I am pinging an endpoint that requires encryption.

Going back to the router, we can see that the ISAKMP SA is active for the POD7 VRF, which is the one we're testing here.

BBR#sh crypto isa sa vrf POD7
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.1     192.168.1.2     QM_IDLE           1020 ACTIVE

Looking at the IPsec SA, you can see that the protected VRF is POD7 and that packets are being encapsulated and decapsulated in both directions. Additional statistics are shown, but we won't elaborate on them in this post.

BBR#sh crypto ipsec sa vrf POD7
interface: FastEthernet0/0.7
    Crypto map tag: pod7, local addr 192.168.1.1
   protected vrf: POD7
   local  ident (addr/mask/prot/port): (10.0.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.7
     current outbound spi: 0xE2C2B7A6(3804411814)
     PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0x347E881(55044225)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2023, flow_id: NETGX:23, sibling_flags 80000046, crypto map: pod7
        sa timing: remaining key lifetime (k/sec): (4514155/3388)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xE2C2B7A6(3804411814)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2024, flow_id: NETGX:24, sibling_flags 80000046, crypto map: pod7
        sa timing: remaining key lifetime (k/sec): (4514155/3388)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
BBR#
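As an added check that is not part of the original post, the following Python parses the show crypto ipsec sa vrf output above and reports anything that would mean the SA is not actually serving that VRF; SAMPLE is constructed from the fields of the POD7 output, trimmed to the lines the check reads.

```python
# Added example (not from the post): read "show crypto ipsec sa vrf <name>"
# output and confirm the SA really belongs to that VRF and is carrying traffic.
# SAMPLE is constructed from the fields of the post's POD7 output, trimmed.
import re

SAMPLE = """\
interface: FastEthernet0/0.7
    Crypto map tag: pod7, local addr 192.168.1.1
   protected vrf: POD7
   current_peer 192.168.1.2 port 500
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
     inbound esp sas:
        Status: ACTIVE
     outbound esp sas:
        Status: ACTIVE
"""


def parse_ipsec_sa(text: str) -> dict:
    """Pull out the fields a VRF-aware check needs; missing fields become None/0."""
    def grab(pattern, default=None, cast=str):
        m = re.search(pattern, text, re.M)
        return cast(m.group(1)) if m else default
    return {
        "crypto_map": grab(r"Crypto map tag: (\S+),"),
        "protected_vrf": grab(r"protected vrf: (\S+)"),
        "peer": grab(r"current_peer (\S+)"),
        "encaps": grab(r"#pkts encaps: (\d+)", 0, int),
        "decaps": grab(r"#pkts decaps: (\d+)", 0, int),
        "active_esp_sas": len(re.findall(r"Status: ACTIVE", text)),
    }


def vrf_tunnel_problems(text: str, vrf: str, peer: str, crypto_map: str) -> list:
    """Return findings for one VRF's tunnel; an empty list means it checks out."""
    sa = parse_ipsec_sa(text)
    problems = []
    if sa["protected_vrf"] != vrf:
        problems.append(f"protected vrf is {sa['protected_vrf']}, expected {vrf}")
    if sa["crypto_map"] != crypto_map or sa["peer"] != peer:
        problems.append(f"SA is for map {sa['crypto_map']} to {sa['peer']}, not {crypto_map}/{peer}")
    if sa["active_esp_sas"] < 2:
        problems.append("inbound and outbound ESP SAs are not both ACTIVE")
    if sa["encaps"] == 0 or sa["decaps"] == 0:
        problems.append("no traffic in one direction: check the crypto ACL and VRF routing")
    return problems
```
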

That's it for VRF-aware site-to-site IPsec VPN.

About

Brandon Carroll, CCIE #23837, is an IT Director, Blogger, Podcaster, and Mac Enthusiast. Brandon has nearly 15 years in the networking industry consulting for large and small enterprise and service provider networks.