Configure VRF-aware Site-to-Site IPsec VPN on a Cisco router

Last week, I presented a scenario in which Virtual Routing and Forwarding (VRF) was used to partition a single router into eight virtual routers. I showed you how to configure the VRFs, and in this post, I will go through the configuration of the IPsec portion of that same scenario in which I had to duplicate eight test labs with identical topology and addressing. Once each test pod was duplicated, I ran into another issue. One requirement for this entire scenario to work was to have the ASA in a pod establish a VPN connection with the Cisco router. This is where the VRF-aware IPsec comes in. I needed a way to have the exact same isakmp policies, same pre-shared keys, same crypto ACL, and so on for each VRF. The configuration is actually easier than you may think. This example configuration may help you with a similar situation, which calls for this kind of setup.

Start by creating the ISAKMP policy:

!

crypto isakmp policy 10

 encr aes 256

 authentication pre-share

 group 2

!

In the configuration, you can use common elements between VRFs, so we only need one ISAKMP policy. Next, create a crypto ACL and an IPsec transform set.

ip access-list extended VPN

 permit ip 10.0.100.0 0.0.0.255 10.0.1.0 0.0.0.255

crypto ipsec transform-set VPN-TRANS esp-aes esp-sha-hmac.

Now for the pre-shared key. In this case I've used a keyring for the preshared keys so that I can tie it to the VRF.

crypto keyring POD1keys vrf POD1

  pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD2keys vrf POD2

  pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD3keys vrf POD3

  pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD4keys vrf POD4

  pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD5keys vrf POD5

  pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD6keys vrf POD6

  pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD7keys vrf POD7

  pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD8keys vrf POD7

  pre-shared-key address 192.168.1.2 key cisco123

!

Next create the crypto-maps.

!

crypto map pod1 10 ipsec-isakmp

 set peer 192.168.1.2

 set transform-set VPN-TRANS

 set pfs group2

 match address VPN

!

crypto map pod2 10 ipsec-isakmp

 set peer 192.168.1.2

 set transform-set VPN-TRANS

 set pfs group2

 match address VPN

!

crypto map pod3 10 ipsec-isakmp

 set peer 192.168.1.2

 set transform-set VPN-TRANS

 set pfs group2

 match address VPN

!

crypto map pod4 10 ipsec-isakmp

 set peer 192.168.1.2

 set transform-set VPN-TRANS

 set pfs group2

 match address VPN

!

crypto map pod5 10 ipsec-isakmp

 set peer 192.168.1.2

 set transform-set VPN-TRANS

 set pfs group2

 match address VPN

!

crypto map pod6 10 ipsec-isakmp

 set peer 192.168.1.2

 set transform-set VPN-TRANS

 set pfs group2

 match address VPN

!

crypto map pod7 10 ipsec-isakmp

 set peer 192.168.1.2

 set transform-set VPN-TRANS

 set pfs group2

 set isakmp-profile pod7

 match address VPN

!

crypto map pod8 10 ipsec-isakmp

 set peer 192.168.1.2

 set transform-set VPN-TRANS

 set pfs group2

 match address VPN

!

Once the crypto-maps are put together they can be applied to the interfaces.

interface FastEthernet0/0.1

crypto map pod1

!

interface FastEthernet0/0.2

crypto map pod2

!

interface FastEthernet0/0.3

crypto map pod3

!

interface FastEthernet0/0.4

crypto map pod4

!

interface FastEthernet0/0.5

crypto map pod5

!

interface FastEthernet0/0.6

crypto map pod6

!

interface FastEthernet0/0.7

crypto map pod7

!

interface FastEthernet0/0.8

crypto map pod8

!

Once applied, we can test. In Figure A , I am pinging an endpoint that requires encryption.

Going back to the router, we can see that the ISAKMP SA is active for the POD7 vrf, which is what we're testing here.

BBR#sh crypto isa sa vrf POD7

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.1.1     192.168.1.2     QM_IDLE           1020 ACTIVE

Looking at the IPsec SA, you see the protected VRF is POD7. Additional statistics are there, but we won't elaborate in this post.

BBR#sh crypto ipsec sa vrf POD7

interface: FastEthernet0/0.7

    Crypto map tag: pod7, local addr 192.168.1.1

   protected vrf: POD7

   local  ident (addr/mask/prot/port): (10.0.100.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)

   current_peer 192.168.1.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7

    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.7

     current outbound spi: 0xE2C2B7A6(3804411814)

     PFS (Y/N): Y, DH group: group2

     inbound esp sas:

      spi: 0x347E881(55044225)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2023, flow_id: NETGX:23, sibling_flags 80000046, crypto map: pod7

        sa timing: remaining key lifetime (k/sec): (4514155/3388)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xE2C2B7A6(3804411814)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2024, flow_id: NETGX:24, sibling_flags 80000046, crypto map: pod7

        sa timing: remaining key lifetime (k/sec): (4514155/3388)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

BBR#

That's it for VRF aware Site-to-Site IPsec VPN.