Last week, I presented a scenario in which Virtual Routing and Forwarding (VRF) was used to partition a single router into eight virtual routers. I showed you how to configure the VRFs, and in this post I will go through the IPsec portion of that same scenario, in which I had to duplicate eight test labs with identical topology and addressing. Once each test pod was duplicated, I ran into another issue. One requirement for this entire scenario to work was to have the ASA in a pod establish a VPN connection with the Cisco router. This is where VRF-aware IPsec comes in. I needed a way to have the exact same ISAKMP policies, the same pre-shared keys, the same crypto ACL, and so on for each VRF. The configuration is actually easier than you may think, and this example may help you with a similar situation that calls for this kind of setup.
Start by creating the ISAKMP policy:
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
Elements that are common to all VRFs can be shared, so only one ISAKMP policy is needed. Next, create a crypto ACL and an IPsec transform set.
ip access-list extended VPN
permit ip 10.0.100.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto ipsec transform-set VPN-TRANS esp-aes esp-sha-hmac
Now for the pre-shared key. In this case I've used a keyring for the pre-shared keys so that I can tie each one to its VRF. The vrf keyword on crypto keyring binds the keyring to the front-door VRF (FVRF), the VRF of the interface on which the IKE packets arrive, so each pod's interface looks up its own key even though every pod uses the same peer address and the same key string.
crypto keyring POD1keys vrf POD1
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD2keys vrf POD2
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD3keys vrf POD3
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD4keys vrf POD4
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD5keys vrf POD5
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD6keys vrf POD6
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD7keys vrf POD7
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD8keys vrf POD8
pre-shared-key address 192.168.1.2 key cisco123
!
Next, create the crypto maps, one per VRF. They are identical except that the pod7 map also references an ISAKMP profile (set isakmp-profile pod7) whose definition is not shown in this post; the other maps carry no profile reference.
!
crypto map pod1 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod2 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod3 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod4 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod5 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod6 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod7 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
set isakmp-profile pod7
match address VPN
!
crypto map pod8 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
Once the crypto maps are put together, they can be applied to the subinterfaces, each of which belongs to its own VRF.
interface FastEthernet0/0.1
crypto map pod1
!
interface FastEthernet0/0.2
crypto map pod2
!
interface FastEthernet0/0.3
crypto map pod3
!
interface FastEthernet0/0.4
crypto map pod4
!
interface FastEthernet0/0.5
crypto map pod5
!
interface FastEthernet0/0.6
crypto map pod6
!
interface FastEthernet0/0.7
crypto map pod7
!
interface FastEthernet0/0.8
crypto map pod8
!
Once applied, we can test. In Figure A, I am pinging an endpoint that requires encryption.
Going back to the router, we can see that the ISAKMP SA is active for the POD7 vrf, which is what we're testing here.
BBR#sh crypto isa sa vrf POD7
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.1.1 192.168.1.2 QM_IDLE 1020 ACTIVE
Looking at the IPsec SA, you can see that the protected VRF is POD7. The matching encaps and decaps counters (7 and 7) confirm that the pings were encrypted in both directions. Additional statistics are shown, but we won't elaborate on them in this post.
BBR#sh crypto ipsec sa vrf POD7
interface: FastEthernet0/0.7
Crypto map tag: pod7, local addr 192.168.1.1
protected vrf: POD7
local ident (addr/mask/prot/port): (10.0.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.7
current outbound spi: 0xE2C2B7A6(3804411814)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x347E881(55044225)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2023, flow_id: NETGX:23, sibling_flags 80000046, crypto map: pod7
sa timing: remaining key lifetime (k/sec): (4514155/3388)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE2C2B7A6(3804411814)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2024, flow_id: NETGX:24, sibling_flags 80000046, crypto map: pod7
sa timing: remaining key lifetime (k/sec): (4514155/3388)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
BBR#
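Because the per-pod pieces are so repetitive, binding mistakes are easy to make and hard to spot by eye: a keyring bound to the wrong VRF leaves one pod without a pre-shared key, and a crypto map that references an ISAKMP profile that was never defined will not negotiate. The following check is an added example, not part of the original post: it parses a constructed config fragment in the style above (the ip vrf forwarding lines are assumed from last week's VRF setup) and reports, per subinterface carrying a crypto map, whether its FVRF has a keyring and whether every referenced profile exists.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the post's config (not the author's running-config).
# 'ip vrf forwarding' is assumed from the earlier VRF setup; the POD8 keyring is
# deliberately bound to POD7 and the 'pod7' ISAKMP profile is left undefined.
SAMPLE = """\
crypto keyring POD7keys vrf POD7
crypto keyring POD8keys vrf POD7
crypto map pod7 10 ipsec-isakmp
 set isakmp-profile pod7
crypto map pod8 10 ipsec-isakmp
interface FastEthernet0/0.7
 ip vrf forwarding POD7
 crypto map pod7
interface FastEthernet0/0.8
 ip vrf forwarding POD8
 crypto map pod8
"""

def parse(config):
    # by_vrf: FVRF -> keyrings bound to it; maps: crypto map -> profile refs;
    # profiles: defined ISAKMP profiles; intfs: interface -> {"vrf", "map"}
    by_vrf, maps, profiles, intfs, cur = defaultdict(list), defaultdict(list), set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"crypto keyring (\S+) vrf (\S+)", line):
            by_vrf[m[2]].append(m[1]); cur = None
        elif m := re.match(r"crypto isakmp profile (\S+)", line):
            profiles.add(m[1]); cur = None
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            cur = ("map", m[1])
        elif m := re.match(r"interface (\S+)", line):
            cur = ("intf", m[1]); intfs[m[1]] = {"vrf": None, "map": None}
        elif cur and cur[0] == "map" and (m := re.match(r"set isakmp-profile (\S+)", line)):
            maps[cur[1]].append(m[1])
        elif cur and cur[0] == "intf" and (m := re.match(r"(ip vrf forwarding|crypto map) (\S+)", line)):
            intfs[cur[1]]["vrf" if m[1] == "ip vrf forwarding" else "map"] = m[2]
    return by_vrf, maps, profiles, intfs

def lint(config):
    # One finding per problem on each interface that carries a crypto map.
    by_vrf, maps, profiles, intfs = parse(config)
    findings = []
    for intf, d in intfs.items():
        if d["map"] is None: continue
        if not by_vrf.get(d["vrf"]):
            findings.append(f"{intf}: no keyring bound to FVRF {d['vrf']}")
        for prof in maps.get(d["map"], []):
            if prof not in profiles:
                findings.append(f"{intf}: map {d['map']} references undefined ISAKMP profile {prof}")
    return findings
```

Running lint(SAMPLE) flags FastEthernet0/0.8 for the missing POD8 keyring and FastEthernet0/0.7 for the undefined profile; correcting the keyring line and defining the profile clears both findings.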
That's it for VRF-aware site-to-site IPsec VPN.
Brandon Carroll has been in the industry since the late 90s specializing in data networking and network security in the enterprise and data center. Brandon holds the CCIE in security and is a published author in network security.