VRF aware IPSec

Topology:

Version:

IOS (tm) 7200 Software (C7200-JK9S-M), Version 12.2(15)T, MAINTENANCE INTERIM SOFTWARE
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 28-Feb-03 12:05 by ccai
Image text-base: 0x60008954, data-base: 0x62122000

ROM: System Bootstrap, Version 12.2(4r)B2, RELEASE SOFTWARE (fc2)
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.1(8a)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

IPSEC-1 uptime is 18 hours, 52 minutes
System returned to ROM by reload at 18:56:03 UTC Mon Mar 3 2003
System image file is "disk0:c7200-jk9s-mz.122-14.6.T2"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
.

cisco 7206VXR (NPE400) processor (revision A) with 114688K/16384K bytes of memory.
Processor board ID 28343207
R7000 CPU at 350Mhz, Implementation 39, Rev 3.3, 256KB L2, 4096KB L3 Cache
6 slot VXR midplane, Version 2.6
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
2 FastEthernet/IEEE 802.3 interface(s)
1 Integrated service adapter(s)
125K bytes of non-volatile configuration memory.

47040K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

Sample Configuration:

crypto isakmp profile vpn1-static
   vrf vpn1
   keyring vpn1
   match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile vpn2-static
   vrf vpn2
   keyring vpn2
   match identity address 4.1.1.1 255.255.255.255
!
<snip>
!
crypto map vpn 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set isaTransform
 set isakmp-profile vpn1-static
 match address vpn1acl
 reverse-route
crypto map vpn 2 ipsec-isakmp
 set peer 4.1.1.1
 set transform-set isaTransform
 set isakmp-profile vpn2-static
 match address vpn2acl
 reverse-route
!
<snip>
!
ip access-list extended vpn1acl
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended vpn2acl
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Routing Table:

There are no IKE/IPSec SAs:

IPSEC-1#sh cry isa sa
f_vrf/i_vrf   dst             src             state          conn-id slot

The routes can be seen in vpn1 and vpn2 but NOT in global:

Routing Table: vpn1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
B       10.1.1.0 [200/0] via 20.20.20.2, 01:32:51
S    192.168.1.0/24 [1/0] via 1.1.1.1

Routing Table: vpn2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
B       10.1.1.0 [200/0] via 20.20.20.2, 01:54:35
S    192.168.1.0/24 [1/0] via 4.1.1.1

IPSEC-1#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 3.3.3.100 to network 0.0.0.0

     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, FastEthernet0/0
     20.0.0.0/32 is subnetted, 2 subnets
C       20.20.20.1 is directly connected, Loopback0
O       20.20.20.2 [110/3] via 6.1.1.2, 01:51:45, FastEthernet1/0
     6.0.0.0/24 is subnetted, 1 subnets
C       6.1.1.0 is directly connected, FastEthernet1/0
     7.0.0.0/24 is subnetted, 1 subnets
O       7.1.1.0 [110/2] via 6.1.1.2, 01:51:45, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 3.3.3.100

Client Tunnels:

Configuration:

crypto isakmp client configuration group vpn1group
 key cisco123
 pool vpn1
 acl group2
!
crypto isakmp client configuration group vpn2group
 key cisco456
 pool vpn2
 acl group2
!
crypto isakmp profile vpn1-ra
   vrf vpn1
   match identity group vpn1group
   client authentication list locallist
   isakmp authorization list locallist
   client configuration address respond
   accounting acclist
crypto isakmp profile vpn2-ra
   vrf vpn2
   match identity group vpn2group
   client authentication list locallist
   isakmp authorization list locallist
   client configuration address respond
   accounting acclist
!
<snip>
!
crypto dynamic-map dyna1 1
 set transform-set isaTransform
 set isakmp-profile vpn1-ra
 reverse-route
crypto dynamic-map dyna1 2
 set transform-set isaTransform
 set isakmp-profile vpn2-ra
 reverse-route
!

Routing Table:

IPSEC-1#sh cry isa sa
f_vrf/i_vrf   dst             src             state          conn-id slot
      /vpn2   3.3.3.3         100.1.1.26      QM_IDLE              3    0
      /vpn1   3.3.3.3         100.1.1.27      QM_IDLE              5    0

Let's look at the IP addresses assigned to the clients:

IPSEC-1#sh cry isa peer
Peer: 100.1.1.26 Port: 500, IKE ref: 1 IPSec ref: 2
 flags:
 last_locker: 0x61FA08F8, last_last_locker: 0x61FA08F8
 last_unlocker: 0x0, last_last_unlocker: 0x0
 Configuration:
  Configured Address: 172.20.1.2, State: in use, Attributes: RESPOND
 XAUTH: user unknown FLAGS: (Need xauth on next phase 1) (xauth done)
<snip>
Peer: 100.1.1.27 Port: 500, IKE ref: 1 IPSec ref: 2
 flags:
 last_locker: 0x61FA08F8, last_last_locker: 0x61FA08F8
 last_unlocker: 0x61F7D900, last_last_unlocker: 0x61F7D900
 Configuration:
  Configured Address: 172.20.1.2, State: in use, Attributes: RESPOND
 XAUTH: user unknown FLAGS: (Need xauth on next phase 1) (xauth done)
<snip>

Routing Table: vpn1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.20.0.0/32 is subnetted, 1 subnets
S       172.20.1.2 [1/0] via 100.1.1.27
     10.0.0.0/24 is subnetted, 1 subnets
B       10.1.1.0 [200/0] via 20.20.20.2, 02:36:39
S    192.168.1.0/24 [1/0] via 1.1.1.1
S    192.168.2.0/24 [1/0] via 2.2.2.2

IPSEC-1#sh ip rou vrf vpn2

Routing Table: vpn2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.20.0.0/32 is subnetted, 1 subnets
S       172.20.1.2 [1/0] via 100.1.1.26
     10.0.0.0/24 is subnetted, 1 subnets
B       10.1.1.0 [200/0] via 20.20.20.2, 02:36:46
S    192.168.1.0/24 [1/0] via 4.1.1.1

As soon as the clients disconnect, the routes will go away.
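The point of both the static and the client-tunnel sections is that the ISAKMP profile's vrf statement decides which routing table receives the reverse-route injected for a peer; the global table stays clean even though both pools hand out the same 172.20.1.2. The script below is an added check, not part of the original note: it parses sample "sh cry isa sa" and "sh ip route vrf" output (constructed from the displays above) and confirms that each IKE peer's static route appears only in that SA's i_vrf, flagging a route that shows up in global or in a foreign VRF.

```python
import re
from collections import defaultdict

# Constructed sample output, shaped like the aggregator's displays above.
ISAKMP_SA = """\
f_vrf/i_vrf dst src state conn-id slot
/vpn2 3.3.3.3 100.1.1.26 QM_IDLE 3 0
/vpn1 3.3.3.3 100.1.1.27 QM_IDLE 5 0
"""
ROUTES = """\
Routing Table: vpn1
S 172.20.1.2 [1/0] via 100.1.1.27
B 10.1.1.0 [200/0] via 20.20.20.2, 02:36:39
S 192.168.1.0/24 [1/0] via 1.1.1.1
Routing Table: vpn2
S 172.20.1.2 [1/0] via 100.1.1.26
S 192.168.1.0/24 [1/0] via 4.1.1.1
Routing Table: global
S* 0.0.0.0/0 [1/0] via 3.3.3.100
"""
# f_vrf may be empty (global); the trailing \d+ keeps the header line out.
SA_RE = re.compile(r"^(\S*)/(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)")
# Static routes only (RRI injects statics); S* covers the default route.
ROUTE_RE = re.compile(r"^S\*?\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+)")

def parse_isakmp_sa(text):
    """One dict per IKE SA; an empty f_vrf means the global table."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            fvrf, ivrf, _dst, src, state, _conn = m.groups()
            sas.append({"fvrf": fvrf or "global", "ivrf": ivrf, "src": src, "state": state})
    return sas

def parse_static_routes(text):
    """VRF name -> next hop -> [prefixes] for static routes (RRI included)."""
    vrf, routes = "global", defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if line.startswith("Routing Table:"):
            vrf = line.split(":", 1)[1].strip()
        elif (m := ROUTE_RE.match(line)):
            routes[vrf][m.group(2)].append(m.group(1))
    return routes

def check_rri(sa_text, route_text):
    """Per IKE peer: VRFs holding a static route via that peer; ok only if exactly i_vrf."""
    routes = parse_static_routes(route_text)
    report = {}
    for sa in parse_isakmp_sa(sa_text):
        found = sorted(v for v, by_nh in routes.items() if sa["src"] in by_nh)
        report[sa["src"]] = {"expected": sa["ivrf"], "found": found, "ok": found == [sa["ivrf"]]}
    return report
```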

APPENDIX A: Complete IPSec Aggregator Configuration

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IPSEC-1
!
boot system disk0:c7200-jk9s-mz.122-14.6.T2
logging queue-limit 100
enable password lab
!
username cisco password 0 cisco123
aaa new-model
!
!
aaa group server radius TOMCAT
 server 100.1.1.2 auth-port 1645 acct-port 1646
!
aaa authentication login locallist local
aaa authorization network locallist local
aaa accounting network acclist start-stop group TOMCAT
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 101:1
!
ip vrf vpn2
 rd 100:2
 route-target export 100:2
 route-target import 101:2
!
ip cef
mpls ldp logging neighbor-changes
tag-switching ip default-route
tag-switching tdp router-id Loopback0
!
!
crypto keyring vpn1
  pre-shared-key address 1.1.1.1 key nsite1
crypto keyring vpn2
  pre-shared-key address 4.1.1.1 key nsite3
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 45 5
crypto isakmp nat keepalive 120
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group vpn1group
 key cisco123
 pool vpn1
 acl group2
!
crypto isakmp client configuration group vpn2group
 key cisco456
 pool vpn2
 acl group2
crypto isakmp profile vpn1-ra
   vrf vpn1
   match identity group vpn1group
   client authentication list locallist
   isakmp authorization list locallist
   client configuration address respond
   accounting acclist
crypto isakmp profile vpn2-ra
   vrf vpn2
   match identity group vpn2group
   client authentication list locallist
   isakmp authorization list locallist
   client configuration address respond
   accounting acclist
crypto isakmp profile vpn1-static
   vrf vpn1
   keyring vpn1
   match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile vpn2-static
   vrf vpn2
   keyring vpn2
   match identity address 4.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set isaTransform esp-3des esp-sha-hmac
!
crypto dynamic-map dyna1 1
 set transform-set isaTransform
 set isakmp-profile vpn1-ra
 reverse-route
crypto dynamic-map dyna1 2
 set transform-set isaTransform
 set isakmp-profile vpn2-ra
 reverse-route
!
!
crypto map vpn 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set isaTransform
 set isakmp-profile vpn1-static
 match address vpn1acl
 reverse-route
crypto map vpn 2 ipsec-isakmp
 set peer 4.1.1.1
 set transform-set isaTransform
 set isakmp-profile vpn2-static
 match address vpn2acl
 reverse-route
crypto map vpn 10 ipsec-isakmp dynamic dyna1
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
controller ISA 4/1
!
interface Loopback0
 ip address 20.20.20.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 3.3.3.3 255.255.255.0
 duplex full
 crypto map vpn
!
interface FastEthernet1/0
 ip address 6.1.1.1 255.255.255.0
 duplex full
 tag-switching ip
!
router ospf 10
 log-adjacency-changes
 network 6.1.1.0 0.0.0.255 area 0
 network 20.20.20.1 0.0.0.0 area 0
!
router bgp 500
 no synchronization
 bgp log-neighbor-changes
 neighbor 20.20.20.2 remote-as 500
 neighbor 20.20.20.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 20.20.20.2 activate
 neighbor 20.20.20.2 send-community extended
 no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf vpn2
 redistribute static
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf vpn1
 redistribute static
 no auto-summary
 no synchronization
 exit-address-family
!
ip local pool vpn2 172.20.1.1 172.20.1.254 group vpn2
ip local pool vpn1 172.20.1.1 172.20.1.254 group vpn1
ip classless
ip route 0.0.0.0 0.0.0.0 3.3.3.100
no ip http server
no ip http secure-server
!
ip access-list extended group2
 permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended vpn1acl
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended vpn2acl
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip radius source-interface FastEthernet0/0
!
access-list 111 permit ip 10.0.0.0 0.255.255.255 172.20.1.0 0.0.0.255
!
radius-server host 100.1.1.2 auth-port 1645 acct-port 1646 key cisco123
radius-server authorization permit missing Service-Type
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password lab
!
!
end
