Jade.WTF

Cisco site-to-site VPN with outside VRF

Sunday, November 16, 2014

TL;DR: Outside interface is a VRF, inside on global, must Specify VRF on crypto keychain.

I recently set up a IPSec VPN between two Cisco routers where the Internet-facing interface was in a VRF and the tunnel interface was in not in a VRF.

network diagram showing two routers, each with two VRFs with tunnel between router A & B for VRF A, and also VRF B

The VTI was configured in the usual way:

interface Tunnel0
 description VPN: site2 via provider A
 ip address 192.168.1.1 255.255.255.254
 ip mtu 1438
 keepalive 5 3
 tunnel source 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.2
 tunnel vrf Outside-A
 tunnel protection ipsec profile vpn-to-site2-via-provider-a
!

With the usual crypto configuration:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key SecretKey address 192.0.2.2
crypto ipsec transform-set vpn-peer esp-aes esp-sha-hmac
crypto ipsec profile vpn-to-site2-via-provider-a
 set transform-set vpn-peer

but the tunnel wouldn’t come up.

“debug crypto isakmp” showed a error to the effect that a preshared key wasn’t configured or couldn’t be found for the peer. This was puzzling because there was clearly a preshared key defined.

There weren’t any messages in the debug logs about incoming connections or policy mismatches so I assumed that the problem was occurring before the router tried to communicate with its peer or it wasn’t seeing traffic from the peer.

From the documentation I found it seemed like the “tunnel vrf Outside-A” statement in the VTI was all that was necessary for IOS to know that the outside was in a VRF (the tunnel endpoint is in a VRF so the protection profile must be on the VRF as well). This turned out to not be the case. The vrf statement on the VTI is just for the tunnel. You need to specify the VRF in the crypto keyring definition otherwise the router isn’t looking for VPN traffic in the VRF.

I changed the crypto configuration to use a keyring and specified the outside vrf on the keyring definition:

crypto keyring vpn-peer vrf Outside-A
  pre-shared-key address 192.0.2.2 key SecretKey
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp profile vpn-to-site2-via-provider-a
   keyring vpn-peer
   match identity address 192.0.2.2 255.255.255.255
   keepalive 10 retry 5
!
!
crypto ipsec transform-set vpn-peer esp-aes esp-sha-hmac
!
crypto ipsec profile vpn-to-site2-via-provider-a
 set transform-set vpn-peer

and now it all works. Of course now that it’s working I find a Cisco doc on New Version Site-to-Site Configuration that shows this.

Want to keep reading? / go foward / go back