Sunday, February 11, 2018

VRF-Aware IKEv2 DMVPN (+ iVRF/fVRF + EIGRP)




R1
……………………………………………………………………………………………………………………………………………

vrf definition dmvpn
 !
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal prop-01
 encryption aes-cbc-128 aes-cbc-192
 integrity sha256 sha512
 group 14 15
!
crypto ikev2 policy pol-01
 proposal prop-01
!
crypto ikev2 keyring dmvpn-key
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile prof-01
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local dmvpn-key
!
crypto ipsec transform-set tset esp-aes 192 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile dmvpn
 set transform-set tset
 set ikev2-profile prof-01
!
interface Loopback0
 vrf forwarding dmvpn
 ip address 10.150.10.1 255.255.255.255
!
interface Tunnel0
 vrf forwarding dmvpn          !!! …. This defines the iVRF (the VRF the overlay addresses and EIGRP routes live in)
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 102
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
 ip address 10.150.1.1 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf dmvpn autonomous-system 102
  network 10.150.10.1 0.0.0.0
  network 192.168.1.1 0.0.0.0
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 10.150.1.2

R1# sh cry ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.150.1.1/500        10.150.5.1/500        none/dmvpn           READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/5847 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.150.1.1/500        10.150.6.1/500        none/dmvpn           READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4183 sec

 IPv6 Crypto IKEv2  SA


R5
……………………………………………………………………………………………………………………………………………

vrf definition dmvpn
 !
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal prop-01
 encryption aes-cbc-128 aes-cbc-192
 integrity sha256 sha512
 group 14 15
!
crypto ikev2 policy pol-01
 match fvrf dmvpn     !!! ….. Because the tunnel is invoked in a VRF (tunnel vrf), this policy must be assigned to the same front VRF
 match address local 10.150.5.1     !!! ….. The tunnel source address lives in the VRF routing table rather than the global routing table, so it is matched here explicitly
 proposal prop-01
!
crypto ikev2 keyring dmvpn-key
 peer R1
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile prof-01
 match fvrf dmvpn         !!! ….. Because the tunnel is invoked in a VRF (tunnel vrf), this profile must be assigned to the same front VRF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local dmvpn-key
!
crypto ipsec transform-set tset esp-aes 192 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile dmvpn
 set transform-set tset
 set ikev2-profile prof-01
!
interface Loopback0
 vrf forwarding dmvpn
 ip address 10.150.50.1 255.255.255.255
!
interface Tunnel0
 vrf forwarding dmvpn    !!! …. Assign the iVRF; on R5 it is the same VRF as the fVRF
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip nhrp map 192.168.1.1 10.150.1.1
 ip nhrp map multicast 10.150.1.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf dmvpn    !!! … Invoke the tunnel in the front VRF used by the tunnel source interface
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
 vrf forwarding dmvpn
 ip address 10.150.5.1 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf dmvpn autonomous-system 102
  network 10.150.50.1 0.0.0.0
  network 192.168.1.2 0.0.0.0
 exit-address-family
!
ip route vrf dmvpn 0.0.0.0 0.0.0.0 10.150.5.2

R5#sh cry ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.150.5.1/500        10.150.6.1/500        dmvpn/dmvpn          READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2475 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.150.5.1/500        10.150.1.1/500        dmvpn/dmvpn          READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/6088 sec

 IPv6 Crypto IKEv2  SA

R6 (same as R5, except that the fVRF differs from the iVRF)
……………………………………………………………………………………………………………………………………………

vrf definition fvrf-dmvpn
 !
 address-family ipv4
 exit-address-family
!
vrf definition ivrf-dmvpn
 !
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal prop-01
 encryption aes-cbc-128 aes-cbc-192
 integrity sha256 sha512
 group 14 15
!
crypto ikev2 policy pol-01
 match fvrf fvrf-dmvpn
 proposal prop-01
!
crypto ikev2 keyring dmvpn-key
 peer R1
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile prof-01
 match fvrf fvrf-dmvpn
 match identity remote address 0.0.0.0
 identity local address 10.150.6.1
 authentication local pre-share
 authentication remote pre-share
 keyring local dmvpn-key
!
crypto ipsec transform-set tset esp-aes 192 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile dmvpn
 set transform-set tset
 set ikev2-profile prof-01
!
interface Loopback0
 vrf forwarding ivrf-dmvpn
 ip address 10.150.60.1 255.255.255.255
!
interface Tunnel0
 vrf forwarding ivrf-dmvpn
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip nhrp map 192.168.1.1 10.150.1.1
 ip nhrp map multicast 10.150.1.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf fvrf-dmvpn
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
 vrf forwarding fvrf-dmvpn
 ip address 10.150.6.1 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf ivrf-dmvpn autonomous-system 102
  network 10.150.60.1 0.0.0.0
  network 192.168.1.3 0.0.0.0
 exit-address-family
!
ip route vrf fvrf-dmvpn 0.0.0.0 0.0.0.0 10.150.6.2

R6# sh cry ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.150.6.1/500        10.150.1.1/500        fvrf-dmvpn/ivrf-dm   READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4924 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.150.6.1/500        10.150.5.1/500        fvrf-dmvpn/ivrf-dm   READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2973 sec

 IPv6 Crypto IKEv2  SA
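As an added example (not part of the original post), a small Python check for the rule the R5 and R6 annotations encode: the tunnel source interface's VRF, `tunnel vrf`, and the IKEv2 profile's `match fvrf` must all name the same front VRF, or IKEv2 negotiates in the wrong table. The sample configs and the names `GOOD_CFG`/`BAD_CFG` are constructed for this example; the runtime confirmation is the fvrf/ivrf column of `show crypto ikev2 sa` above.

```python
def parse_blocks(cfg):
    """Added example: group IOS config into {command: [sub-commands]},
    dropping the inline '!!!' annotations used on this page."""
    blocks, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.split("!!!")[0].rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] == " " and cur is not None:
            blocks[cur].append(line.strip())
        elif line[0] != " ":
            cur, blocks[line] = line, []
    return blocks

def first(lines, prefix):
    # Argument of the first sub-command beginning with prefix, else None.
    for l in lines:
        if l.startswith(prefix):
            return l[len(prefix):].strip()
    return None

def check_fvrf(cfg, tunnel="Tunnel0"):
    """Return fVRF mismatches for the tunnel; an empty list means consistent."""
    b = parse_blocks(cfg)
    tun = b[f"interface {tunnel}"]
    src = first(tun, "tunnel source ")
    src_vrf = first(b.get(f"interface {src}", []), "vrf forwarding ") or "global"
    tun_fvrf = first(tun, "tunnel vrf ") or "global"
    ipsec = first(tun, "tunnel protection ipsec profile ")
    ikev2 = first(b[f"crypto ipsec profile {ipsec}"], "set ikev2-profile ")
    prof_fvrf = first(b[f"crypto ikev2 profile {ikev2}"], "match fvrf ") or "global"
    problems = []
    if src_vrf != tun_fvrf:
        problems.append(f"tunnel vrf {tun_fvrf} but source {src} is in {src_vrf}")
    if prof_fvrf not in ("any", tun_fvrf):  # 'match fvrf any' accepts every fVRF
        problems.append(f"profile {ikev2} matches fvrf {prof_fvrf}, tunnel uses {tun_fvrf}")
    return problems

# Constructed sample: R6-style spoke, fVRF != iVRF, everything consistent.
GOOD_CFG = """crypto ikev2 profile prof-01
 match fvrf fvrf-dmvpn
crypto ipsec profile dmvpn
 set ikev2-profile prof-01
interface Tunnel0
 vrf forwarding ivrf-dmvpn
 tunnel source GigabitEthernet0/0
 tunnel vrf fvrf-dmvpn
 tunnel protection ipsec profile dmvpn
interface GigabitEthernet0/0
 vrf forwarding fvrf-dmvpn"""
# Same spoke with 'tunnel vrf' forgotten: IKEv2 would be attempted in the global table.
BAD_CFG = GOOD_CFG.replace(" tunnel vrf fvrf-dmvpn\n", "")
```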
