Configuring VPNs on the IPSec VPN SPA

Table Of Contents

Configuring VPNs on the IPSec VPN SPA

Overview of Basic IPSec and IKE Configuration Concepts

Information About IPSec Configuration

Information About IKE Configuration

Configuring VPNs with the IPSec VPN SPA

Crypto-Connect Mode

VRF Mode

Configuring Ports in Crypto-Connect Mode

Understanding Port Types in Crypto-Connect Mode

Crypto-Connect Mode Configuration Guidelines and Restrictions

Configuring the IPSec VPN SPA Inside Port and Outside Port

Configuring an Access Port

Configuring a Routed Port

Configuring a Trunk Port

Configuring IPSec VPN SPA Connections to WAN Interfaces

Displaying the VPN Running State

Configuring VPNs in VRF Mode

Understanding VPN Configuration in VRF Mode

VRF Mode Configuration Guidelines and Restrictions

Configuring VPNs in VRF Mode without Tunnel Protection

Configuring VPNs in VRF Mode with Tunnel Protection

Configuring VRF Mode with Chassis-to-Chassis Stateless Failover

Configuring GRE Tunneling

Configuring GRE Tunneling in Crypto-Connect Mode

Configuring GRE Tunneling in VRF Mode

Configuring the GRE Takeover Criteria

Configuring IP Multicast over a GRE Tunnel

Configuring an IPSec Virtual Tunnel Interface

IPSec Virtual Tunnel Interface Configuration Guidelines and Restrictions

Configuring an IPSec Static Tunnel

Verifying the IPSec Virtual Tunnel Interface Configuration

Configuring VPNs in Crypto Connect Alternative Mode

Configuration Examples

Access Port in Crypto-Connect Mode Configuration Example

Routed Port in Crypto-Connect Mode Configuration Example

Trunk Port in Crypto-Connect Mode Configuration Example

IPSec VPN SPA Connections to WAN Interfaces Configuration Examples

GRE Tunneling in Crypto-Connect Mode Configuration Example

GRE Takeover Criteria Configuration Examples

IP Multicast over a GRE Tunnel Configuration Example

VRF Mode Configuration Examples

IPSec Virtual Tunnel Interfaces Configuration Examples


Configuring VPNs on the IPSec VPN SPA


This chapter provides information about configuring IPSec VPNs on the IPSec VPN SPA on the Cisco 7600 series router. It includes the following sections:

Overview of Basic IPSec and IKE Configuration Concepts

Configuring VPNs with the IPSec VPN SPA

Configuring Ports in Crypto-Connect Mode

Configuring VPNs in VRF Mode

Configuring GRE Tunneling

Configuring an IPSec Virtual Tunnel Interface

Configuring VPNs in Crypto Connect Alternative Mode

Configuration Examples


Note The procedures in this chapter assume you have familiarity with security configuration concepts, such as VLANs, ISAKMP policies, preshared keys, transform sets, access control lists, and crypto maps. For more information about these and other security configuration concepts, refer to the Cisco IOS Security Configuration Guide, Release 12.2 and Cisco IOS Security Command Reference, Release 12.2.


For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.

For more information about the commands used in this chapter, see first Chapter 37, "SIP, SSC, and SPA Commands," and then the Cisco 7600 Series Cisco IOS Command Reference, 12.2 SX publication. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information about accessing these publications, see the "Related Documentation" section on page xliv.


Tip To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the configuration summaries and guidelines before you perform any configuration tasks.


Overview of Basic IPSec and IKE Configuration Concepts

This subsection reviews some basic IPSec and IKE concepts that are used throughout the configuration of the IPSec VPN SPA, such as security associations (SAs), access lists (ACLs), crypto maps, transform sets, and IKE policies. The information presented here is introductory and should not be considered complete. For more detailed information on IPSec and IKE concepts and procedures, refer to the Cisco IOS Security Configuration Guide.

Information About IPSec Configuration

IPSec provides secure tunnels between two peers, such as two routers. More accurately, these tunnels are sets of security associations (SAs) that are established between two IPSec peers. The SAs define which protocols and algorithms should be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol (Authentication Header (AH) or Encapsulating Security Payload (ESP)). Multiple IPSec tunnels can exist between two peers to secure different data streams, with each tunnel using a separate set of SAs. For example, some data streams might be authenticated only while other data streams must both be encrypted and authenticated.


Note The use of the term "tunnel" in this subsection does not refer to using IPSec in tunnel mode.


With IPSec, you define what traffic should be protected between two IPSec peers by configuring ACLs and applying these ACLs to interfaces by way of crypto maps. (The ACLs used for IPSec are used only to determine which traffic should be protected by IPSec, not which traffic should be blocked or permitted through the interface. Separate ACLs define blocking and permitting at the interface.)

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you must create two different crypto ACLs to define the two different types of traffic. These different ACLs are then used in different crypto map entries, which specify different IPSec policies.

Crypto ACLs associated with IPSec crypto map entries have four primary functions:

Select outbound traffic to be protected by IPSec (permit = protect).

Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when initiating negotiations for IPSec security associations.

Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec.

Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. Negotiation is performed only for ipsec-isakmp crypto map entries. In order to be accepted, if the peer initiates the IPSec negotiation, it must specify a data flow that is "permitted" by a crypto ACL associated with an ipsec-isakmp crypto map entry.

Crypto map entries created for IPSec combine the various parts used to set up IPSec SAs, including:

Which traffic should be protected by IPSec (per a crypto ACL)

The granularity of the flow to be protected by a set of SAs

Where IPSec-protected traffic should be sent (the name of the remote IPSec peer)

The local address to be used for the IPSec traffic

What IPSec SA should be applied to this traffic (selecting from a list of one or more transform sets)

Whether SAs are manually established or are established via IKE

Other parameters that might be necessary to define an IPSec SA

Crypto map entries are searched in order—the router attempts to match the packet to the access list specified in that entry.

Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec-protected traffic.

You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers' IPSec SAs. (With manually established SAs, there is no negotiation with the peer, so both sides must specify the same transform set.)
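The rules above (crypto map entries searched in sequence order, the first entry whose crypto ACL permits a flow protects it with that entry's transform set, inbound cleartext that a crypto ACL says should have been protected is dropped, and an ACL with no lines protects nothing) are easy to get wrong when reading a large crypto map. The following Python model is an added example, not code from this Cisco guide: it implements those selection rules over constructed addresses, ACL entries, peer addresses and transform-set names. Two details go slightly beyond the text: a deny line in a crypto ACL means the entry does not select the packet and the search continues with the next entry, and inbound packets are evaluated with source and destination mirrored, which is how crypto ACLs are applied to inbound traffic.

```python
"""Model of crypto ACL and crypto map selection (added example, not from the Cisco guide)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address


def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str            # "permit" = protect, "deny" = not selected by this entry
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    def matches(self, src: str, dst: str) -> bool:
        return (matches_wildcard(src, self.src, self.src_wild)
                and matches_wildcard(dst, self.dst, self.dst_wild))


def acl_permits(acl: list[AclEntry], src: str, dst: str) -> bool:
    """First matching line decides; an empty ACL or no match means 'not protected'."""
    for entry in acl:
        if entry.matches(src, dst):
            return entry.action == "permit"
    return False


@dataclass
class CryptoMapEntry:
    seq: int               # lower sequence number = searched first
    acl: list[AclEntry]
    peer: str
    transform_set: str


def outbound_policy(crypto_map: list[CryptoMapEntry], src: str, dst: str):
    """Return (seq, peer, transform_set) of the first entry whose ACL permits the
    flow, or None when the packet leaves the interface in the clear."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_permits(entry.acl, src, dst):
            return entry.seq, entry.peer, entry.transform_set
    return None


def inbound_accept(crypto_map: list[CryptoMapEntry], src: str, dst: str,
                   was_protected: bool) -> bool:
    """Inbound check: the flow is evaluated mirrored (remote source is our destination).
    Cleartext that should have been protected is discarded; everything else passes."""
    should_be_protected = outbound_policy(crypto_map, dst, src) is not None
    return was_protected or not should_be_protected


# Constructed crypto map: entry 10 encrypts and authenticates one subnet pair,
# entry 20 authenticates only a wider range but excludes the 10.1.1.0/24 subnet.
MYMAP = [
    CryptoMapEntry(seq=10, peer="192.0.2.2", transform_set="esp-aes esp-sha-hmac",
                   acl=[AclEntry("permit", "10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255")]),
    CryptoMapEntry(seq=20, peer="192.0.2.3", transform_set="ah-sha-hmac",
                   acl=[AclEntry("deny", "10.1.1.0", "0.0.0.255", "10.3.0.0", "0.0.255.255"),
                        AclEntry("permit", "10.1.0.0", "0.0.255.255", "10.3.0.0", "0.0.255.255")]),
]

# A crypto map whose only entry references an ACL with no lines: nothing is protected.
EMPTY_ACL_MAP = [CryptoMapEntry(seq=10, acl=[], peer="192.0.2.2",
                                transform_set="esp-aes esp-sha-hmac")]
```

Calling `outbound_policy(MYMAP, "10.1.1.5", "10.3.0.1")` returns `None`: entry 10 does not match the destination and entry 20's deny line excludes the source subnet, so that traffic would leave in the clear even though a permit for 10.1.0.0/16 follows. `EMPTY_ACL_MAP` reproduces the guideline that a crypto map attached with an empty ACL sends all traffic unencrypted.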

Information About IKE Configuration

IKE is a key management protocol standard that is used in conjunction with the IPSec standard.

IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)

IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is enabled by default.

You configure IKE by creating IKE policies at each peer using the crypto isakmp policy command. An IKE policy defines a combination of security parameters to be used during the IKE negotiation and mandates how the peers are authenticated.

You can create multiple IKE policies, each with a different combination of parameter values, but at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer. For each policy that you create, you assign a unique priority (1 through 10,000, with 1 being the highest priority).

If you do not configure any policies, your router uses the default policy, which is always set to the lowest priority, and which contains each parameter's default value.

There are five parameters to define in each IKE policy:

Encryption algorithm

Hash algorithm

Authentication method

Diffie-Hellman group identifier

Security association lifetime

Configuring VPNs with the IPSec VPN SPA

To configure a VPN using the IPSec VPN SPA, you have two basic options: crypto-connect mode or Virtual Routing and Forwarding (VRF) mode. In either mode, you may also configure GRE tunneling to encapsulate a wide variety of protocol packet types, including multicast packets, inside the VPN tunnel.


Note Switching between crypto-connect mode and VRF mode requires a reload.


Crypto-Connect Mode

Traditionally, VPNs are configured on the IPSec VPN SPA by attaching crypto maps to interface VLANs and then crypto-connecting a physical port to the interface VLAN. This method, known as crypto-connect mode, is similar to the method used to configure VPNs on routers running Cisco IOS software. When you configure VPNs on the IPSec VPN SPA using crypto-connect mode, you attach crypto maps to VLANs (using interface VLANs); when you configure VPNs on routers running Cisco IOS software, you configure individual interfaces.


Note With the IPSec VPN SPA, crypto maps are still attached to individual interfaces but the set of interfaces allowed is restricted to interface VLANs.


VRF Mode

The VRF-aware IPSec feature, known as VRF mode, allows you to map IPSec tunnels to VPN routing and forwarding instances (VRFs) using a single public-facing address. A VRF instance is a per-VPN routing information repository that defines the VPN membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and CEF tables is maintained for each VPN customer.

When you configure a VPN on the IPSec VPN SPA using VRF mode, the model of interface VLANs is preserved, but the crypto connect vlan command is not used. Instead, a route must be installed so that packets destined for that particular subnet in that particular VRF are directed to that interface VLAN.

When configuring a VPN using VRF mode, you have these additional tunneling options: tunnel protection (TP) using GRE, and Virtual Tunnel Interface (VTI). When configuring VTI, you can terminate tunnels in VRFs (normal VRF mode) or in the global context, using crypto connect alternative (CCA) mode.

Configuring Ports in Crypto-Connect Mode

Before beginning your crypto-connect mode port configurations, you should read the following subsections:

Understanding Port Types in Crypto-Connect Mode

Crypto-Connect Mode Configuration Guidelines and Restrictions

Then perform the procedures in the following subsections:

Configuring the IPSec VPN SPA Inside Port and Outside Port

Configuring an Access Port

Configuring a Routed Port

Configuring a Trunk Port

Configuring IPSec VPN SPA Connections to WAN Interfaces

Displaying the VPN Running State


Note The configuration procedures in this section do not provide GRE tunneling support. For information on how to configure GRE tunneling support in crypto connect mode, see the "Configuring GRE Tunneling in Crypto-Connect Mode" section.



Note The procedures in this section do not provide detailed information on configuring the following Cisco IOS features: IKE policies, preshared key entries, Cisco IOS ACLs, and crypto maps. For detailed information on configuring these features, refer to the following Cisco IOS documentation:

Cisco IOS Security Configuration Guide, Release 12.2, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm

Cisco IOS Security Command Reference, Release 12.2, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.ht


Understanding Port Types in Crypto-Connect Mode

To configure IPSec VPNs in crypto-connect mode, you should understand the following concepts:

Router Outside Ports and Inside Ports

IPSec VPN SPA Outside Port and Inside Port

Port VLAN and Interface VLAN

Access Ports, Trunk Ports, and Routed Ports

Router Outside Ports and Inside Ports

The Fast Ethernet or Gigabit Ethernet ports on the Cisco 7600 series router that connect to the WAN routers are referred to as router outside ports. These ports connect the LAN to the Internet or to remote sites. Cryptographic policies are applied to the router outside ports.

The Fast Ethernet or Gigabit Ethernet ports on the Cisco 7600 series router that connect to the LAN are referred to as router inside ports.

The IPSec VPN SPA sends encrypted packets to the router outside ports and decrypted packets to the Policy Feature Card (PFC) for Layer 3 forwarding to the router inside ports.

IPSec VPN SPA Outside Port and Inside Port

The IPSec VPN SPA appears to the CLI as a SPA with two Gigabit Ethernet ports. The IPSec VPN SPA has no external connectors; the Gigabit Ethernet ports connect the IPSec VPN SPA to the router backplane and Switch Fabric Module (SFM) (if installed).

One Gigabit Ethernet port handles all the traffic going to and coming from the router outside ports. This port is referred to as the IPSec VPN SPA outside port. The other Gigabit Ethernet port handles all traffic going to and coming from the LAN or router inside ports. This port is referred to as the IPSec VPN SPA inside port.

Port VLAN and Interface VLAN

Your VPN configuration can have one or more router outside ports. To handle the packets from multiple router outside ports, you must direct the packets from multiple router outside ports to the IPSec VPN SPA outside port by placing the router outside ports in a VLAN with the outside port of the IPSec VPN SPA. This VLAN is referred to as the port VLAN. The port VLAN is a Layer 2-only VLAN. You do not configure Layer 3 addresses or features on this VLAN; the packets within the port VLAN are bridged by the PFC.

Before the router can forward the packets using the correct routing table entries, the router needs to know which interface a packet was received on. For each port VLAN, you must create another VLAN so that the packets from every router outside port are presented to the router with the corresponding VLAN ID. This VLAN contains only the IPSec VPN SPA inside port and is referred to as the interface VLAN. The interface VLAN is a Layer 3-only VLAN. You configure the Layer 3 address and Layer 3 features, such as ACLs and the crypto map, to the interface VLAN.

You tie the port VLAN and the interface VLAN together using the crypto engine slot command on the interface VLAN followed by the crypto connect vlan command on the port VLAN. Figure 29-1 shows an example of the port VLAN and interface VLAN configurations.

Figure 29-1 Port VLAN and Interface VLAN Configuration Example

Port VLAN 502 and port VLAN 503 are the port VLANs that are associated with two router outside ports.

Interface VLAN 2 and interface VLAN 3 are the interface VLANs that correspond to port VLAN 502 and port VLAN 503, respectively.

You configure the IP address, ACLs, and crypto map that apply to one router outside port on interface VLAN 2. You configure the features that apply to another router outside port on interface VLAN 3.

Packets coming from the WAN through the router outside port belonging to VLAN 502 are directed by the PFC to the IPSec VPN SPA outside port. The IPSec VPN SPA decrypts the packets and changes the VLAN to interface VLAN 2 and then presents the packet to the router through the IPSec VPN SPA inside port. The PFC then routes the packet to the proper destination.

Packets going from the LAN to the outside ports are first routed by the PFC. Based on the route, the PFC routes the packets to one of the interface VLANs and directs the packet to the IPSec VPN SPA inside port. The IPSec VPN SPA applies the cryptographic policies that are configured on the corresponding interface VLAN, encrypts the packet, changes the VLAN ID to the corresponding port VLAN, and sends the packet to the router outside port through the IPSec VPN SPA outside port.

Access Ports, Trunk Ports, and Routed Ports

When you configure VPNs on the IPSec VPN SPA using crypto-connect mode, you attach crypto maps to interface VLANs. Using the crypto connect vlan command, you then attach an interface VLAN either to a Layer 2 port VLAN associated with one or more physical ports, or directly to a physical port. The physical ports can be ATM, POS, serial, or Ethernet ports.

When you crypto-connect an interface VLAN to a port VLAN that is attached to one or more Ethernet ports configured in switchport mode, the Ethernet ports can be configured as either access ports or trunk ports:

Access ports—Access ports are switch ports that have an external or VLAN Trunk Protocol (VTP) VLAN associated with them. You can associate more than one port to a defined VLAN.

Trunk ports—Trunk ports are switch ports that carry many external or VTP VLANs, on which all packets are encapsulated with an 802.1Q header.

When you crypto-connect an interface VLAN to a physical Ethernet port without defining a port VLAN, a hidden port VLAN is automatically created and associated with the port. In this configuration, the Ethernet port is a routed port:

Routed ports—By default, every Ethernet port is a routed port until it is configured as a switch port. A routed port may or may not have an IP address assigned to it, but its configuration does not include the switchport command.

Crypto-Connect Mode Configuration Guidelines and Restrictions

Follow these guidelines and restrictions to prevent IPSec VPN SPA misconfigurations when configuring VPN ports in crypto-connect mode:

Ethernet ports installed in a Cisco 7600 SIP-400 in the chassis cannot be configured as switch ports.

Be careful about removing a line in a crypto ACL because removing a line causes all crypto maps using that ACL to be removed and reattached to the IPSec VPN SPA. This action causes intermittent connectivity problems for all the security associations (SAs) derived from the crypto maps that reference that ACL.

Do not attach a crypto map set to a loopback interface. However, you can maintain an IPSec security association database independent of physical ingress and egress interfaces with the IPSec VPN SPA by entering the crypto map local-address command.

If you apply the same crypto map set to each secure interface and enter the crypto map local-address command with the interface as a loopback interface, you will have a single security association database for the set of secure interfaces. If you do not enter the crypto map local-address command, the number of IKE security associations is equal to the number of interfaces attached.

Be aware that if you configure a crypto map with an empty ACL (an ACL that is defined but has no lines) and attach the crypto map to an interface, all traffic goes out of the interface in the clear (unencrypted) state.

Do not convert existing crypto-connected port characteristics. When the characteristics of a crypto-connected access port or a routed port change (switch port to routed port or vice versa), the associated crypto connection is deleted.

Do not remove the interface VLAN or port VLAN from the VLAN database. All interface VLANs and port VLANs must be in the VLAN database. When you remove these VLANs from the VLAN database, the running traffic stops.

When you enter the crypto connect vlan command and the interface VLAN or port VLAN is not in the VLAN database, this warning message is displayed:

VLAN id 2 not found in current VLAN database. It may not function correctly unless
VLAN 2 is added to VLAN database.

When replacing a crypto map on an interface, always enter the no crypto map command before reapplying a crypto map on the interface.

Be aware that after a supervisor engine switchover, the installed SPAs reboot and come back online. During this period, the IPSec VPN SPA's established security associations (SAs) are temporarily lost and are reconstructed after the SPA comes back online. The reconstruction is through IKE (it is not instantaneous).

Configuring the IPSec VPN SPA Inside Port and Outside Port

In most cases, you do not explicitly configure the IPSec VPN SPA inside and outside ports. Cisco IOS software configures these ports automatically.

IPSec VPN SPA Inside and Outside Port Configuration Guidelines and Restrictions

When configuring the IPSec VPN SPA inside and outside ports, follow these guidelines:

Do not configure the IPSec VPN SPA outside port. Cisco IOS software configures the port automatically.

Do not configure the inside trunk port. Cisco IOS software configures the port automatically based on the crypto engine slot command.

Do not change the port characteristics of the IPSec VPN SPA inside port unless it is necessary to set the trusted state.


Note Although the default trust state of the inside port is trusted, certain global settings may cause the state to change. You may need to configure the mls qos trust command on the inside port to set the interface to the trusted state.


If you accidentally change the inside port characteristics, enter the following commands to return the port characteristics to the defaults:

Router(config-if)# switchport
Router(config-if)# no switchport access vlan
Router(config-if)# switchport trunk allowed vlan 1,1002-1005
Router(config-if)# switchport trunk encapsulation dot1q
Router(config-if)# switchport mode trunk
Router(config-if)# mtu 9216
Router(config-if)# flow control receive on
Router(config-if)# flow control send off
Router(config-if)# span portfast trunk

Do not remove a VLAN from the IPSec VPN SPA inside port. The running traffic stops when you remove an interface VLAN from the IPSec VPN SPA inside port while the crypto connection to the interface VLAN exists. The crypto connection is not removed and the crypto connect vlan command still shows up in the show running-config command display. If you enter the write memory command with this running configuration, your startup-configuration file would be misconfigured.


Note It is not possible to remove an interface VLAN from the IPSec VPN SPA inside port while the crypto connection to the interface VLAN exists. You must first remove the crypto connection.


Do not remove a VLAN from the IPSec VPN SPA outside port. The running traffic stops when you remove a port VLAN from the IPSec VPN SPA outside port while the crypto connection to the interface VLAN exists. The crypto connection is not removed and the crypto connect vlan command still shows up in the show running-config command display. Removing a VLAN from the IPSec VPN SPA outside port does not affect anything in the startup-configuration file because the port VLAN is automatically added to the IPSec VPN SPA outside port when the crypto connect vlan command is entered.

Configuring an Access Port

This section describes how to configure the IPSec VPN SPA with an access port connection to the WAN router (see Figure 29-2).

Figure 29-2 Access Port Configuration Example


Note Ethernet ports installed in a Cisco 7600 SIP-400 in the chassis cannot be configured as switch ports.



Note For detailed information on configuring IKE policies, preshared key entries, Cisco IOS ACLs, and crypto maps, refer to the following Cisco IOS documentation:

Cisco IOS Security Configuration Guide, Release 12.2, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm

Cisco IOS Security Command Reference, Release 12.2, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htm


To configure an access port connection to the WAN router, perform the following task beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto isakmp policy priority

...

Router(config-isakmp)# exit

Defines an ISAKMP policy and enters ISAKMP policy configuration mode.

priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.

For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.

Step 2 

Router(config)# crypto isakmp key keystring address peer-address

Configures a preshared authentication key.

keystring—Preshared key.

peer-address—IP address of the remote peer.

For details on configuring a preshared key, see the Cisco IOS Security Configuration Guide.

Step 3 

Router(config)# crypto ipsec transform-set transform-set-name transform1[transform2[transform3]]

...

Router(config-crypto-tran)# exit

Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.

transform-set-name—Name of the transform set.

transform1[transform2[transform3]]—Defines IPSec security protocols and algorithms.

For accepted transformx values, and more details on configuring transform sets, see the Cisco IOS Security Command Reference.

Step 4 

Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard

Defines an extended IP access list.

access-list-number—Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

{deny | permit}—Denies or permits access if the conditions are met.

source—Address of the host from which the packet is being sent.

source-wildcard—Wildcard bits to be applied to the source address.

destination—Address of the host to which the packet is being sent.

destination-wildcard—Wildcard bits to be applied to the destination address.

For details on configuring an access list, see the Cisco IOS Security Configuration Guide.

Step 5 

Router(config)# crypto map map-name seq-number ipsec-isakmp

...

Router(config-crypto-map)# exit

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

map-name—Name that identifies the crypto map set.

seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.

ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.

For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide.

Step 6 

Router(config)# vlan inside-vlan-id

Adds the VLAN ID into the VLAN database.

inside-vlan-id—VLAN identifier.

Step 7 

Router(config)# vlan outside-vlan-id

Adds the VLAN ID into the VLAN database.

outside-vlan-id—VLAN identifier.

Step 8 

Router(config)# interface vlan inside-vlan-id

Enters interface configuration mode for the specified VLAN interface.

inside-vlan-id—VLAN identifier.

Step 9 

Router(config-if)# description inside_interface_vlan_for_crypto_map

(Optional) Adds a comment to help identify the interface.

Step 10 

Router(config-if)# ip address address mask

Specifies the IP address and subnet mask for the interface.

address—IP address.

mask—Subnet mask.

Step 11 

Router(config-if)# crypto map map-name

Applies a previously defined crypto map set to the interface.

map-name—Name that identifies the crypto map set. Enter the map-name value you created in Step 5.

Step 12 

Router(config-if)# no shutdown

Enables the interface as a Layer 3 inside interface VLAN.

Step 13 

Router(config-if)# crypto engine slot slot

Assigns the crypto engine to the inside interface VLAN.

slot—Enter the slot where the IPSec VPN SPA is located.

Step 14 

Router(config)# interface vlan outside-vlan-id

Enters interface configuration mode for the specified VLAN interface.

outside-vlan-id—VLAN identifier.

Step 15 

Router(config-if)# description outside_access_vlan

(Optional) Adds a comment to help identify the interface.

Step 16 

Router(config-if)# no shutdown

Enables the interface as an outside access port VLAN.

Step 17 

Router(config-if)# crypto connect vlan inside-vlan-id

Connects the outside access port VLAN to the inside interface VLAN and enters crypto-connect mode.

inside-vlan-id—VLAN identifier.

Step 18 

Router(config-if)# interface gigabitethernet slot/subslot/port

Enters interface configuration mode for the secure port.

Step 19 

Router(config-if)# description outside_secure_port

(Optional) Adds a comment to help identify the interface.

Step 20 

Router(config-if)# switchport

Configures the interface for Layer 2 switching.

Step 21 

Router(config-if)# switchport access vlan outside-vlan-id

Specifies the default VLAN for the interface.

outside-vlan-id—VLAN identifier.

Step 22 

Router(config-if)# exit

Exits interface configuration mode.

For access port configuration examples, see the "Access Port in Crypto-Connect Mode Configuration Example" section.

Verifying the Access Port Configuration

To verify an access port configuration, enter the show crypto vlan command.

Router# show crypto vlan

Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to VLAN 502 with crypto map set MyMap
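The show crypto vlan output confirms that the crypto connection exists, but it does not catch the misconfigurations listed in the guidelines earlier in this section: a crypto map whose ACL has no lines (all traffic leaves in the clear), a crypto map set attached to a loopback interface, an interface VLAN or port VLAN missing from the VLAN database, or a port VLAN crypto-connected to an interface VLAN that has no crypto engine slot command. The following Python audit is an added example, not Cisco's code: it parses a constructed running-config assembled from the access-port procedure above (IPSec VPN SPA assumed in slot 4, WAN-facing port assumed to be GigabitEthernet1/1, documentation addresses, a placeholder preshared key) and reports each of those four conditions, using the interface VLAN 2 / port VLAN 502 / MyMap values from the Port VLAN and Interface VLAN discussion.

```python
"""Crypto-connect configuration audit (added example, not Cisco's code).
Checks a constructed IOS-style running-config against four guidelines from the
text: empty crypto ACL, crypto map on a loopback, crypto-connected VLAN missing
from the VLAN database, interface VLAN crypto-connected without crypto engine slot."""

# Constructed configuration following the access-port procedure: SPA assumed in
# slot 4, WAN-facing port assumed to be GigabitEthernet1/1, placeholder preshared key.
GOOD_CONFIG = """\
vlan 2
vlan 502
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 192.0.2.2
crypto ipsec transform-set MySet esp-aes esp-sha-hmac
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map MyMap 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set MySet
 match address 101
interface Vlan2
 ip address 192.0.2.1 255.255.255.0
 crypto map MyMap
 crypto engine slot 4
interface Vlan502
 crypto connect vlan 2
interface GigabitEthernet1/1
 switchport
 switchport access vlan 502
"""

# The same configuration with four constructed mistakes appended.
BAD_CONFIG = GOOD_CONFIG + """\
vlan 503
crypto map MyMap 20 ipsec-isakmp
 set peer 192.0.2.3
 match address 102
interface Loopback0
 crypto map MyMap
interface Vlan3
 crypto map MyMap
interface Vlan503
 crypto connect vlan 3
"""


def parse_config(text):
    """Extract VLAN ids, ACL lines, crypto map entries and crypto commands on interfaces."""
    vlans, acls, maps, ifaces = set(), {}, [], {}
    ctx = None                                   # (kind, object) of the open indented block
    for raw in text.splitlines():
        p = raw.split()
        if not p or raw.startswith("!"):
            continue
        if not raw.startswith(" "):              # top-level command closes any open block
            ctx = None
            if p[0] == "vlan" and len(p) > 1 and p[1].isdigit():
                vlans.add(int(p[1]))
            elif p[0] == "access-list":
                acls.setdefault(p[1], []).append(p)
            elif p[:2] == ["ip", "access-list"] and len(p) > 3:
                ctx = ("acl", acls.setdefault(p[3], []))
            elif p[:2] == ["crypto", "map"] and len(p) > 3 and p[3].isdigit():
                maps.append({"name": p[2], "seq": int(p[3]), "acl": None})
                ctx = ("map", maps[-1])
            elif p[0] == "interface":
                ifaces[p[1]] = {"map": None, "slot": None, "connect": None}
                ctx = ("if", ifaces[p[1]])
        elif ctx:
            kind, obj = ctx
            if kind == "acl" and p[0] in ("permit", "deny"):
                obj.append(p)
            elif kind == "map" and p[:2] == ["match", "address"]:
                obj["acl"] = p[2]
            elif kind == "if" and p[:2] == ["crypto", "map"]:
                obj["map"] = p[2]
            elif kind == "if" and p[:3] == ["crypto", "engine", "slot"]:
                obj["slot"] = int(p[3])
            elif kind == "if" and p[:3] == ["crypto", "connect", "vlan"]:
                obj["connect"] = int(p[3])
    return {"vlans": vlans, "acls": acls, "maps": maps, "ifaces": ifaces}


def lint(cfg):
    """Return one finding per guideline violation; an empty list means clean."""
    findings = []
    for m in cfg["maps"]:
        if not any("permit" in p for p in cfg["acls"].get(m["acl"], [])):
            findings.append(f"crypto map {m['name']} {m['seq']}: ACL {m['acl']} has no "
                            "permit lines, so traffic on interfaces using it leaves in the clear")
    for name, i in cfg["ifaces"].items():
        if i["map"] and name.lower().startswith("loopback"):
            findings.append(f"{name}: crypto map set {i['map']} attached to a loopback interface")
        if i["connect"] is None:
            continue
        own = int(name[4:]) if name.lower().startswith("vlan") else None
        for vid in (own, i["connect"]):
            if vid is not None and vid not in cfg["vlans"]:
                findings.append(f"{name}: VLAN {vid} not found in VLAN database")
        target = cfg["ifaces"].get(f"Vlan{i['connect']}")
        if target is None or target["slot"] is None:
            findings.append(f"{name}: crypto connect vlan {i['connect']} but "
                            f"Vlan{i['connect']} has no crypto engine slot")
    return findings
```

Run `lint(parse_config(BAD_CONFIG))` to see the four findings; the clean configuration produces none. The parser only models the commands the checks need, so a real running-config should be fed through it after `show running-config` rather than trusted as complete coverage of every guideline in this section.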

Configuring a Routed Port

This section describes how to configure the IPSec VPN SPA with a routed port connection to the WAN router (see Figure 29-3).


Note When a routed port without an IP address is crypto-connected to an interface VLAN, a hidden port VLAN is created automatically. This port VLAN is not explicitly configured by the user and does not appear in the running configuration.


Figure 29-3 Routed Port Configuration Example


Note For detailed information on configuring IKE policies, preshared key entries, Cisco IOS ACLs, and crypto maps, refer to the following Cisco IOS documentation:

Cisco IOS Security Configuration Guide, Release 12.2, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm

Cisco IOS Security Command Reference, Release 12.2, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htm


Routed Port Configuration Guidelines

When configuring a routed port using the IPSec VPN SPA, follow these configuration guidelines:

When a routed port has a crypto connection, IP ACLs cannot be attached to the routed port. Instead, you can apply IP ACLs to the attached interface VLAN.

Unlike an access port or trunk port, the routed port does not use the switchport command in its configuration.

To configure a routed port connection to the WAN router, perform this task beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto isakmp policy priority

...

Router(config-isakmp)# exit

Defines an ISAKMP policy and enters ISAKMP policy configuration mode.

priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.

For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.

Step 2 

Router(config)# crypto isakmp key keystring address peer-address

Configures a preshared authentication key.

keystring—Preshared key.

peer-address—IP address of the remote peer.

For details on configuring a preshared key, see the Cisco IOS Security Configuration Guide.

Step 3 

Router(config)# crypto ipsec transform-set transform-set-name transform1[transform2[transform3]]

...

Router(config-crypto-tran)# exit

Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.

transform-set-name—Name of the transform set.

transform1[transform2[transform3]]—Defines IPSec security protocols and algorithms.

For accepted transformx values, and more details on configuring transform sets, see the Cisco IOS Security Command Reference.

Step 4 

Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard

Defines an extended IP access list.

access-list-number—Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

{deny | permit}—Denies or permits access if the conditions are met.

source—Address of the host from which the packet is being sent.

source-wildcard—Wildcard bits to be applied to the source address.

destination—Address of the host to which the packet is being sent.

destination-wildcard—Wildcard bits to be applied to the destination address.

For details on configuring an access list, see the Cisco IOS Security Configuration Guide.

Step 5 

Router(config)# crypto map map-name seq-number ipsec-isakmp

...

Router(config-crypto-map)# exit

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

map-name—Name that identifies the crypto map set.

seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.

ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.

For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide.

Step 6 

Router(config)# vlan inside-vlan-id

Adds the VLAN ID into the VLAN database.

inside-vlan-id—VLAN identifier.

Step 7 

Router(config)# interface vlan inside-vlan-id

Enters interface configuration mode for the specified VLAN interface.

inside-vlan-id—VLAN identifier.

Step 8 

Router(config-if)# description inside_interface_vlan_for_crypto_map

(Optional) Adds a comment to help identify the interface.

Step 9 

Router(config-if)# ip address address mask

Specifies the IP address and subnet mask for the interface.

address—IP address.

mask—Subnet mask.

Step 10 

Router(config-if)# crypto map map-name

Applies a previously defined crypto map set to the interface.

map-name—Name that identifies the crypto map set. Enter the map-name value you created in Step 5.

Step 11 

Router(config-if)# no shutdown

Enables the interface as a Layer 3 inside interface VLAN.

Step 12 

Router(config-if)# crypto engine slot slot

Assigns the crypto engine to the inside interface VLAN.

slot—Enter the slot where the IPSec VPN SPA is located.

Step 13 

Router(config-if)# interface gigabitethernet slot/subslot/port

Enters interface configuration mode for the secure port.

Step 14 

Router(config-if)# description outside_secure_port

(Optional) Adds a comment to help identify the interface.

Step 15 

Router(config-if)# crypto connect vlan inside-vlan-id

Connects the routed port to the inside interface VLAN and enters crypto-connect mode.

inside-vlan-id—VLAN identifier.

Step 16 

Router(config-if)# exit

Exits interface configuration mode.

For routed port configuration examples, see the "Routed Port in Crypto-Connect Mode Configuration Example" section.

Verifying a Routed Port Configuration

To verify a routed port configuration, enter the show crypto vlan command. In the following example, Gi1/2 is the crypto-connected port:

Router# show crypto vlan

Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to Gi1/2 with crypto map set MyMap

Configuring a Trunk Port


Caution When you configure an Ethernet port as a trunk port, all the VLANs are allowed on the trunk port by default. This default configuration does not work well with the IPSec VPN SPA and causes network loops. To avoid this problem, you must explicitly specify only the desirable VLANs.

This section describes how to configure the IPSec VPN SPA with a trunk port connection to the WAN router (see Figure 29-4).

Figure 29-4 Trunk Port Configuration Example


Note Ethernet ports installed in a Cisco 7600 SIP-400 in the chassis cannot be configured as switch ports.



Note For detailed information on configuring IKE policies, preshared key entries, Cisco IOS ACLs, and crypto maps, refer to the following Cisco IOS documentation:

Cisco IOS Security Configuration Guide, Release 12.2, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm

Cisco IOS Security Command Reference, Release 12.2, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htm


Trunk Port Configuration Guidelines

When configuring a trunk port using the IPSec VPN SPA, follow these configuration guidelines:

When you configure a trunk port for cryptographic connection, do not use the "all VLANs allowed" default. You need to explicitly specify all the desirable VLANs using the switchport trunk allowed vlan command.

Due to an incorrect startup configuration or through the default trunk port configuration, an interface VLAN might be associated with a trunk port. When you try to remove the interface VLAN from the VLAN list, you might receive an error message similar to the following:

Command rejected:VLAN 2 is crypto connected to V502.

To remove the interface VLAN from the VLAN list, enter the following commands:

Router# configure terminal
Router(config)# interface gigabitethernet1/2
Router(config-if)# no switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 1
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 1,502,1002-1005

Note VLANs in the VLAN list must not include any interface VLANs.


To ensure that no interface VLANs are associated when you put an Ethernet port into the trunk mode, enter the following commands in the exact order given:

Router# configure terminal
Router(config)# interface gigabitethernet1/2
Router(config-if)# no shutdown
Router(config-if)# switchport 
Router(config-if)# switchport trunk allowed vlan 1
Router(config-if)# switchport trunk encapsulation dot1q
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 1,502,1002-1005

Note VLANs in the VLAN list must not include any interface VLANs.


A common mistake when configuring a trunk port occurs when you use the add option as follows:

Router(config-if)# switchport trunk allowed vlan add 502

If the switchport trunk allowed vlan command has not already been used, the add option does not make VLAN 502 the only allowed VLAN on the trunk port; all VLANs are still allowed after entering the command because all the VLANs are allowed by default. After you use the switchport trunk allowed vlan command to add a VLAN, you can then use the switchport trunk allowed vlan add command to add additional VLANs.

To remove unwanted VLANs from a trunk port, use the switchport trunk allowed vlan remove command.


Caution Do not enter the switchport trunk allowed vlan all command on a secured trunk port. In addition, do not set the IPSec VPN SPA inside and outside ports to "all VLANs allowed."

To configure a trunk port connection to the WAN router, perform this task beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto isakmp policy priority

...

Router(config-isakmp)# exit

Defines an ISAKMP policy and enters ISAKMP policy configuration mode.

priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.

For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.

Step 2 

Router(config)# crypto isakmp key keystring address peer-address

Configures a preshared authentication key.

keystring—Preshared key.

peer-address—IP address of the remote peer.

For details on configuring a preshared key, see the Cisco IOS Security Configuration Guide.

Step 3 

Router(config)# crypto ipsec transform-set transform-set-name transform1[transform2[transform3]]

...

Router(config-crypto-tran)# exit

Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.

transform-set-name—Name of the transform set.

transform1[transform2[transform3]]—Defines IPSec security protocols and algorithms.

For accepted transformx values, and more details on configuring transform sets, see the Cisco IOS Security Command Reference.

Step 4 

Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard

Defines an extended IP access list.

access-list-number—Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

{deny | permit}—Denies or permits access if the conditions are met.

source—Address of the host from which the packet is being sent.

source-wildcard—Wildcard bits to be applied to the source address.

destination—Address of the host to which the packet is being sent.

destination-wildcard—Wildcard bits to be applied to the destination address.

For details on configuring an access list, see the Cisco IOS Security Configuration Guide.

Step 5 

Router(config)# crypto map map-name seq-number ipsec-isakmp

...

Router(config-crypto-map)# exit

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

map-name—Name that identifies the crypto map set.

seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.

ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.

For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide.

Step 6 

Router(config)# vlan inside-vlan-id

Adds the VLAN ID into the VLAN database.

inside-vlan-id—VLAN identifier.

Step 7 

Router(config)# vlan outside-vlan-id

Adds the VLAN ID into the VLAN database.

outside-vlan-id—VLAN identifier.

Step 8 

Router(config)# interface vlan inside-vlan-id

Enters interface configuration mode for the specified VLAN interface.

inside-vlan-id—VLAN identifier.

Step 9 

Router(config-if)# description inside_interface_vlan_for_crypto_map

(Optional) Adds a comment to help identify the interface.

Step 10 

Router(config-if)# ip address address mask

Specifies the IP address and subnet mask for the interface.

address—IP address.

mask—Subnet mask.

Step 11 

Router(config-if)# crypto map map-name

Applies a previously defined crypto map set to the interface.

map-name—Name that identifies the crypto map set. Enter the map-name value you created in Step 5.

Step 12 

Router(config-if)# no shutdown

Enables the interface as a Layer 3 inside interface VLAN.

Step 13 

Router(config-if)# crypto engine slot slot

Assigns the crypto engine to the inside interface VLAN.

slot—Enter the slot where the IPSec VPN SPA is located.

Step 14 

Router(config)# interface vlan outside-vlan-id

Adds the specified VLAN interface as an outside trunk port VLAN and enters interface configuration mode for the specified VLAN interface.

outside-vlan-id—VLAN identifier.

Step 15 

Router(config-if)# description outside_trunk_port_vlan

(Optional) Adds a comment to help identify the interface.

Step 16 

Router(config-if)# crypto connect vlan inside-vlan-id

Connects the outside trunk port VLAN to the inside interface VLAN and enters crypto connect mode.

inside-vlan-id—VLAN identifier.

Step 17 

Router(config-if)# no shutdown

Enables the interface as a Layer 3 inside interface VLAN.

Step 18 

Router(config-if)# interface gigabitethernet slot/subslot/port

Enters interface configuration mode for the secure port.

Step 19 

Router(config-if)# description outside_secure_port

(Optional) Adds a comment to help identify the interface.

Step 20 

Router(config-if)# switchport

Configures the interface for Layer 2 switching.

Step 21 

Router(config-if)# no switchport access vlan

Resets the access VLAN to the appropriate default VLAN for the device.

Step 22 

Router(config-if)# switchport trunk encapsulation dot1q

Sets the trunk encapsulation to 802.1Q.

Step 23 

Router(config-if)# switchport mode trunk

Specifies a trunk VLAN Layer 2 interface.

Step 24 

Router(config-if)# switchport trunk allowed vlan remove vlan-list

Removes the specified list of VLANs from those currently set to transmit from this interface.

vlan-list—List of VLANs that the interface transmits in tagged format when in trunking mode. Valid values are from 1 to 4094.

Step 25 

Router(config-if)# switchport trunk allowed vlan add outside-vlan-id

Adds the specified VLAN to the list of VLANs currently set to transmit from this interface.

outside-vlan-id—VLAN identifier from Step 14.

Step 26 

Router(config-if)# exit

Exits interface configuration mode.

For trunk port configuration examples, see the "Trunk Port in Crypto-Connect Mode Configuration Example" section.
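The following Python script is an added example and not part of the Cisco documentation. It replays the switchport trunk allowed vlan commands of an interface block with the semantics described above (every VLAN allowed by default, a plain list replaces the current list, add and remove modify it) and reports the two conditions the trunk port guidelines warn about: the "all VLANs allowed" default and an interface VLAN carried on the trunk. The command sequences and the interface VLAN set {2} are constructed from this section's examples.

```python
"""Audit the allowed-VLAN list of a crypto-connected trunk port.

Added example, not Cisco code.  Replays `switchport trunk allowed vlan`
commands with the semantics this section describes: the default list is
every VLAN (1-4094), a plain list replaces the current list, `add` and
`remove` modify it, `all` and `none` reset it.  Other interface commands
are ignored because they do not touch the allowed list.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))

# Matches "switchport trunk allowed vlan [add|remove|all|none] [list]".
_ALLOWED_RE = re.compile(
    r"^\s*switchport trunk allowed vlan"
    r"(?:\s+(?P<op>add|remove|all|none))?"
    r"(?:\s+(?P<list>[\d,\-]+))?\s*$"
)


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,502,1002-1005' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError("VLAN range out of bounds: %s" % part)
        vlans.update(range(lo, hi + 1))
    return vlans


def audit_trunk(commands, interface_vlans):
    """Replay the commands; return (allowed_vlans, findings).

    findings is a list of short tags:
      ineffective-add:<list>     'add' issued while every VLAN was still
                                 allowed, so it changed nothing (the
                                 common mistake in the guidelines)
      all-vlans-allowed          final list is the loop-prone default
      interface-vlan-on-trunk:N  interface VLAN N is carried by the trunk
    """
    allowed = set(ALL_VLANS)
    findings = []
    for cmd in commands:
        m = _ALLOWED_RE.match(cmd)
        if not m:
            continue
        op, spec = m.group("op"), m.group("list")
        if op == "all":
            allowed = set(ALL_VLANS)
        elif op == "none":
            allowed = set()
        elif op == "add":
            if allowed == ALL_VLANS:
                findings.append("ineffective-add:%s" % spec)
            allowed |= parse_vlan_list(spec)
        elif op == "remove":
            allowed -= parse_vlan_list(spec)
        else:
            allowed = parse_vlan_list(spec)
    if allowed == ALL_VLANS:
        findings.append("all-vlans-allowed")
    for vlan in sorted(allowed & set(interface_vlans)):
        findings.append("interface-vlan-on-trunk:%d" % vlan)
    return allowed, findings


# Constructed interface blocks modelled on this section's examples; VLAN 2
# is the interface VLAN carrying the crypto map, VLAN 502 the outside VLAN.
INTERFACE_VLANS = {2}
MISTAKE = [
    "switchport",
    "switchport mode trunk",
    "switchport trunk allowed vlan add 502",   # add before any explicit list
]
CORRECT = [
    "switchport",
    "switchport trunk allowed vlan 1",
    "switchport trunk encapsulation dot1q",
    "switchport mode trunk",
    "switchport trunk allowed vlan 1,502,1002-1005",
]
LEAK = ["switchport trunk allowed vlan 1,2,502"]   # interface VLAN 2 on trunk

if __name__ == "__main__":
    for name, cmds in (("MISTAKE", MISTAKE), ("CORRECT", CORRECT), ("LEAK", LEAK)):
        allowed, findings = audit_trunk(cmds, INTERFACE_VLANS)
        print(name, len(allowed), "VLANs allowed; findings:", findings or "none")
```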

Verifying the Trunk Port Configuration

To verify the VLANs allowed by a trunk port, enter the show interfaces trunk command. The following display shows that all VLANs are allowed:

Router# show interfaces GigabitEthernet 1/2 trunk

Port      Mode         Encapsulation  Status        Native vlan
Gi1/2     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi1/2     1-4094

Port      Vlans allowed and active in management domain
Gi1/2     1-4,7-8,513,1002-1005

Port      Vlans in spanning tree forwarding state and not pruned
Gi1/2     1-4,7-8,513,1002-1005

Configuring IPSec VPN SPA Connections to WAN Interfaces

The configuration of IPSec VPN SPA connections to WAN interfaces is similar to the configuration of Ethernet routed interfaces.

IPSec VPN SPA Connections to WAN Interfaces Configuration Guidelines and Restrictions

When configuring a connection to a WAN interface using an IPSec VPN SPA, follow these guidelines and note these restrictions:

To configure an IPSec VPN SPA connection to a WAN interface, make a crypto connection from the WAN subinterface to the interface VLAN as follows:

Router(config)# interface Vlan101
Router(config-if)# ip address 192.168.101.1 255.255.255.0
Router(config-if)# no mop enabled
Router(config-if)# crypto map cwan

Router(config)# interface ATM6/0/0.101 point-to-point
Router(config-subif)# pvc 0/101
Router(config-subif)# crypto connect vlan 101

You must configure a crypto connection on subinterfaces for ATM and Frame Relay.

For ATM, there is no SVC support, no RFC-1483 bridging, and no point-to-multipoint support.

For Frame Relay, there is no SVC support, no RFC-1490 bridging, and no point-to-multipoint support.

For Point-to-Point Protocol (PPP) and Multilink PPP (MLP), you must make the physical interface passive for routing protocols, as follows:

Router(config)# router ospf 10
Router(config-router)# passive-interface multilink1

For PPP and MLP, an ip unnumbered Null0 command is automatically added to the port configuration to support IPCP negotiation. If you configure a no ip address command on the WAN port in the startup configuration, the no ip address command will be automatically removed in the running configuration so that it does not conflict with the automatic configuration.

For PPP and MLP, there is no Bridging Control Protocol (BCP) support.

When enabled on an inside VLAN, OSPF will be configured in broadcast network mode by default, even when a point-to-point interface (such as T1, POS, serial, or ATM) is crypto-connected to the inside VLAN. In addition, if OSPF is configured in point-to-point network mode on the peer router (for example, a transit router with no crypto card), OSPF will not establish full adjacency. In this case, you can manually configure OSPF network point-to-point mode in the inside VLAN:

Router(config)# interface vlan inside-vlan
Router(config-if)# ip ospf network point-to-point

For IPSec VPN SPA connections to WAN interfaces configuration examples, see the "IPSec VPN SPA Connections to WAN Interfaces Configuration Examples" section.

Displaying the VPN Running State

Use the show crypto vlan command to display the VPN running state. The following examples show the show crypto vlan command output for a variety of IPSec VPN SPA configurations.

In the following example, the interface VLAN belongs to the IPSec VPN SPA inside port:

Router# show crypto vlan

  Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to Fa8/3

In the following example, VLAN 2 is the interface VLAN and VLAN 2022 is the hidden VLAN:

Router# show crypto vlan

Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to VLAN 2022 with crypto 
map set coral2

In the following example, the interface VLAN is missing on the IPSec VPN SPA inside port, the IPSec VPN SPA is removed from the chassis, or the IPSec VPN SPA was moved to a different subslot:

Router# show crypto vlan

  Interface VLAN 2 connected to VLAN 502 (no IPSec Service Module attached)
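The following Python parser is an added example, not Cisco code, covering the show crypto vlan output formats shown in this section and in the access, routed and trunk port verification sections above. It re-joins wrapped continuation lines, returns one record per interface, and lists the interfaces that report no IPSec Service Module attached; the sample output is constructed from the formats on this page, and the "Router#" prompt it skips is an assumption.

```python
"""Parse `show crypto vlan` output and flag detached interface VLANs.

Added example, not Cisco code.  The line shapes are the ones shown in this
chapter's verification sections and in "Displaying the VPN Running State";
wrapped continuation lines (as in the printed output above) are re-joined
before matching.  A monitoring job can alert on any entry that reports
"(no IPSec Service Module attached)".
"""
import re

_ENTRY_RE = re.compile(
    r"^Interface (?P<iface>VLAN \d+|\S+)"
    r"(?: on IPSec Service Module port (?P<spa_port>\S+))?"
    r" connected to (?P<target>VLAN \d+|VRF \S+|\S+)"
    r"(?: with crypto map set (?P<crypto_map>\S+))?"
    r"(?: \((?P<note>[^)]*)\))?$"
)


def _records(text):
    """Return one logical entry per interface, re-joining wrapped lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks and the echoed prompt (assumed to be "Router#").
        if not line or line.startswith("Router#"):
            continue
        if line.startswith("Interface ") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_show_crypto_vlan(text):
    """Return a list of dicts, one per interface, with keys iface,
    spa_port, target, crypto_map, note and attached."""
    entries = []
    for rec in _records(text):
        m = _ENTRY_RE.match(rec)
        if m is None:
            raise ValueError("unrecognised show crypto vlan line: %r" % rec)
        entry = m.groupdict()
        # No SPA port in the line means the module is missing or was moved.
        entry["attached"] = entry["spa_port"] is not None
        entries.append(entry)
    return entries


def detached_interfaces(entries):
    """Interfaces whose crypto connection has no IPSec VPN SPA behind it."""
    return [e["iface"] for e in entries if not e["attached"]]


# Constructed sample built from the output formats shown on this page.
SAMPLE = """\
Router# show crypto vlan

Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to VLAN 502 with crypto
map set MyMap
Interface VLAN 3 on IPSec Service Module port Gi4/0/1 connected to Gi1/2 with crypto map set MyMap
Interface VLAN 4 on IPSec Service Module port Gi4/0/1 connected to Fa8/3
Interface Tu1 on IPSec Service Module port Gi7/1/1 connected to VRF vrf1
Interface VLAN 5 connected to VLAN 503 (no IPSec Service Module attached)
"""

if __name__ == "__main__":
    parsed = parse_show_crypto_vlan(SAMPLE)
    for e in parsed:
        print("%-8s -> %-9s map=%-6s attached=%s" % (
            e["iface"], e["target"], e["crypto_map"], e["attached"]))
    print("detached:", detached_interfaces(parsed))
```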

Configuring VPNs in VRF Mode

The VRF-Aware IPSec feature, known as VRF mode, allows you to map IPSec tunnels to VPN routing and forwarding instances (VRFs) using a single public-facing address.

A VRF instance is a per-VPN routing information repository that defines the VPN membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and CEF tables is maintained for each VPN customer.


Note Front door VRF (FVRF) is only supported as of Cisco IOS Release 12.2(33)SRA and later.


Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, called the front door VRF (FVRF), while the inner, protected IP packet belongs to another domain called the Inside VRF (IVRF). Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.

One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the ISAKMP profile that is attached to a crypto map entry.

With VRF mode, packets belonging to a specific VRF are routed through the IPSec VPN SPA for IPSec processing. Through the CLI, you associate a VRF with an interface VLAN that has been configured to point to the IPSec VPN SPA. An interface VLAN must be created for each VRF. Packets traveling from an MPLS cloud to the Internet that are received from an inside VRF are routed to an interface VLAN, and then to the IPSec VPN SPA for IPSec processing. The IPSec VPN SPA modifies the packets so that they are placed on a special Layer 3 VLAN for routing to the WAN-side port after they leave the IPSec VPN SPA.


Note Inside VRFs are the VRFs on the unprotected (LAN) side.


Packets traveling in the inbound direction from a protected port on which the crypto engine slot command has been entered are redirected by a special ACL to the IPSec VPN SPA, where they are processed according to the Security Parameter Index (SPI) contained in the packet's IPSec header. Processing on the IPSec VPN SPA ensures that the decapsulated packet is mapped to the appropriate interface VLAN corresponding to the inside VRF. This interface VLAN has been associated with a specific VRF, so packets are routed within the VRF to the correct inside interface.


Note Tunnel protection is supported in VRF mode. For information on configuring tunnel protection, see the "Configuring VPNs in VRF Mode with Tunnel Protection" section and the "VRF Mode Configuration Example 5 (Tunnel Protection)" section.


The following subsections describe how to configure a VPN in VRF mode with and without tunnel protection on the IPSec VPN SPA:

Understanding VPN Configuration in VRF Mode

VRF Mode Configuration Guidelines and Restrictions

Configuring VPNs in VRF Mode without Tunnel Protection

Configuring VPNs in VRF Mode with Tunnel Protection

Configuring VRF Mode with Chassis-to-Chassis Stateless Failover

Understanding VPN Configuration in VRF Mode

In the traditional crypto-connect mode, a VPN is configured by attaching crypto maps to interface VLANs and then crypto-connecting a physical port to the interface VLAN. When configuring a VPN in VRF mode using the IPSec VPN SPA, the model of interface VLANs is preserved, but the crypto connect vlan CLI command is not used. When a packet comes into an interface on a specific VRF, the packet must get to the proper interface VLAN. A route must be installed so that packets destined for that particular subnet in that particular VRF are directed to that interface VLAN. This function can be achieved through the following configuration options:

Configuring an IP address on the interface VLAN that is in the same subnet as the packets' destination IP address. For example, packets are trying to reach subnet 10.1.1.x and their destination IP address is 10.1.1.1 as follows:

int vlan 100
 ip vrf forwarding coke
 ip address 10.1.1.254 255.255.255.0 <-- same subnet as 10.1.1.x that we are trying to reach.
 crypto map mymap
 crypto engine slot 4/1

Configuring a static route as follows:

ip route vrf coke 10.1.1.0 255.255.255.0 vlan 100

Configuring routing protocols. You configure BGP, OSPF, or other routing protocols so that remote routers broadcast their routes.


Note Do not configure routing protocols unless you are using tunnel protection.


Configuring Reverse Route Injection (RRI). You configure RRI so that a route gets installed when the remote end initiates an IPSec session (as in remote access situations).

With VRF mode, the router sees the interface VLAN as a point-to-point connection; the packets are placed directly onto the interface VLAN. Each VRF has its own interface VLAN.

When a crypto map is attached to an interface VLAN and the ip vrf forwarding command has associated that VLAN with a particular VRF, the software creates a point-to-point connection so that all routes pointing to the interface VLAN do not attempt to run the Address Resolution Protocol (ARP). Through normal routing within the VRF, packets to be processed by the IPSec VPN SPA are sent to the interface VLAN. You may configure features on the interface VLAN. The IP address of the interface VLAN must be on the same subnet as the desired destination subnet for packets to be properly routed.

When you enter the ip vrf forwarding command on an inside interface, all packets coming in on that interface are routed correctly within that VRF.

When you enable the crypto engine mode vrf command and enter the crypto engine slot outside command on an interface, a special ACL is installed that forces all incoming Encapsulating Security Payload (ESP)/Authentication Header (AH) IPSec packets addressed to a system IP address to be sent to the IPSec VPN SPA WAN-side port. NAT Traversal (NAT-T) packets are also directed to the IPSec VPN SPA by the special ACL.


Note You must enter the vrf vrf_name command from within the context of an ISAKMP profile. This command does not apply to the VRF-aware crypto infrastructure; it applies only to generic crypto processing. When the ISAKMP profile is added to a crypto map set, the VRF becomes the default VRF for all of the crypto maps in the list. Individual crypto maps may override this default VRF by specifying another policy profile that contains a different VRF. If no profile is applied to a crypto map tag, it inherits the VRF from the interface if you have configured the interface with the ip vrf forwarding command.

All packets destined for a protected outside interface received in this VRF context are placed on the associated interface VLAN. Similarly, all decapsulated ingress packets associated with this VRF are placed on the appropriate interface VLAN so that they may be routed in the proper VRF context.


VRF Mode Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring a VPN for the IPSec VPN SPA using VRF mode:


Note After enabling or disabling VRF mode using the [no] crypto engine mode vrf command, you must reload the supervisor engine. In addition, MPLS tunnel recirculation must be enabled for VRF mode. That is, you must add the mls mpls tunnel-recir command before entering the crypto engine mode vrf command.


The procedure for configuring a VPN in VRF mode varies based on whether you are using tunnel protection or not.

As of Cisco IOS Release 12.2(33)SRA, the crypto engine subslot command used in previous releases has been replaced with the crypto engine slot command (of the form crypto engine slot slot {inside | outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that this command has been modified in your start-up configuration to avoid extended maintenance time.

As of Cisco IOS Release 12.2(33)SRA, the ip vrf forwarding command is no longer required when configuring GRE with tunnel protection.

When you create an ISAKMP profile, note the following guidelines regarding the use of the vrf command:

You must use the vrf command if you are using the ISAKMP profile with a crypto map.

You are not required to use the vrf command if you are using the ISAKMP profile with tunnel protection.

You should not use the vrf command if you are using the ISAKMP profile with DMVPN.

When the ip vrf forwarding command is applied to a VLAN, any previously existing IP address assigned to that VLAN is removed. To assign an IP address to the VLAN, enter the ip address command after the ip vrf forwarding command, not preceding it.

Features Supported in VRF Mode

Supported features in VRF mode are as follows:

Remote access into a VRF (provider edge [PE]) with the following:

Reverse Route Injection (RRI)

Proxy AAA (one VRF is proxied to a dedicated AAA)

Customer edge-provider edge (CE-PE) encryption using tunnel protection with the following:

Routing update propagation between CEs

IGP/eBGP routing update propagation between the PE and CEs

Overlapping IP address space in VRFs

Chassis-to-chassis stateless failover (PE-to-PE failover)

1024 TP tunnels

DMVPN (Cisco IOS Release 12.2(18)SXE and later)

More than one IPSec VPN SPA in a chassis


Note Although more than one IPSec VPN SPA in a chassis is supported beginning with Cisco IOS Release 12.2(18)SXE, in VRF mode, there is no configuration difference between multiple IPSec VPN SPA operation and single IPSec VPN SPA operation. For multiple IPSec VPN SPA operation, the only change is to the output of the show crypto vlan command. The following is an example:

Interface Tu1 on IPSec Service Module port Gi7/1/1 connected to VRF vrf1
Interface VLAN 2 on IPSec Service Module port Gi7/1/1 connected to VRF vrf2


The IPSec VPN SPA supports one or more outside interfaces (the exact number is determined by your system resources).

Inside VRFs (IVRFs), the VRFs on the unprotected (LAN) side, are supported.

As of Cisco IOS Release 12.2(33)SRA, front door VRFs (FVRFs) are now supported.

Features Not Supported in VRF Mode

Unsupported features in VRF mode are as follows:

Chassis-to-chassis stateful failover (PE-to-PE failover, also known as "IPSec Stateful Failover Using HSRP and SSP") is not supported in Cisco IOS Release 12.2(33)SRA.

CE-PE IPSec-only tunnels

MPLS over GRE (tag switching on tunnel interfaces)

PE-PE encryption (IPSec only) over MPLS

PE-PE encryption (tunnel protection) over MPLS

Nested tunnels or transit IPSec packets

Multicast VPN (MVPN)


Note Multicast VPN is supported only to the extent that Cisco IOS supports it; multicast traffic is not accelerated by the IPSec VPN SPA. IPSec does not operate on multicast packets; if these packets go through the IPSec VPN SPA, they will be passed through.


Non-IP version 4 traffic over TP tunnels


Note Non-IP version 4 packets are supported by Cisco IOS. IPSec does not operate on Non-IP version 4 packets; if these packets go through the IPSec VPN SPA, they will be passed through.


Applying an ACL to the ingress interface will interfere with the packet flow


Note Do not apply an ACL during the configuration of VRF mode.


QoS support

Policy-based routing (PBR)

Path MTU discovery

Secondary IP addresses on interfaces

The reverse route remote peer option

Unlike IPSec VPN SPA crypto-connect mode configurations, when configuring VPNs in VRF mode, you do not use the crypto connect vlan command.

Configuring VPNs in VRF Mode without Tunnel Protection


Note For detailed information on configuring IKE policies, preshared key entries, Cisco IOS ACLs, and crypto maps, refer to the following Cisco IOS documentation:

VRF-Aware IPSec feature guide, Release 12.2, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm

Cisco IOS Security Configuration Guide, Release 12.2, at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087df1.html

Cisco IOS Security Command Reference, Release 12.2, at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html


To configure a VPN in VRF mode with crypto maps and without tunnel protection, perform this task beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# mls mpls tunnel-recir

Enables tunnel-MPLS recirculation.

Step 2 

Router(config)# crypto engine mode vrf

Enables VRF mode for the IPSec VPN SPA.

Note After enabling or disabling VRF mode using the crypto engine mode vrf command, you must reload the supervisor engine.

Step 3 

Router(config)# ip vrf vrf-name

Configures a VRF routing table and enters VRF configuration mode.

vrf-name—Name assigned to the VRF.

Step 4 

Router(config-vrf)# rd route-distinguisher

Creates routing and forwarding tables for a VRF.

route-distinguisher—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1).

Step 5 

Router(config-vrf)# route-target export route-target-ext-community

Creates lists of export route-target extended communities for the specified VRF.

route-target-ext-community—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 3.

Step 6 

Router(config-vrf)# route-target import route-target-ext-community

Creates lists of import route-target extended communities for the specified VRF.

route-target-ext-community—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 3.

Step 7 

Router(config-vrf)# exit

Exits VRF configuration mode.

Step 8 

Router(config)# crypto keyring keyring-name [vrf fvrf-name]

Defines a crypto keyring to be used during IKE authentication and enters keyring configuration mode.

keyring-name—Name of the crypto keyring.

fvrf-name—(Optional) Front door virtual routing and forwarding (FVRF) name to which the keyring will be referenced. fvrf-name must match the FVRF name that was defined during virtual routing and forwarding (VRF) configuration.

Step 9 

Router(config-keyring)# pre-shared-key {address address [mask] | hostname hostname} key key

Defines a preshared key to be used for IKE authentication.

address [mask]—IP address of the remote peer or a subnet and mask.

hostname—Fully qualified domain name of the peer.

key—Specifies the secret key.

Step 10 

Router(config-keyring)# exit

Exits keyring configuration mode.

Step 11 

Router(config)# crypto ipsec transform-set transform-set-name transform1[transform2[transform3]]

Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.

transform-set-name—Name of the transform set.

transform1[transform2[transform3]]—Defines IPSec security protocols and algorithms. Accepted values are described in the Cisco IOS Security Command Reference.

Step 12 

Router(config-crypto-trans)# exit

Exits crypto transform configuration mode.

Step 13 

Router(config)# crypto isakmp policy priority

Defines an IKE policy and enters ISAKMP policy configuration mode.

priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.

Step 14 

Router(config-isakmp)# authentication pre-share

Specifies the authentication method with an IKE policy.

pre-share—Specifies preshared keys as the authentication method.

Step 15 

Router(config-isakmp)# lifetime seconds

Specifies the lifetime of an IKE SA.

seconds—Number of seconds each SA should exist before expiring. Use an integer from 60 to 86,400 seconds. Default is 86,400 (one day).

Step 16 

Router(config-isakmp)# exit

Exits ISAKMP policy configuration mode.

Step 17 

Router(config)# crypto isakmp profile profile-name

Defines an ISAKMP profile and enters ISAKMP profile configuration mode.

profile-name—Name of the user profile.

Step 18 

Router(config-isa-prof)# vrf ivrf

Defines the VRF to which the IPSec tunnel will be mapped.

ivrf—Name of the VRF to which the IPSec tunnel will be mapped. Enter the same value specified in Step 2.

Step 19 

Router(config-isa-prof)# keyring keyring-name

Configures a keyring within an ISAKMP profile.

keyring-name—Keyring name. This name must match the keyring name that was defined in global configuration. Enter the value specified in Step 7.

Step 20 

Router(config-isa-prof)# match identity address address [mask] [vrf]

Matches an identity from a peer in an ISAKMP profile.

address [mask]—IP address of the remote peer or a subnet and mask.

[vrf]—(Optional) This argument is only required when configuring a front door VRF (FVRF). This argument specifies that the address is an FVRF instance.

Step 21 

Router(config-isa-prof)# exit

Exits ISAKMP profile configuration mode.

Step 22 

Router(config)# access-list access-list-number {deny | permit} ip host source host destination

Defines an extended IP access list.

access-list-number—Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

{deny | permit}—Denies or permits access if the conditions are met.

source—IP address of the host from which the packet is being sent.

destination—IP address of the host to which the packet is being sent.

Step 23 

Router(config)# crypto map map-name seq-number ipsec-isakmp

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

map-name—Name that identifies the crypto map set.

seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.

ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.

Step 24 

Router(config-crypto-map)# set peer {hostname | ip-address}

Specifies an IPSec peer in a crypto map entry.

{hostname | ip-address}—IPSec peer host name or IP address. Enter the value specified in Step 19.

Step 25 

Router(config-crypto-map)# set transform-set transform-set-name

Specifies which transform sets can be used with the crypto map entry.

transform-set-name—Name of the transform set. Enter the value specified in Step 10.

Step 26 

Router(config-crypto-map)# set isakmp-profile profile-name

Sets the ISAKMP profile name.

profile-name—Name of the ISAKMP profile. Enter the value entered in Step 16.

Step 27 

Router(config-crypto-map)# match address [access-list-id | name]

Specifies an extended access list for the crypto map entry.

access-list-id—Identifies the extended access list by its name or number. Enter the value specified in Step 21.

name—(Optional) Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched.

Step 28 

Router(config-crypto-map)# exit

Exits crypto map configuration mode.

Step 29 

Router(config)# crypto map map-name local-address interface-id

Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.

map-name—Name that identifies the crypto map set. Enter the value specified in Step 22.

local-address interface-id—Name of interface that has the local address of the router.

Note In VRF mode, the VPN feature supports up to 1023 local addresses. This limit is across the chassis (not per VPN module).

Step 30 

Router(config)# interface fastethernet slot/port

Configures a Fast Ethernet interface and enters interface configuration mode.

Step 31 

Router(config-if)# ip vrf forwarding vrf-name

Associates a VRF with an interface or subinterface.

vrf-name—Name assigned to the VRF. Enter the value specified in Step 2.

Step 32 

Router(config-if)# ip address address mask

Sets a primary or secondary IP address for the interface.

address—IP address.

mask—Subnet mask.

Step 33 

Router(config-if)# no shutdown

Enables the interface.

Step 34 

Router(config-if)# interface gigabitethernet slot/subslot/port

Configures a Gigabit Ethernet interface. Match the value specified as the interface-id in Step 28.

Step 35 

Router(config-if)# ip vrf forwarding vrf-name

(Optional) Associates a VRF with an interface or subinterface.

vrf-name—Name assigned to the VRF.

Step 36 

Router(config-if)# ip address address mask

Sets a primary or secondary IP address for an interface.

address—IP address.

mask—Subnet mask.

Step 37 

Router(config-if)# crypto engine slot slot outside

Assigns the specified crypto engine to the interface.

slot—Enter the slot where the IPSec VPN SPA is located.

Step 38 

Router(config-if)# no shutdown

Enables the interface.

Step 39 

Router(config-if)# exit

Exits interface configuration mode.

Step 40 

Router(config)# interface vlan vlan-id

Configures a VLAN interface and enters interface configuration mode.

vlan-id—VLAN identifier.

Step 41 

Router(config-if)# ip vrf forwarding vrf-name

Associates a VRF with an interface or subinterface.

vrf-name—Name assigned to the VRF. Enter the value specified in Step 2.

Step 42 

Router(config-if)# ip address address mask

Sets a primary or secondary IP address for the interface.

address—IP address.

mask—Subnet mask.

Step 43 

Router(config-if)# crypto map map-name

Applies a previously defined crypto map set to an interface.

map-name—Name that identifies the crypto map set. Enter the value specified in Step 22.

Step 44 

Router(config-if)# crypto engine slot slot inside

Assigns the specified crypto engine to the interface.

slot—Enter the slot where the IPSec VPN SPA is located.

Step 45 

Router(config-if)# exit

Exits interface configuration mode.

Step 46 

Router(config)# ip route vrf vrf-name prefix mask interface-number

Establishes static routes for a VRF.

vrf-name—Name of the VRF for the static route. Enter the value specified in Step 2.

prefix—IP route prefix for the destination, in dotted-decimal format.

mask—Prefix mask for the destination, in dotted-decimal format.

interface-number—Number identifying the network interface to use. Enter the vlan-id value specified in Step 40.

Step 47 

Router(config)# end

Returns to privileged EXEC mode.

For complete configuration information for VRF-Aware IPSec, refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm

For a configuration example, see the "VRF Mode Configuration Example 1 (Basic Configuration)" section.

Configuring VPNs in VRF Mode with Tunnel Protection


Note Tunnel protection is supported only in VRF mode.


This section describes how to configure a VPN in VRF mode on the IPSec VPN SPA with tunnel protection (TP). When you configure IPSec, a crypto map is attached to an interface to enable IPSec. With tunnel protection, there is no need for a crypto map or ACL to be attached to the interface. A crypto policy is attached directly to the tunnel interface. Any traffic routed by the interface is encapsulated in GRE and then encrypted using IPSec. The tunnel protection feature can be applied to point-to-point GRE.

VRF Mode Using Tunnel Protection Configuration Guidelines and Restrictions

When configuring tunnel protection on the IPSec VPN SPA, follow these guidelines and restrictions:

For tunnel protection to work, the IPSec VPN SPA must seize the GRE tunnel. Do not configure any options (such as sequence numbers or tunnel keys) that prevent the IPSec VPN SPA from seizing the GRE tunnel.

Do not configure the GRE tunnel keepalive feature.

The ip vrf forwarding command is no longer required when configuring GRE with tunnel protection.

To configure a VPN in VRF mode using tunnel protection, perform this task beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# mls mpls tunnel-recir

Enables tunnel-MPLS recirculation.

Step 2 

Router(config)# crypto engine mode vrf

Enables VRF mode for the IPSec VPN SPA.

Note After enabling or disabling VRF mode using the crypto engine mode vrf command, you must reload the supervisor engine.

Step 3 

Router(config)# ip vrf vrf-name

Configures a VRF routing table and enters VRF configuration mode.

vrf-name—Name assigned to the VRF.

Step 4 

Router(config-vrf)# rd route-distinguisher

Creates routing and forwarding tables for a VRF.

route-distinguisher—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1).

Step 5 

Router(config-vrf)# route-target export route-target-ext-community

Creates lists of export route-target extended communities for the specified VRF.

route-target-ext-community—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 3.

Step 6 

Router(config-vrf)# route-target import route-target-ext-community

Creates lists of import route-target extended communities for the specified VRF.

route-target-ext-community—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 3.

Step 7 

Router(config-vrf)# exit

Exits VRF configuration mode.

Step 8 

Router(config)# crypto keyring keyring-name [vrf fvrf-name]

Defines a crypto keyring to be used during IKE authentication and enters keyring configuration mode.

keyring-name—Name of the crypto keyring.

fvrf-name—(Optional) Front door virtual routing and forwarding (FVRF) name to which the keyring will be referenced. fvrf-name must match the FVRF name that was defined during virtual routing and forwarding (VRF) configuration.

Step 9 

Router(config-keyring)# pre-shared-key {address address [mask] | hostname hostname} key key

Defines a preshared key to be used for IKE authentication.

address [mask]—IP address of the remote peer or a subnet and mask.

hostname—Fully qualified domain name of the peer.

key—Specifies the secret key.

Step 10 

Router(config-keyring)# exit

Exits keyring configuration mode.

Step 11 

Router(config)# crypto ipsec transform-set transform-set-name transform1[transform2[transform3]]

Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.

transform-set-name—Name of the transform set.

transform1[transform2[transform3]]—Defines IPSec security protocols and algorithms. Accepted values are described in the Cisco IOS Security Command Reference.

Step 12 

Router(config-crypto-trans)# exit

Exits crypto transform configuration mode.

Step 13 

Router(config)# crypto isakmp policy priority

Defines an IKE policy and enters ISAKMP policy configuration mode.

priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.

Step 14 

Router(config-isakmp)# authentication pre-share

Specifies the authentication method with an IKE policy.

pre-share—Specifies preshared keys as the authentication method.

Step 15 

Router(config-isakmp)# lifetime seconds

Specifies the lifetime of an IKE SA.

seconds—Number of seconds each SA should exist before expiring. Use an integer from 60 to 86,400 seconds. Default is 86,400 (one day).

Step 16 

Router(config-isakmp)# exit

Exits ISAKMP policy configuration mode.

Step 17 

Router(config)# crypto isakmp profile profile-name

Defines an ISAKMP profile and enters ISAKMP profile configuration mode.

profile-name—Name of the user profile.

Step 18 

Router(config-isa-prof)# keyring keyring-name

Configures a keyring within an ISAKMP profile.

keyring-name—Keyring name. This name must match the keyring name that was defined in global configuration. Enter the value specified in Step 7.

Step 19 

Router(config-isa-prof)# match identity address address [mask]

Matches an identity from a peer in an ISAKMP profile.

address [mask]—IP address of the remote peer or a subnet and mask.

Step 20 

Router(config-isa-prof)# exit

Exits ISAKMP profile configuration mode.

Step 21 

Router(config)# access-list access-list-number {deny | permit} ip host source host destination

Defines an extended IP access list.

access-list-number—Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

{deny | permit}—Denies or permits access if the conditions are met.

source—IP address of the host from which the packet is being sent.

destination—IP address of the host to which the packet is being sent.

Step 22 

Router(config)# crypto ipsec profile profile-name

Defines an IPSec profile and enters IPSec profile configuration mode.

profile-name—Name of the user profile.

Step 23 

Router(config-ipsec-profile)# set transform-set transform-set-name

Specifies which transform sets can be used with the crypto map entry.

transform-set-name—Name of the transform set. Enter the value specified in Step 10.

Step 24 

Router(config-ipsec-profile)# set isakmp-profile profile-name

Sets the ISAKMP profile name.

profile-name—Name of the ISAKMP profile. Enter the value entered in Step 16.

Step 25 

Router(config-ipsec-profile)# exit

Exits IPSec profile configuration mode.

Step 26 

Router(config)# interface interface-name

Configures a tunnel interface and enters interface configuration mode.

interface-name—Name assigned to the interface.

Step 27 

Router(config-if)# ip vrf forwarding vrf-name

Associates a VRF with an interface or subinterface.

vrf-name—Name assigned to the VRF. Enter the value specified in Step 2.

Step 28 

Router(config-if)# ip address address mask

Sets a primary or secondary IP address for the interface.

address—IP address.

mask—Subnet mask.

Step 29 

Router(config-if)# tunnel source ip-address

Sets the source address of a tunnel interface.

ip-address—IP address to use as the source address for packets in the tunnel.

Step 30 

Router(config-if)# tunnel vrf vrf-name

(Optional) Associates a VPN routing and forwarding instance (VRF) with a specific tunnel destination, interface or subinterface. This step is only required when configuring a front door VRF (FVRF).

vrf-name—Name assigned to the VRF.

Step 31 

Router(config-if)# tunnel destination ip-address

Sets the destination address of a tunnel interface.

ip-address—IP address to use as the destination address for packets in the tunnel.

Step 32 

Router(config-if)# tunnel protection ipsec crypto-policy-name

Associates a tunnel interface with an IPSec profile.

crypto-policy-name—Enter the value specified in Step 22.

Step 33 

Router(config-if)# crypto engine slot slot inside

Assigns the specified crypto engine to the interface.

slot—Enter the slot where the IPSec VPN SPA is located.

Step 34 

Router(config-if)# interface fastethernet slot/subslot

Configures a Fast Ethernet interface.

Step 35 

Router(config-if)# ip vrf forwarding vrf-name

Associates a VRF with an interface or subinterface.

vrf-name—Name assigned to the VRF.

Step 36 

Router(config-if)# ip address address mask

Sets a primary or secondary IP address for an interface.

address—IP address.

mask—Subnet mask.

Step 37 

Router(config-if)# no shutdown

Enables the interface.

Step 38 

Router(config-if)# interface gigabitethernet slot/subslot/port

Configures a Gigabit Ethernet interface.

Step 39 

Router(config-if)# ip vrf forwarding vrf-name

(Optional) Associates a VRF with an interface or subinterface.

vrf-name—Name assigned to the VRF.

Step 40 

Router(config-if)# ip address address mask

Sets a primary or secondary IP address for an interface.

address—IP address. Enter the value specified in Step 29.

mask—Subnet mask.

Step 41 

Router(config-if)# crypto engine slot slot outside

Assigns the specified crypto engine to the interface.

slot—Enter the slot where the IPSec VPN SPA is located.

Step 42 

Router(config-if)# no shutdown

Enables the interface.

Step 43 

Router(config-if)# exit

Exits interface configuration mode.

For a configuration example, see the "VRF Mode Configuration Example 5 (Tunnel Protection)" section.

Configuring VRF Mode with Chassis-to-Chassis Stateless Failover

VRF mode with chassis-to-chassis stateless failover is supported, but it is configured differently than in non-VRF (crypto-connect) mode. In VRF mode, the HSRP configuration goes on the physical interface, but the crypto map is added to the interface VLAN. In non-VRF mode, both the HSRP configuration and the crypto map are on the same interface.

For a configuration example of VRF mode with stateless failover, see the "VRF Mode Configuration Example 6 (Chassis-to-Chassis Stateless Failover)" section.

Configuring GRE Tunneling

In addition to choosing to configure your VPN using crypto-connect mode or VRF mode, the following additional GRE configuration options are available:

Configuring GRE Tunneling in Crypto-Connect Mode

Configuring GRE Tunneling in VRF Mode

Configuring the GRE Takeover Criteria

Configuring IP Multicast over a GRE Tunnel

Configuring GRE Tunneling in Crypto-Connect Mode

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points over an IP network. When GRE is used in conjunction with IPSec, only tunnel mode can be used. Tunnel mode adds an IPSec header to the GRE packet.


Note The IPSec VPN SPA is able to accelerate packet processing for up to 2048 GRE tunnels per chassis; excess tunnels go through the route processor. The router supports any number of GRE tunnels, but adding more IPSec VPN SPAs does not increase the 2048 tunnels per-chassis maximum. If you configure more than 2048 tunnels per chassis, you could overload the route processor. Monitor the route processor CPU utilization when configuring more than 2048 tunnels per chassis.



Note In Cisco IOS Release 12.2(18)SXF, the GRE fragmentation behavior of the VPN module is changed to be consistent with the fragmentation behavior of the route processor. If GRE encapsulation is performed by the VPN module, prefragmentation of outbound packets will be based on the IP MTU of the tunnel interface. After GRE encapsulation is performed by the VPN module, depending on the IPSec LAF (look ahead fragmentation) settings, further fragmentation may occur. The IPSec fragmentation behavior is unchanged in this release, and is based on the IPSec MTU configuration of the egress interface.


GRE Tunneling Configuration Guidelines

When configuring GRE tunneling using the IPSec VPN SPA, follow these guidelines:

In a Cisco 7600 series router, GRE encapsulation and decapsulation is traditionally performed by the route processor or the supervisor engine hardware. When routing indicates that encapsulated packets for a GRE tunnel will egress through an interface VLAN that is attached to an IPSec VPN SPA inside port, the IPSec VPN SPA attempts to take over the GRE tunnel interface only if the Supervisor Engine 720 is unable to process the GRE tunnel interface in hardware. If the Supervisor Engine 720 cannot process the GRE tunnel interface in hardware, the IPSec VPN SPA will determine if it can take over the interface. By seizing the tunnel, the IPSec VPN SPA takes the GRE encapsulation and decapsulation duty from the route processor. No explicit configuration changes are required to use this feature; configure GRE as you normally would. As long as routing sends the GRE-encapsulated packets over an interface VLAN, the IPSec VPN SPA will seize the GRE tunnel.

The following are cases where the supervisor engine will not take over the tunnel but the IPSec VPN SPA will take over the tunnel if it meets the criteria discussed in the previous list item:

If the same source address is used for more than one GRE tunnel, the supervisor engine will only take over the first tunnel, but not subsequent tunnels.

If the HSRP virtual IP address is configured as the source address of the tunnel, the supervisor engine will not take over the tunnel.

One VLAN is used for each GRE tunnel regardless of whether the IPSec VPN SPA takes over the tunnel.

If routing information changes and the GRE-encapsulated packets no longer egress through an interface VLAN, the IPSec VPN SPA yields the GRE tunnel. After the IPSec VPN SPA yields the tunnel, the route processor resumes encapsulation and decapsulation, which increases CPU utilization on the route processor.


Caution Ensure that your GRE tunnel configuration does not overload the route processor.

A delay of up to 10 seconds occurs between routing changes and the IPSec VPN SPA seizing the GRE tunnel.

Do not attach a crypto map set to a generic routing encapsulation (GRE) tunnel interface. Instead, attach the crypto map set to all of the ingress and egress interfaces over which the GRE tunnel spans.

The crypto map must only be applied to the interface VLAN and not to the tunnel interface.

HSRP/GRE is supported.

Tunnel mode is the only GRE mode that is supported.

The following options are not supported: checksum enabled, sequence check enabled, tunnel key, IP security options, IP policy, service policy, IP PIM, traffic shaping, QoS preclassification, NAT, and ACLs. If any of these options are specified, the IPSec VPN SPA will not seize the GRE tunnel.

GRE tunneling of all non-IP packets is done by the route processor even if the tunnel is seized by the IPSec VPN SPA.

To configure a GRE tunnel, perform this task beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# interface tunnel number

Creates the tunnel interface if it does not exist and enters interface configuration mode.

number—Number of the tunnel interface to be configured.

Step 2 

Router(config-if)# ip address address

Sets the IP address of the tunnel interface.

address—IP address.

Step 3 

Router(config-if)# tunnel source {ip-address | type number}

Configures the tunnel source. The source is the router where traffic is received from the customer network.

ip-address—IP address to use as the source address for packets in the tunnel.

type number—Interface type and number; for example, VLAN1.

Step 4 

Router(config-if)# tunnel destination {hostname | ip-address}

Sets the IP address of the destination of the tunnel interface. The destination address is the router that transfers packets into the receiving customer network.

hostname—Name of the host destination.

ip-address—IP address of the host destination expressed in decimal in four-part, dotted notation.

Step 5 

Router(config-if)# exit

Exits interface configuration mode.

Verifying the GRE Tunneling Configuration

To verify that the IPSec VPN SPA has seized the GRE tunnel, enter the show crypto vlan command:

Router# show crypto vlan

Interface VLAN 101 on IPSec Service Module port 7/1/1 connected to AT4/0/0.101
    Tunnel101 is accelerated via IPSec SM in subslot 7/1
Router#

For complete configuration information for GRE tunneling, refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s17/12s_tos.htm

For GRE tunneling configuration examples, see the "GRE Tunneling in Crypto-Connect Mode Configuration Example" section.

Configuring GRE Tunneling in VRF Mode

To configure GRE tunneling in VRF mode, refer to the "Configuring VPNs in VRF Mode with Tunnel Protection" section.

Configuring the GRE Takeover Criteria

You can configure the takeover criteria for Generic Routing Encapsulation (GRE) processing by using the crypto engine gre supervisor or crypto engine gre vpnblade commands. These two commands let you specify whether GRE processing should be done by the supervisor engine hardware (or, failing that, the route processor) or by the IPSec VPN SPA.


Note The GRE takeover criteria commands are supported only in Cisco IOS Release 12.2(18)SXE5 and later. In releases prior to Cisco IOS Release 12.2SXE1, the crypto-related GRE tunnels are always taken over by the VPN SPA. In Cisco IOS Release 12.2SXE1, the GRE tunnels are taken over by the VPN SPA only if the supervisor engine hardware cannot do the processing.


To configure a router to process GRE using the supervisor engine hardware or the route processor (RP), use the crypto engine gre supervisor command. When this command is specified, GRE processing by the supervisor engine hardware takes precedence over processing by the route processor (unless the tunnels are from duplicate sources); the RP only takes over GRE processing if the supervisor engine hardware cannot do the processing. If this command is configured, duplicate source GREs will be processed by the route processor.

To configure a router to process GRE using the IPSec VPN SPA, use the crypto engine gre vpnblade command. If the IPSec VPN SPA cannot take over the GRE processing, the GRE processing will be handled either by supervisor engine hardware (which has precedence) or the route processor.

Both of these commands can be configured globally or at an individual tunnel.

Individual tunnel configuration takes precedence over the global configuration. For example, when the crypto engine gre supervisor command is configured at the global configuration level, the command will apply to all tunnels except those tunnels that have been configured individually using either a crypto engine gre supervisor command or a crypto engine gre vpnblade command.

At any time, only one of the two commands (crypto engine gre supervisor or crypto engine gre vpnblade) can be configured globally or individually at a tunnel. If either command is already configured, configuring the second command will overwrite the first command, and only the configuration applied by the second command will be used.

GRE Takeover Configuration Guidelines and Restrictions

When configuring GRE takeover on the IPSec VPN SPA, follow these guidelines and restrictions:

For a GRE tunnel to be taken over by the IPSec VPN SPA, it must first satisfy the following criteria:

The GRE tunnel interface must be up.

The route to the tunnel destination must go through the IPSec VPN SPA.

The Address Resolution Protocol (ARP) entry for the next hop must exist.

The tunnel mode must be GRE.

The only supported options are tunnel ttl and tunnel tos. If any of the following options are configured, then the tunnel will not be taken over:

tunnel key

tunnel sequence-datagrams

tunnel checksum

All other options configured are ignored.

If the GRE tunnels have the same source and destination addresses, then the IPSec VPN SPA will, at most, take over only one of them, and the determination of which specific tunnel is taken over is random.

The IPSec VPN SPA will not take over GRE processing if any of the following options is configured on the tunnel interface:

DMVPN

IP policy

NAT

Service policy

Traffic shaping

QoS

ACL

In crypto-connect mode, the IPSec VPN SPA will not take over GRE processing when the interface VLAN has no crypto map attached. The crypto map must be applied to the interface VLAN and not to the tunnel interface.

If the IPSec VPN SPA cannot take over the GRE processing, the GRE processing will be handled either by the supervisor engine hardware (which has precedence) or the route processor.

When neither the crypto engine gre supervisor command nor the crypto engine gre vpnblade command is specified globally or individually for a tunnel, the IPSec VPN SPA will only attempt to take over GRE processing if the following conditions apply:

The supervisor engine hardware does not take over GRE processing.

Protocol Independent Multicast (PIM) is configured on the tunnel.

The tunnels are from duplicate tunnel sources and more than one tunnel is up. (If only one tunnel is up, the supervisor engine hardware can still perform the GRE processing.)

When a new configuration file is copied to the running configuration, the new configuration will overwrite the old configuration for the crypto engine gre vpnblade and crypto engine gre supervisor commands. If the new configuration does not specify a GRE takeover criteria globally or for an individual tunnel, the existing old configuration will be used.
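As an added example that is not part of this guide or any Cisco tool, the following Python checker applies the tunnel-level takeover criteria above, and the tunnel-protection guideline against GRE keepalives, to IOS-style tunnel interface stanzas taken from a running-config. The sample config, interface names and addresses are constructed, and the mapping of each listed restriction to a configuration keyword is this example's own assumption; interface state, routing and the next-hop ARP entry cannot be judged from a config and are not checked.

```python
"""Check IOS-style GRE tunnel stanzas against the IPSec VPN SPA takeover rules.
Constructed example, not a Cisco tool; the keyword-to-restriction mapping is
an assumption made here, not something the configuration guide states."""
import re
from collections import defaultdict

# Options the guide lists as preventing takeover (tunnel ttl/tos stay allowed).
BLOCKING_OPTIONS = {
    "tunnel key": "tunnel key",
    "tunnel sequence-datagrams": "sequence check",
    "tunnel checksum": "checksum",
    "ip policy": "IP policy routing",
    "ip nat": "NAT",
    "service-policy": "service policy",
    "ip access-group": "ACL",
}


def parse_interfaces(config: str) -> dict:
    """Split a running-config into {interface name: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):          # indented: belongs to current stanza
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        match = re.match(r"interface (\S+)", line)
        current = match.group(1) if match else None
        if current is not None:
            interfaces[current] = []
    return interfaces


def tunnel_takeover_blockers(config: str) -> dict:
    """Return {tunnel name: [reasons the SPA would not seize it]}.
    An empty list means nothing in the stanza itself blocks takeover."""
    results, endpoints = {}, defaultdict(list)
    for name, cmds in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        reasons, src, dst = [], None, None
        uses_tp = any(c.startswith("tunnel protection") for c in cmds)
        for cmd in cmds:
            if m := re.match(r"tunnel source (\S+)", cmd):
                src = m.group(1)
            if m := re.match(r"tunnel destination (\S+)", cmd):
                dst = m.group(1)
            if (m := re.match(r"tunnel mode (.+)", cmd)) and m.group(1) != "gre ip":
                reasons.append(f"tunnel mode '{m.group(1)}' is not point-to-point GRE")
            for keyword, label in BLOCKING_OPTIONS.items():
                if re.match(re.escape(keyword) + r"(\s|$)", cmd):
                    reasons.append(f"{label} configured: '{cmd}'")
            # Tunnel-protection guideline: no GRE keepalive on a protected tunnel.
            if uses_tp and cmd.startswith("keepalive"):
                reasons.append("GRE keepalive configured on a tunnel-protection tunnel")
        if src and dst:
            endpoints[(src, dst)].append(name)
        results[name] = reasons
    # Same source and destination on several tunnels: at most one is taken over,
    # and which one is random, so every member of the group is flagged.
    for (src, dst), names in endpoints.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                results[name].append(f"shares {src}->{dst} with {others}; "
                                     "at most one of them is taken over")
    return results


# Constructed sample running-config using documentation address ranges.
SAMPLE_CONFIG = """\
interface Tunnel101
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel ttl 64
!
interface Tunnel102
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
 tunnel key 1234
 tunnel checksum
 service-policy output SHAPE
!
interface Tunnel103
 keepalive 10 3
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.3
 tunnel protection ipsec profile VPNPROF
!
interface Tunnel104
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.3
"""

if __name__ == "__main__":
    for tunnel, reasons in tunnel_takeover_blockers(SAMPLE_CONFIG).items():
        print(tunnel, "OK" if not reasons else "NOT taken over: " + "; ".join(reasons))
```

Run against the sample, Tunnel101 passes, Tunnel102 is flagged three times, and Tunnel103 and Tunnel104 are both flagged for sharing a source and destination (Tunnel103 additionally for the keepalive).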

Configuring the GRE Takeover Criteria Globally

To configure the GRE takeover criteria globally (so that it affects all tunnels except those tunnels that have been configured individually using either a crypto engine gre supervisor command or a crypto engine gre vpnblade command), perform this task beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto engine gre supervisor

or

Router(config)# crypto engine gre vpnblade

Configures a router to process GRE using the supervisor engine hardware or the route processor.

Configures a router to process GRE using the IPSec VPN SPA.

Configuring the GRE Takeover Criteria at an Individual Tunnel

To configure the GRE takeover criteria at an individual tunnel (so that it affects only a specific tunnel), perform this task beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# interface tunnel number

Creates the tunnel interface if it does not exist and enters interface configuration mode.

number—Number of the tunnel interface to be configured.

Step 2 

Router(config-if)# crypto engine gre supervisor

or

Router(config-if)# crypto engine gre vpnblade

Configures a router to process GRE using the supervisor engine hardware or the route processor.

or

Configures a router to process GRE using the IPSec VPN SPA.

For GRE takeover criteria configuration examples, see the "GRE Takeover Criteria Configuration Examples" section.

Configuring IP Multicast over a GRE Tunnel

IP multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to multiple recipients. GRE is a tunneling protocol developed by Cisco and commonly used with IPSec that encapsulates a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP network.

In some network scenarios, you might want to configure your network to use GRE tunnels to send Protocol Independent Multicast (PIM) and multicast traffic between routers. Typically, this occurs when the multicast source and receiver are separated by an IP cloud that is not configured for IP multicast routing. In such network scenarios, configuring a PIM-enabled tunnel across the IP cloud transports the multicast packets toward the receiver. The configuration of IP multicast over a GRE tunnel using the IPSec VPN SPA involves three key steps:

Configuring single-SPA mode for multicast traffic

Configuring multicast globally

Configuring PIM at the tunnel interfaces

IP Multicast over a GRE Tunnel Configuration Guidelines and Restrictions

When configuring IP multicast over a GRE tunnel, follow these guidelines:

When the hw-module slot subslot only command is executed, it automatically resets the Cisco 7600 SSC-400 card and displays the following prompt on the console:

Module n will be reset? Confirm [n]:

The prompt will default to N (no). You must type Y (yes) to activate the reset action.

When in single-SPA mode, if you manually plug in a second SPA, or if you attempt to reset the SPA (by entering a no hw-module subslot shutdown command, for example), a message is displayed on the router console that refers you to the customer documentation.

If PIM is configured, and the GRE tunnel interface satisfies the rest of the tunnel takeover criteria, the GRE processing of the multicast packets will be taken over by the IPSec VPN SPA.

GRE processing of IP multicast packets will be taken over by the IPSec VPN SPA if the GRE tunnel interface satisfies the following tunnel takeover criteria:

The tunnel is up.

There are no other tunnels with the same source and destination pair.

Tunnel protection has not been applied to the tunnel interface in crypto-connect mode.

Tunnel protection has been applied to the tunnel interface in VRF mode.

The tunnel is not an mGRE tunnel.

PIM is configured on the tunnel.

None of the following features are configured on the tunnel: tunnel key, tunnel sequence-datagrams, tunnel checksum, tunnel udlr address-resolution, tunnel udlr receive-only, tunnel udlr send-only, ip proxy-mobile tunnel reverse, IP policy, service policy, traffic shaping, QoS pre-classification, NAT, or ACLs. If any of these options are specified, the IPSec VPN SPA will not seize the GRE tunnel.

When a tunnel is configured for multicast traffic, the crypto engine gre supervisor command should not be applied to the tunnel.
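The following Python script is an added example and is not part of the Cisco documentation. It applies the takeover criteria listed above to the Tunnel interface blocks of an IOS running configuration and reports, per tunnel, why the IPSec VPN SPA would or would not take over GRE processing for the multicast traffic. Line status is not part of the configuration and is supplied separately (in practice from show interfaces tunnel); the crypto engine mode is taken from whether the global crypto engine mode vrf command is present. The running configuration fragment embedded in the script, including the tunnel numbers and addresses, is constructed for this example.

```python
"""GRE takeover check for IP multicast over GRE (added example; not from the
Cisco documentation). Reads the Tunnel interface blocks of an IOS running-config
and applies the takeover criteria listed above. Line status is not part of the
configuration, so it is passed in separately (here a constructed dict; in practice
taken from "show interfaces tunnel"). The crypto engine mode is derived from the
presence of the global "crypto engine mode vrf" command."""
import re
from typing import Dict, List

# Indented block of each Tunnel interface in the running configuration.
TUNNEL_BLOCK_RE = re.compile(r"^interface (Tunnel\d+)[ \t]*\r?\n((?:[ \t]+.*\r?\n?)*)", re.M)

# Interface commands that stop the IPSec VPN SPA from seizing the tunnel
# (matched as prefixes of the configured command).
DISQUALIFYING = (
    "tunnel key", "tunnel sequence-datagrams", "tunnel checksum",
    "tunnel udlr address-resolution", "tunnel udlr receive-only",
    "tunnel udlr send-only", "ip proxy-mobile tunnel reverse", "ip policy",
    "service-policy", "traffic-shape", "qos pre-classify", "ip nat",
    "ip access-group",
)


def parse_tunnels(config: str) -> Dict[str, List[str]]:
    """Return {"TunnelN": [sub-commands]} for every Tunnel interface block."""
    return {m[1]: [c.strip() for c in m[2].splitlines() if c.strip()]
            for m in TUNNEL_BLOCK_RE.finditer(config)}


def takeover_blockers(name: str, tunnels: Dict[str, List[str]],
                      vrf_mode: bool, line_up: bool) -> List[str]:
    """Reasons why the SPA will NOT take over GRE for `name`; empty means it will."""
    cmds = tunnels[name]
    reasons = []
    if not line_up:
        reasons.append("tunnel is not up")
    src = next((c for c in cmds if c.startswith("tunnel source ")), None)
    dst = next((c for c in cmds if c.startswith("tunnel destination ")), None)
    if dst is None or "tunnel mode gre multipoint" in cmds:
        reasons.append("tunnel is mGRE (multipoint or no tunnel destination)")
    for other, ocmds in tunnels.items():
        if other != name and src is not None and dst is not None \
                and src in ocmds and dst in ocmds:
            reasons.append(f"{other} uses the same source/destination pair")
    protected = any(c.startswith("tunnel protection ipsec profile") for c in cmds)
    if vrf_mode and not protected:
        reasons.append("VRF mode requires tunnel protection on the tunnel")
    if not vrf_mode and protected:
        reasons.append("crypto-connect mode does not allow tunnel protection on the tunnel")
    if not any(c.startswith("ip pim ") for c in cmds):
        reasons.append("PIM is not configured on the tunnel")
    reasons += [f"unsupported feature on tunnel: {c}" for c in cmds if c.startswith(DISQUALIFYING)]
    if "crypto engine gre supervisor" in cmds:
        reasons.append("crypto engine gre supervisor pins GRE to the supervisor/RP")
    return reasons


def evaluate(config: str, line_status: Dict[str, bool]) -> Dict[str, List[str]]:
    """Blockers per tunnel for a whole running-config."""
    vrf_mode = re.search(r"^crypto engine mode vrf[ \t]*$", config, re.M) is not None
    tunnels = parse_tunnels(config)
    return {name: takeover_blockers(name, tunnels, vrf_mode, line_status.get(name, False))
            for name in tunnels}


# Constructed sample running-config fragment (crypto-connect mode: no
# "crypto engine mode vrf"). Tunnel15 meets every criterion; the others do not.
SAMPLE_CONFIG = """\
ip multicast-routing
!
interface Tunnel15
 ip address 10.15.0.1 255.255.255.0
 ip pim sparse-dense-mode
 tunnel source Vlan2
 tunnel destination 11.0.0.2
!
interface Tunnel16
 ip address 10.16.0.1 255.255.255.0
 ip pim sparse-dense-mode
 tunnel source Vlan2
 tunnel destination 11.0.0.4
 tunnel key 42
!
interface Tunnel17
 ip address 10.17.0.1 255.255.255.0
 ip nat inside
 tunnel source Vlan2
 tunnel destination 11.0.0.3
!
"""
SAMPLE_STATUS = {"Tunnel15": True, "Tunnel16": False, "Tunnel17": True}

if __name__ == "__main__":
    for tunnel, blockers in evaluate(SAMPLE_CONFIG, SAMPLE_STATUS).items():
        print(tunnel, "-> SPA takeover" if not blockers
              else "-> stays on supervisor/RP: " + "; ".join(blockers))
```

Run against the real running configuration, the script tells you before a cutover which tunnels will stay on the supervisor engine and which single command (for example tunnel key or ip nat) is keeping them there.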

Configuring Single-SPA Mode for IP Multicast Traffic

Before you configure IP multicast on the IPSec VPN SPA, you should change the mode of the Cisco 7600 SSC-400 card to allocate full buffers to the specified subslot using the hw-module slot subslot only command. If this command is not used, the total amount of buffers available is divided between the two subslots on the Cisco 7600 SSC-400 card.

To allocate full buffers to the specified subslot, use the hw-module slot subslot only command as follows:

Router(config)# hw-module slot slot subslot subslot only

slot specifies the slot where the Cisco 7600 SSC-400 card is located.

subslot specifies the subslot where the IPSec VPN SPA is located.

Configuring IP Multicast Globally

You must enable IP multicast routing globally before you can enable PIM on the router interfaces.

To enable IP multicast routing globally, use the ip multicast-routing command.

Configuring PIM at the Tunnel Interfaces

You must enable PIM on all participating router interfaces before IP multicast will function.

To enable PIM, use the ip pim command as follows:

Router(config-if)# ip pim {dense-mode | sparse-mode | sparse-dense-mode}

dense-mode enables dense mode of operation.

sparse-mode enables sparse mode of operation.

sparse-dense-mode enables the interface in either sparse mode or dense mode of operation, depending on which mode the multicast group operates in.

For IP multicast over GRE tunnels configuration examples, see the "IP Multicast over a GRE Tunnel Configuration Example" section.

Verifying the IP Multicast over a GRE Tunnel Configuration

To verify the IP multicast over a GRE tunnel configuration, enter the show crypto vlan and show ip mroute commands.

To verify that the tunnel has been taken over by the IPSec VPN SPA, enter the show crypto vlan command:

Router# show crypto vlan
 
Interface VLAN 100 on IPSec Service Module port Gi7/0/1 connected to Po1 with crypto map set map_t3
Tunnel15 is accelerated via IPSec SM in subslot 7/0

To verify that the IP multicast traffic is hardware-switched, enter the show ip mroute command and look for the H flag:

Router# show ip mroute 230.1.1.5
 
IP Multicast Routing Table 
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected, 
L - Local, P - Pruned, R - RP-bit set, F - Register flag, 
T - SPT-bit set, J - Join SPT, M - MSDP created entry, 
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement, 
U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel 
Y - Joined MDT-data group, y - Sending to MDT-data group 
Outgoing interface flags: H - Hardware switched, A - Assert winner 
Timers: Uptime/Expires 
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 230.1.1.5), 01:23:45/00:03:16, RP 15.15.1.1, flags: SJC 
Incoming interface: Null, RPF nbr 0.0.0.0 
Outgoing interface list: 
Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16

(120.1.0.3, 230.1.1.5), 01:23:46/00:03:25, flags: T
Incoming interface: GigabitEthernet8/1, RPF nbr 0.0.0.0, RPF-MFD
Outgoing interface list:
Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16, H
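As an added example that is not part of the Cisco documentation, the following Python functions parse the show crypto vlan and show ip mroute output and report, for each (S,G) entry of a group, whether every outgoing interface is hardware switched (H flag) and whether each outgoing tunnel interface is accelerated by the IPSec VPN SPA. The sample output strings embedded in the script are constructed after the displays above, trimmed to the lines the parsers read.

```python
"""Verification helpers for IP multicast over a GRE tunnel (added example; not
from the Cisco documentation). They parse the text of "show crypto vlan" and
"show ip mroute" and report, per (S,G) entry of a group, whether every outgoing
interface is hardware switched (H flag) and, for tunnel interfaces, accelerated
by the IPSec VPN SPA. The sample outputs below are constructed after the
displays shown above."""
import re
from typing import Dict, Tuple

ACCEL_RE = re.compile(r"^(\S+) is accelerated via IPSec SM in subslot (\S+)", re.M)
ENTRY_RE = re.compile(r"^\(([\d.*]+), ([\d.]+)\),")          # "(S, G)," or "(*, G),"
OIL_RE = re.compile(r"^(\S+), (\S+), (\S+)(?:, (.+))?$")     # iface, state/mode, timers[, flags]


def accelerated_tunnels(show_crypto_vlan: str) -> Dict[str, str]:
    """{"TunnelN": "slot/subslot"} for tunnels the SPA has taken over."""
    return {m[1]: m[2] for m in ACCEL_RE.finditer(show_crypto_vlan)}


def parse_mroute(show_ip_mroute: str) -> Dict[Tuple[str, str], Dict[str, bool]]:
    """{(source, group): {outgoing interface: hardware_switched}} for each entry."""
    entries: Dict[Tuple[str, str], Dict[str, bool]] = {}
    current, in_oil = None, False
    for raw in show_ip_mroute.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            current, in_oil = (m[1], m[2]), False
            entries[current] = {}
        elif current is None or not line:
            in_oil = False                         # a blank line ends the entry
        elif line.startswith("Outgoing interface list:"):
            in_oil = True
        elif in_oil and (m := OIL_RE.match(line)) and m[1] != "Null":
            flags = (m[4] or "").split(", ")       # e.g. "H" or "H, A"
            entries[current][m[1]] = "H" in flags
    return entries


def offload_report(show_crypto_vlan: str, show_ip_mroute: str, group: str) -> Dict[Tuple[str, str], bool]:
    """True per (S,G) of `group` when every OIL member is H-flagged and every tunnel
    member appears as accelerated in show crypto vlan."""
    accel = accelerated_tunnels(show_crypto_vlan)
    report = {}
    for (src, grp), oil in parse_mroute(show_ip_mroute).items():
        if grp == group:
            report[(src, grp)] = bool(oil) and all(
                hw and (not iface.startswith("Tunnel") or iface in accel) for iface, hw in oil.items())
    return report


# Constructed sample output, modelled on the displays above.
SAMPLE_SHOW_CRYPTO_VLAN = """\
Interface VLAN 100 on IPSec Service Module port Gi7/0/1 connected to Po1 with crypto map set map_t3
Tunnel15 is accelerated via IPSec SM in subslot 7/0
"""
SAMPLE_SHOW_IP_MROUTE = """\
IP Multicast Routing Table
Outgoing interface flags: H - Hardware switched, A - Assert winner
(*, 230.1.1.5), 01:23:45/00:03:16, RP 15.15.1.1, flags: SJC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16

(120.1.0.3, 230.1.1.5), 01:23:46/00:03:25, flags: T
  Incoming interface: GigabitEthernet8/1, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list:
    Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16, H
"""

if __name__ == "__main__":
    for entry, offloaded in offload_report(SAMPLE_SHOW_CRYPTO_VLAN, SAMPLE_SHOW_IP_MROUTE, "230.1.1.5").items():
        print(entry, "hardware switched via SPA" if offloaded else "software/RP forwarded")
```

Only the (S,G) entry carries the H flag in the display above; the shared-tree (*,G) entry is reported as not offloaded, which is the expected result, since the source-specific entry is what forwards the stream.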

For IP multicast over GRE tunnels configuration examples, see the "IP Multicast over a GRE Tunnel Configuration Example" section.

Configuring an IPSec Virtual Tunnel Interface

The IPSec Virtual Tunnel Interface (VTI) provides a routable interface type for terminating IPSec tunnels that greatly simplifies the configuration process when you need to provide protection for remote access, and provides a simpler alternative to using GRE tunnels and crypto maps with IPSec. In addition, the IPSec VTI simplifies network management and load balancing.


Note IPSec VTI is only supported as of Cisco IOS Release 12.2(33)SRA, and is only supported in VRF mode.


Note the following details about IPSec VTI routing and traffic encryption:

You can enable routing protocols on the tunnel interface so that routing information can be propagated over the virtual tunnel. The router can establish neighbor relationships over the virtual tunnel interface. Interoperability with standards-based IPSec installations is possible through the use of the IP ANY ANY proxy. The static IPSec interface will negotiate and accept IP ANY ANY proxies.

The IPSec VTI supports native IPSec tunneling and exhibits most of the properties of a physical interface.

In the IPSec VTI, encryption occurs in the tunnel. Traffic is encrypted when it is forwarded to the tunnel interface. Traffic forwarding is handled by the IP routing table, and dynamic or static IP routing can be used to route the traffic to the virtual tunnel interface. Using IP routing to forward the traffic to encryption simplifies the IPSec VPN configuration because the use of ACLs with a crypto map in native IPSec configurations is not required. When IPSec VTIs are used, you can separate applications of NAT, ACLs, and QoS, and apply them to clear text or encrypted text, or both. When crypto maps are used, there is no easy way to specify forced encryption features.

IPSec Virtual Tunnel Interface Configuration Guidelines and Restrictions

When configuring IPSec VTI, follow these guidelines and restrictions:

Only static VTI is currently supported.

IPSec stateful failover is not supported with IPSec VTIs.

Only strict IP ANY ANY proxy is supported.

The IPSec transform set must be configured only in tunnel mode.

The IKE security association (SA) is bound to the virtual tunnel interface. Because it is bound to the virtual tunnel interface, the same IKE SA cannot be used for a crypto map.

The IPSec virtual tunnel interface is limited to IP unicast, as opposed to GRE tunnels, which have a wider application for IPSec implementation.

Multicast over VTI is not supported.

If the packets are from MPLS, VTI cannot be the outgoing interface.

Configuring an IPSec Static Tunnel

To configure a static IPSec virtual tunnel interface, perform this task beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto ipsec profile profile-name

Defines an IPSec profile and enters IPSec profile configuration mode. The IPSec profile defines the IP Security (IPSec) parameters that are to be used for IPSec encryption between two IPSec routers.

profile-name—Name of the user profile.

Step 2 

Router(config-ipsec-profile)# set transform-set transform-set-name [transform-set-name2 ...transform-set-name6]

Specifies which transform sets can be used with the IPSec profile. Up to six transform sets can be listed, in order of priority.

transform-set-name—Name of the transform set.

Step 3 

Router(config)# interface tunnel number

Creates the tunnel interface if it does not exist and enters interface configuration mode. (Exit IPSec profile configuration mode first.) The tunnel commands in Steps 6 through 11 apply only to a tunnel interface.

number—Number of the tunnel interface to be configured.

Step 4 

Router(config-if)# ip vrf forwarding vrf-name

(Optional) Associates a VRF with an interface or subinterface.

vrf-name—Name assigned to the VRF.

Step 5 

Router(config-if)# ip address address mask

Sets a primary or secondary IP address for an interface.

address—IP address.

mask—Subnet mask.

Step 6 

Router(config-if)# tunnel mode ipsec ipv4

Defines the mode for the tunnel as IPSec and the transport as IPv4.

Step 7 

Router(config-if)# tunnel source ip-address

Sets the source address of a tunnel interface.

ip-address—IP address to use as the source address for packets in the tunnel.

Step 8 

Router(config-if)# tunnel destination ip-address

Sets the destination address of a tunnel interface.

ip-address—IP address to use as the destination address for packets in the tunnel.

Step 9 

Router(config-if)# tunnel vrf vrf-name

(Optional) Associates a VPN routing and forwarding instance (VRF) with a specific tunnel destination. This step is only required when configuring a front door VRF (FVRF).

vrf-name—Name assigned to the VRF.

Step 10 

Router(config-if)# crypto engine slot slot inside

Assigns the specified crypto engine to the interface.

slot—Slot and subslot (slot/subslot) where the IPSec VPN SPA is located, for example 4/0.

Step 11 

Router(config-if)# tunnel protection ipsec profile name [shared]

Associates a tunnel interface with an IPSec profile.

name—Name of the IPSec profile; this value must match the name specified in the crypto ipsec profile command in Step 1.

shared—(Optional) Allows the tunnel protection IPSec Security Association Database (SADB) to share the same dynamic crypto map instead of creating a unique crypto map per tunnel interface.

Verifying the IPSec Virtual Tunnel Interface Configuration

To confirm that your IPSec virtual tunnel interface configuration is working properly, enter the show interfaces tunnel, show crypto session, and show ip route commands.

The show interfaces tunnel command displays tunnel interface information, the show crypto session command displays status information for active crypto sessions, and the show ip route command displays the current state of the routing table.

In the following display, Tunnel0 is up and the line protocol is up. If the line protocol is down, the IPSec session is not active.

Router1# show interfaces tunnel 0

Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.0.51.203/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 103/255, rxload 110/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.0.149.203, destination 10.0.149.217
Tunnel protocol/transport IPSEC/IP, key disabled, sequencing disabled
Tunnel TTL 255
Checksumming of packets disabled, fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "P1")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 13000 bits/sec, 34 packets/sec
30 second output rate 36000 bits/sec, 34 packets/sec
191320 packets input, 30129126 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
59968 packets output, 15369696 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

Router1# show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.149.217 port 500
IKE SA: local 10.0.149.203/500 remote 10.0.149.217/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 4, origin: crypto map

Router1# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.35.0/24 is directly connected, Ethernet3/3
S 10.0.36.0/24 is directly connected, Tunnel0
C 10.0.51.0/24 is directly connected, Tunnel0
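As an added example that is not part of the Cisco documentation, the following Python script parses the show crypto session and show interfaces tunnel output and checks what the guidelines above require of a static IPSec VTI session: the session is UP-ACTIVE, an IKE SA is active, and the IPSec proxy is the single strict IP ANY ANY flow. The sample output in the script is constructed after the displays above; the second session (Tunnel1, peer 10.0.149.218) is invented to show a failing case.

```python
"""Checks on the IPSec VTI verification output (added example; not from the
Cisco documentation). parse_crypto_sessions() reads "show crypto session" text;
vti_session_problems() applies what the guidelines above require of a static
VTI session: UP-ACTIVE, an active IKE SA, and a single strict IP ANY ANY IPSec
proxy. tunnel_interface_summary() reads "show interfaces tunnel" and reports the
line protocol state, transport and IPSec profile. Sample outputs are constructed
after the displays above; the second session and its addresses are invented."""
import re
from typing import Dict, List

ANY_ANY = "permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0"


def parse_crypto_sessions(text: str) -> List[Dict]:
    """One dict per 'Interface:' stanza of show crypto session."""
    sessions: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^Interface: (\S+)", line):
            cur = {"interface": m[1], "status": None, "peer": None, "ike_sa": [], "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue                                  # header lines before the first stanza
        elif line.startswith("Session status: "):
            cur["status"] = line[len("Session status: "):]
        elif line.startswith("Peer: "):
            cur["peer"] = line.split()[1]             # "Peer: A.B.C.D port 500"
        elif line.startswith("IKE SA: "):
            cur["ike_sa"].append(line[len("IKE SA: "):])
        elif line.startswith("IPSEC FLOW: "):
            cur["flows"].append(line[len("IPSEC FLOW: "):])
    return sessions


def vti_session_problems(session: Dict) -> List[str]:
    """Empty list when the session looks like a healthy static VTI session."""
    problems = []
    if session["status"] != "UP-ACTIVE":
        problems.append(f"session status is {session['status']}, expected UP-ACTIVE")
    if not any(sa.endswith(" Active") for sa in session["ike_sa"]):
        problems.append("no active IKE SA with the peer")
    if session["flows"] != [ANY_ANY]:
        problems.append("IPSec proxy is not the single strict IP ANY ANY flow a static VTI negotiates")
    return problems


def tunnel_interface_summary(show_interfaces_tunnel: str) -> Dict:
    """Line state, tunnel transport and IPSec profile from show interfaces tunnel."""
    summary = {"up": False, "line_protocol_up": False, "transport": None, "profile": None}
    for raw in show_interfaces_tunnel.splitlines():
        line = raw.strip()
        if m := re.match(r"^Tunnel\d+ is (\S+), line protocol is (\S+)", line):
            summary["up"], summary["line_protocol_up"] = m[1] == "up", m[2] == "up"
        elif m := re.match(r"^Tunnel protocol/transport ([^,\s]+)", line):
            summary["transport"] = m[1]               # "IPSEC/IP" for a VTI
        elif m := re.search(r'Tunnel protection via IPSec \(profile "([^"]+)"\)', line):
            summary["profile"] = m[1]
    return summary


# Constructed sample output, modelled on the displays above. Tunnel1 is invented
# to show a session that fails the static VTI checks.
SAMPLE_SHOW_CRYPTO_SESSION = """\
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.149.217 port 500
  IKE SA: local 10.0.149.203/500 remote 10.0.149.217/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 4, origin: crypto map
Interface: Tunnel1
Session status: DOWN-NEGOTIATING
Peer: 10.0.149.218 port 500
  IKE SA: local 10.0.149.203/500 remote 10.0.149.218/500 Inactive
  IPSEC FLOW: permit ip 10.0.36.0/255.255.255.0 10.0.35.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""
SAMPLE_SHOW_INTERFACES_TUNNEL = """\
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.0.51.203/24
  Tunnel source 10.0.149.203, destination 10.0.149.217
  Tunnel protocol/transport IPSEC/IP, key disabled, sequencing disabled
  Tunnel protection via IPSec (profile "P1")
"""

if __name__ == "__main__":
    print(tunnel_interface_summary(SAMPLE_SHOW_INTERFACES_TUNNEL))
    for s in parse_crypto_sessions(SAMPLE_SHOW_CRYPTO_SESSION):
        print(s["interface"], s["peer"], vti_session_problems(s) or "OK")
```

A narrower proxy than IP ANY ANY on a VTI session usually means the peer is configured with a crypto map and an ACL rather than a VTI; the static VTI on this side will not accept it, so the check reports it alongside the session state.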
C 10.0.149.0/24 is directly connected, Ethernet3/0

For more complete information about IPSec Virtual Tunnel Interface, refer to the following URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041faef.html

For IPSec Virtual Tunnel Interface configuration examples, see the "IPSec Virtual Tunnel Interfaces Configuration Examples" section.

Configuring VPNs in Crypto Connect Alternative Mode

Crypto connect alternative (CCA) mode allows you to configure IPSec VTI without having to configure VRFs. Although CCA requires that VRF mode be configured globally using the crypto engine mode vrf command, tunnels are terminated in the global context rather than in VRFs. CCA is introduced in Cisco IOS Release 12.2(33)SRA.

The configuration steps for CCA are similar to the steps for IPSec VTI shown in the "Configuring an IPSec Static Tunnel" section with the exception that the ip vrf forwarding vrf-name command and the tunnel vrf vrf-name command are not required.

For an example of IPSec Virtual Tunnel Interface configuration using CCA, see the "IPSec Virtual Tunnel Interfaces Configuration Examples" section.

Configuration Examples

This section provides examples of the following configurations:

Access Port in Crypto-Connect Mode Configuration Example

Routed Port in Crypto-Connect Mode Configuration Example

Trunk Port in Crypto-Connect Mode Configuration Example

IPSec VPN SPA Connections to WAN Interfaces Configuration Examples

GRE Tunneling in Crypto-Connect Mode Configuration Example

GRE Takeover Criteria Configuration Examples

IP Multicast over a GRE Tunnel Configuration Example

VRF Mode Configuration Examples

IPSec Virtual Tunnel Interfaces Configuration Examples

Access Port in Crypto-Connect Mode Configuration Example

This section provides an example of the access port configuration with router 1 shown in Figure 29-2:

Router 1 (Access Port)

!
hostname router-1
!
vlan 2,502
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.1
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac 
!
crypto map testtag 10 ipsec-isakmp 
 set peer 11.0.0.1
 set transform-set proposal1 
 match address 101
!
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 502
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk

interface Vlan2
 !interface vlan
 ip address 11.0.0.2 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 !port vlan
 no ip address
 crypto connect vlan 2
!
ip classless
ip route 12.0.0.0 255.0.0.0 11.0.0.1
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
!
end

Router 2 (Access Port)

!
hostname router-2
!
vlan 2,502
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.2
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac 
!
crypto map testtag 10 ipsec-isakmp 
 set peer 11.0.0.2
 set transform-set proposal1 
 match address 101
!
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 502
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 !interface vlan
 ip address 11.0.0.1 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 !port vlan
 no ip address
 crypto connect vlan 2
!
ip classless
ip route 13.0.0.0 255.0.0.0 11.0.0.2
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
!
end
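The Router 1 and Router 2 configurations above are only correct as a pair: each crypto map peer must be the other router's interface VLAN address, the pre-shared keys must match, the crypto ACLs must be mirror images, and the interface VLAN and the port VLAN must be allowed on the IPSec VPN SPA inside and outside trunks respectively. As an added example that is not part of the Cisco documentation, the following Python script parses two configurations shaped like the example and checks those relationships; it also flags a wildcard pre-shared key (address 0.0.0.0 0.0.0.0), which accepts the key from any peer. The SPA port names (GigabitEthernet4/0/1 and 4/0/2) are taken from the example; the embedded configurations are a constructed reduction of Router 1 and Router 2 to the lines the checks read.

```python
"""Consistency checks for a crypto-connect peer pair (added example; not from
the Cisco documentation). Given two IOS configurations shaped like Router 1 and
Router 2 above, it checks that each crypto map peer is the other router's
interface VLAN address, that both routers hold the same pre-shared key for each
other, that the crypto ACLs are mirror images, and that the interface VLAN and
port VLAN are allowed on the SPA inside and outside trunks. Samples constructed."""
import ipaddress
import re

def parse_router(config):
    """ISAKMP keys, crypto maps, numbered crypto ACLs and interface blocks."""
    r = {"keys": {}, "maps": {}, "acls": {}, "ifaces": {}}
    cur = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue
        if line.startswith(" "):                   # sub-command of the open block
            if cur is not None:
                cur.append(line.strip())
            continue
        cur = None
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?$", line):
            r["keys"][(m[2], m[3] or "255.255.255.255")] = m[1]
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            cur = r["maps"].setdefault(m[1], [])
        elif m := re.match(r"access-list (\d+) permit ip host (\S+) host (\S+)", line):
            r["acls"].setdefault(m[1], set()).add((m[2], m[3]))
        elif m := re.match(r"interface (\S+)", line):
            cur = r["ifaces"].setdefault(m[1], [])
    return r

def arg(cmds, prefix):  # first word after `prefix` in a block, or None
    return next((c[len(prefix):].split()[0] for c in cmds if c.startswith(prefix)), None)

def key_for(router, peer):
    """(pre-shared key whose address/mask covers `peer`, is_wildcard) or (None, False)."""
    for (addr, mask), key in router["keys"].items():
        if ipaddress.ip_address(peer) in ipaddress.ip_network(f"{addr}/{mask}", strict=False):
            return key, mask == "0.0.0.0"
    return None, False

def vlan_set(spec):  # "1,2,1002-1005" -> {1, 2, 1002, 1003, 1004, 1005}
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def check_pair(local_cfg, peer_cfg, spa_inside="GigabitEthernet4/0/1", spa_outside="GigabitEthernet4/0/2"):
    """Findings for local_cfg against its peer; an empty list means the pair is consistent."""
    L, P, findings = parse_router(local_cfg), parse_router(peer_cfg), []
    inside = vlan_set(arg(L["ifaces"][spa_inside], "switchport trunk allowed vlan "))
    outside = vlan_set(arg(L["ifaces"][spa_outside], "switchport trunk allowed vlan "))
    for ifname, cmds in L["ifaces"].items():
        mapname = arg(cmds, "crypto map ")
        if not mapname:
            continue
        local_ip, cmap = arg(cmds, "ip address "), L["maps"].get(mapname, [])
        peer, acl = arg(cmap, "set peer "), arg(cmap, "match address ")
        peer_if = next((c for c in P["ifaces"].values()
                        if arg(c, "ip address ") == peer and arg(c, "crypto map ")), None)
        if peer_if is None:
            findings.append(f"{ifname}: peer {peer} is not a crypto map interface on the remote router")
            continue
        (lk, lwild), (pk, pwild) = key_for(L, peer), key_for(P, local_ip)
        if lk is None or lk != pk:
            findings.append(f"{ifname}: pre-shared keys for the peer pair do not match")
        if lwild or pwild:
            findings.append(f"{ifname}: wildcard pre-shared key (address 0.0.0.0 0.0.0.0) accepts any peer")
        remote_acl = arg(P["maps"].get(arg(peer_if, "crypto map "), []), "match address ")
        if {(d, s) for s, d in L["acls"].get(acl, set())} != P["acls"].get(remote_acl, set()):
            findings.append(f"{ifname}: crypto ACL {acl} is not the mirror image of remote ACL {remote_acl}")
        vid = int(ifname[4:]) if ifname.startswith("Vlan") else -1
        if vid not in inside:
            findings.append(f"{ifname}: interface VLAN is not allowed on SPA inside trunk {spa_inside}")
        for pv in [n for n, c in L["ifaces"].items() if f"crypto connect vlan {vid}" in c]:
            if pv.startswith("Vlan") and int(pv[4:]) not in outside:
                findings.append(f"{pv}: port VLAN is not allowed on SPA outside trunk {spa_outside}")
    return findings

# Constructed pair reduced to the lines the checks read; Router 2 is Router 1 with
# the two sides' addresses swapped (11.0.0.1 <-> 11.0.0.2, 12.0.0.2 <-> 13.0.0.2).
ROUTER1 = """\
crypto isakmp key 12345 address 11.0.0.1
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.1
 match address 101
interface GigabitEthernet4/0/1
 switchport trunk allowed vlan 1,2,1002-1005
interface GigabitEthernet4/0/2
 switchport trunk allowed vlan 1,502,1002-1005
interface Vlan2
 ip address 11.0.0.2 255.255.255.0
 crypto map testtag
interface Vlan502
 crypto connect vlan 2
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
"""
ROUTER2 = (ROUTER1.replace("11.0.0.1", "@").replace("11.0.0.2", "11.0.0.1").replace("@", "11.0.0.2")
           .replace("13.0.0.2", "@").replace("12.0.0.2", "13.0.0.2").replace("@", "12.0.0.2"))
```

Run check_pair(ROUTER1, ROUTER2) and check_pair(ROUTER2, ROUTER1) on the real configurations before bringing the tunnel up; a non-mirrored crypto ACL or a key mismatch otherwise surfaces only as a failed IKE or IPSec negotiation.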

Routed Port in Crypto-Connect Mode Configuration Example

This section provides an example of the routed port configuration with router 1 shown in Figure 29-3:

Router 1 (Routed Port)

!
hostname router-1
!
vlan 2
! 
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.2
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac 
!
crypto map testtag 10 ipsec-isakmp 
 set peer 11.0.0.2
 set transform-set proposal1 
 match address 101
!
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 no ip address
 crypto connect vlan 2
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 !interface vlan
 ip address 11.0.0.1 255.255.255.0
 no mop enabled
 crypto map testtag
 crypto engine slot 4/0
!
ip classless
ip route 13.0.0.0 255.0.0.0 11.0.0.2
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
!
end

Router 2 (Routed Port)

!
hostname router-2
!
vlan 2 
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.1
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac 
!
crypto map testtag 10 ipsec-isakmp 
 set peer 11.0.0.1
 set transform-set proposal1 
 match address 101
!
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 no ip address
 crypto connect vlan 2
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 !interface vlan
 ip address 11.0.0.2 255.255.255.0
 no mop enabled
 crypto map testtag
 crypto engine slot 4/0
!
ip classless
ip route 12.0.0.0 255.0.0.0 11.0.0.1
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
!
end

Trunk Port in Crypto-Connect Mode Configuration Example

This section provides an example of the trunk port configuration with router 1 shown in Figure 29-4:

Router 1 (Trunk Port)

!
hostname router-1
!
vlan 2,502
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.2
!
!
crypto ipsec transform-set proposal1  esp-3des esp-md5-hmac 
!
crypto map testtag 10 ipsec-isakmp 
 set peer 11.0.0.2
 set transform-set proposal1 
 match address 101
!
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 502
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 !interface vlan
 ip address 11.0.0.1 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 !port vlan
 no ip address
 crypto connect vlan 2
!
ip classless
ip route 13.0.0.0 255.0.0.0 11.0.0.2
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
!
end

Router 2 (Trunk Port)

!
hostname router-2
!
vlan 2,502
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.1
!
!
crypto ipsec transform-set proposal1  esp-3des esp-md5-hmac 
!
crypto map testtag 10 ipsec-isakmp 
 set peer 11.0.0.1
 set transform-set proposal1 
 match address 101
!
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 502
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk

interface Vlan2
 !interface vlan
 ip address 11.0.0.2 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
! 
interface Vlan502
 !port vlan
 no ip address
 crypto connect vlan 2
!
ip classless
ip route 12.0.0.0 255.0.0.0 11.0.0.1
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
!
end

IPSec VPN SPA Connections to WAN Interfaces Configuration Examples

The following are configuration examples of IPSec VPN SPA connections to WAN interfaces. Note that each of these examples authenticates the peer with a wildcard pre-shared key (crypto isakmp key 12345 address 0.0.0.0 0.0.0.0), which accepts that key from any peer address. In a production configuration, bind the key to the address of the expected peer, as the preceding examples do.

IPSec VPN SPA Connection to an ATM Port Adapter Configuration Example

IPSec VPN SPA Connection to a POS Port Adapter Configuration Example

IPSec VPN SPA Connection to a Serial Port Adapter Configuration Example

IPSec VPN SPA Connection to an ATM Port Adapter Configuration Example

The following example shows the configuration of an IPSec VPN SPA connection to an ATM port adapter:

!
hostname router-1
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des esp-sha-hmac 
!
crypto map testtag_1 10 ipsec-isakmp 
 set peer 11.0.0.2
 set transform-set proposal 
 match address acl_1
!
interface GigabitEthernet1/1
 ip address 12.0.0.2 255.255.255.0
!
interface ATM2/0/0
 no ip address
 atm clock INTERNAL
 no atm enable-ilmi-trap
 no atm ilmi-keepalive
!
interface ATM2/0/0.1 point-to-point
 atm pvc 20 0 20 aal5snap
 no atm enable-ilmi-trap
 crypto connect vlan 2
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 11.0.0.1 255.255.255.0
 crypto map testtag_1
 crypto engine slot 4/0
!
ip classless
ip route 13.0.0.1 255.255.255.255 11.0.0.2
!
ip access-list extended acl_1
 permit ip host 12.0.0.1 host 13.0.0.1
!

IPSec VPN SPA Connection to a POS Port Adapter Configuration Example

The following example shows the configuration of an IPSec VPN SPA connection to a POS port adapter:

!

hostname router-1
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des esp-sha-hmac 
!
crypto map testtag_1 10 ipsec-isakmp 
 set peer 11.0.0.2
 set transform-set proposal 
 match address acl_1
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 12.0.0.2 255.255.255.0
!
interface POS2/0/0
 no ip address
 encapsulation frame-relay
 clock source internal
!
interface POS2/0/0.1 point-to-point
 frame-relay interface-dlci 16   
 crypto connect vlan 2
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 11.0.0.1 255.255.255.0
 crypto map testtag_1
 crypto engine slot 4/0
!
ip classless
ip route 13.0.0.1 255.255.255.255 11.0.0.2
!
ip access-list extended acl_1
 permit ip host 12.0.0.1 host 13.0.0.1

IPSec VPN SPA Connection to a Serial Port Adapter Configuration Example

The following example shows the configuration of an IPSec VPN SPA connection to a serial port adapter:

!
hostname router-1
!
controller T3 2/1/0
 t1 1 channel-group 0 timeslots 1
 t1 2 channel-group 0 timeslots 1
 t1 3 channel-group 0 timeslots 1
 t1 4 channel-group 0 timeslots 1
 t1 5 channel-group 0 timeslots 1
 t1 6 channel-group 0 timeslots 1
 t1 7 channel-group 0 timeslots 1
 t1 8 channel-group 0 timeslots 1
 t1 9 channel-group 0 timeslots 1
 t1 10 channel-group 0 timeslots 1
 t1 11 channel-group 0 timeslots 1
 t1 12 channel-group 0 timeslots 1
 t1 13 channel-group 0 timeslots 1
 t1 14 channel-group 0 timeslots 1
 t1 15 channel-group 0 timeslots 1
 t1 16 channel-group 0 timeslots 1
 t1 17 channel-group 0 timeslots 1
 t1 18 channel-group 0 timeslots 1
 t1 19 channel-group 0 timeslots 1
 t1 20 channel-group 0 timeslots 1
 t1 21 channel-group 0 timeslots 1
 t1 22 channel-group 0 timeslots 1
 t1 23 channel-group 0 timeslots 1
 t1 24 channel-group 0 timeslots 1
 t1 25 channel-group 0 timeslots 1
 t1 26 channel-group 0 timeslots 1
 t1 27 channel-group 0 timeslots 1
 t1 28 channel-group 0 timeslots 1
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des esp-sha-hmac 
!
crypto map testtag_1 10 ipsec-isakmp 
 set peer 11.0.0.2
 set transform-set proposal 
 match address acl_1
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 12.0.0.2 255.255.255.0
!
interface Serial2/1/0/1:0
 ip unnumbered Null0
 encapsulation ppp
 no fair-queue
 no cdp enable
 crypto connect vlan 2
!
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 11.0.0.1 255.255.255.0
 crypto map testtag_1
 crypto engine slot 4/0
!
ip classless
ip route 13.0.0.1 255.255.255.255 11.0.0.2
!
ip access-list extended acl_1
 permit ip host 12.0.0.1 host 13.0.0.1

GRE Tunneling in Crypto-Connect Mode Configuration Example

This section provides an example of a GRE tunneling configuration in crypto-connect mode for two routers. Note that the transform set in this example (ah-md5-hmac) uses AH, which authenticates the GRE packets but does not encrypt them; to keep the tunneled traffic confidential, use an ESP transform set such as those in the preceding examples.

Router 1 (GRE Tunneling)

The following example shows the configuration of GRE tunneling for router 1:

!
hostname router-1
!
vlan 2,502
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.2
!
!
crypto ipsec transform-set proposal1 ah-md5-hmac 
!
crypto map testtag 10 ipsec-isakmp 
 set peer 11.0.0.2
 set transform-set proposal1 
 match address 101
!
!
!
!
interface Tunnel1
 ip address 1.0.0.1 255.255.255.0
 tunnel source Vlan2
 tunnel destination 11.0.0.2
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 502
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 11.0.0.1 255.255.255.0
 no mop enabled
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 no ip address
 crypto connect vlan 2
!
!
ip classless
ip route 13.0.0.0 255.0.0.0 Tunnel1
!
!
access-list 101 permit gre host 11.0.0.1 host 11.0.0.2
!

Router 2 (GRE Tunneling)

!
hostname router-2
!
vlan 2,502
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.1
!
!
crypto ipsec transform-set proposal1 ah-md5-hmac 
!
crypto map testtag 10 ipsec-isakmp 
 set peer 11.0.0.1
 set transform-set proposal1 
 match address 101
!
!
!
!
interface Tunnel1
 ip address 1.0.0.2 255.255.255.0
 tunnel source Vlan2
 tunnel destination 11.0.0.1
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 502
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 11.0.0.2 255.255.255.0
 no mop enabled
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 no ip address
 crypto connect vlan 2
!
ip classless
ip route 12.0.0.0 255.0.0.0 Tunnel1
!
access-list 101 permit gre host 11.0.0.2 host 11.0.0.1
!

GRE Takeover Criteria Configuration Examples

The following examples show how to configure the GRE takeover criteria:

GRE Takeover Criteria Global Configuration Example

GRE Takeover Criteria Tunnel Configuration Example

GRE Takeover Verification Example

GRE Takeover Criteria Global Configuration Example

The following example sets the GRE takeover criteria globally so that the supervisor engine hardware or RP always does the GRE processing:

Router(config)# crypto engine gre supervisor

GRE Takeover Criteria Tunnel Configuration Example

The following example sets the GRE takeover criteria for tunnel interface 3 only, so that the IPSec VPN SPA always does the GRE processing for this tunnel:

Router(config)# interface tunnel 3
Router(config-if)# crypto engine gre vpnblade

GRE Takeover Verification Example

The following example shows how to verify that the tunnel has been taken over by the IPSec VPN SPA:

Router(config)# show crypto vlan 100

Interface VLAN 100 on IPSec Service Module port GigabitEthernet4/0/1 connected to POS8/0/0 
with crypto map set MAP_TO_R2
    Tunnel1 is accelerated via IPSec SM in subslot 4/0

The following example shows that the tunnel has not been taken over by the IPSec VPN SPA:

Router(config)# show crypto vlan 100

Interface VLAN 100 on IPSec Service Module port GigabitEthernet4/0/1 connected to POS8/0/0 
with crypto map set MAP_TO_R2

IP Multicast over a GRE Tunnel Configuration Example

The following example shows how to configure IP multicast over GRE:


hostname router-1
!
vlan 2-1001 
! 
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des 
!
crypto ipsec profile vpnprof
 set transform-set proposal 
!
!
crypto map cm_spoke1_1 10 ipsec-isakmp 
 set peer 11.1.1.1
 set transform-set proposal 
 match address spoke1_acl_1
!
!
interface Tunnel1
 ip address 20.1.1.1 255.255.255.0
 ip mtu 9216
 ip pim sparse-mode
 ip hold-time eigrp 1 3600
 tunnel source 1.0.1.1
 tunnel destination 11.1.1.1
 crypto engine slot 4/0
!
interface GigabitEthernet1/1
 !switch inside port
 mtu 9216
 ip address 50.1.1.1 255.0.0.0
 ip pim sparse-mode
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,252,1002-1005
 switchport mode trunk
 mtu 9216
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,252,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 mtu 9216
 ip address 1.0.1.1 255.255.255.0
 crypto map cm_spoke1_1
 crypto engine slot 4/0
!
interface Vlan252
 mtu 9216
 no ip address
 crypto connect vlan 2
!
router eigrp 1
 network 20.1.1.0 0.0.0.255
 network 50.1.1.0 0.0.0.255
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 11.1.1.0 255.255.255.0 1.0.1.2
!
ip pim bidir-enable
ip pim rp-address 50.1.1.1
!
ip access-list extended spoke1_acl_1
 permit gre host 1.0.1.1 host 11.1.1.1
!

VRF Mode Configuration Examples

The following sections provide examples of VRF mode configurations:

VRF Mode Configuration Example 1 (Basic Configuration)

VRF Mode Configuration Example 2 (Remote Access Using Easy VPN)

VRF Mode Configuration Example 3 (PE)

VRF Mode Configuration Example 4 (CE)

VRF Mode Configuration Example 5 (Tunnel Protection)

VRF Mode Configuration Example 6 (Chassis-to-Chassis Stateless Failover)


Note When the ip vrf forwarding command is applied to a VLAN, any previously existing IP address assigned to that VLAN is removed. To assign an IP address to the VLAN, enter the ip address command after the ip vrf forwarding command, not preceding it.


VRF Mode Configuration Example 1 (Basic Configuration)

The following example shows a basic IPSec VPN SPA configuration using VRF mode:

Router 1 Configuration


hostname router-1
!
ip vrf ivrf
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto engine mode vrf
!
vlan 2,3 
!
crypto keyring key0 
  pre-shared-key address 11.0.0.2 key 12345
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp profile prof1
   vrf ivrf
   keyring key0
   match identity address 11.0.0.2 255.255.255.255
!
!
crypto ipsec transform-set proposal1  esp-3des esp-sha-hmac 
!
crypto map testtag local-address Vlan3
crypto map testtag 10 ipsec-isakmp 
 set peer 11.0.0.2
 set transform-set proposal1 
 set isakmp-profile prof1
 match address 101
!
interface GigabitEthernet1/1
 !switch inside port
 ip vrf forwarding ivrf
 ip address 12.0.0.1 255.255.255.0
!
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip vrf forwarding ivrf
 ip address 13.0.0.252 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0 inside
!
interface Vlan3
 ip address 11.0.0.1 255.255.255.0
 crypto engine slot 4/0 outside
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2

Router 2 Configuration


hostname router-2
!
ip vrf ivrf
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto engine mode vrf
!
vlan 2,3 
!
crypto keyring key0 
  pre-shared-key address 11.0.0.1 key 12345
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp profile prof1
   vrf ivrf
   keyring key0
   match identity address 11.0.0.1 255.255.255.255
!
!
crypto ipsec transform-set proposal1  esp-3des esp-sha-hmac 
!
crypto map testtag local-address Vlan3
crypto map testtag 10 ipsec-isakmp 
 set peer 11.0.0.1
 set transform-set proposal1 
 set isakmp-profile prof1
 match address 101
!
interface GigabitEthernet1/1
 !switch inside port
 ip vrf forwarding ivrf
 ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip vrf forwarding ivrf
 ip address 12.0.0.252 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0 inside
!
interface Vlan3
 ip address 11.0.0.2 255.255.255.0
 crypto engine slot 4/0 outside
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
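
A consistency check for the examples above, written for this page and not part of the Cisco guide: it parses an IOS configuration and reports the mismatches that the crypto-connect examples (the crypto connect target VLAN, the SPA inside and outside trunk VLANs) and the VRF note (ip vrf forwarding before ip address) depend on getting right. The slot-to-port mapping (crypto engine slot 4/0 to GigabitEthernet4/0/1 and 4/0/2) and the wildcard pre-shared key from the IP multicast example are taken from the page; the sample configuration and the finding strings are constructed.

```python
"""Added example, not from the Cisco guide: a consistency linter for IPSec VPN SPA
configurations. Assumes the guide's slot-to-port mapping (crypto engine slot X/Y ->
SPA ports GigabitEthernetX/Y/1 inside, GigabitEthernetX/Y/2 outside)."""
from typing import Dict, List, Optional, Set


def parse_ios(text: str) -> Dict[str, List[str]]:
    """Group config lines by interface; everything outside an interface block lands under key ''."""
    blocks: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks.setdefault(current, [])
        elif raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = ""
            blocks[""].append(raw.strip())
    return blocks


def vlan_set(spec: str) -> Set[int]:
    """Expand a trunk list such as '1,502,1002-1005' into a set of VLAN ids."""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def first(cmds: List[str], prefix: str) -> Optional[str]:
    return next((c for c in cmds if c.startswith(prefix)), None)


def allowed_vlans(cmds: List[str]) -> Set[int]:
    cmd = first(cmds, "switchport trunk allowed vlan ")
    return vlan_set(cmd.split()[-1]) if cmd else set()


def check_config(text: str) -> List[str]:
    blocks = parse_ios(text)
    findings: List[str] = []
    # A 0.0.0.0 0.0.0.0 address shares a single pre-shared key with every peer.
    findings += ["global: wildcard pre-shared key is shared with every peer address" for cmd in blocks[""]
                 if cmd.startswith("crypto isakmp key ") and cmd.endswith(" address 0.0.0.0 0.0.0.0")]
    for name, cmds in blocks.items():
        if not name:
            continue
        connect = first(cmds, "crypto connect vlan ")
        if connect:
            target_id = int(connect.split()[-1])
            target = f"Vlan{target_id}"
            tcmds = blocks.get(target, [])
            if not first(tcmds, "crypto map "):
                findings.append(f"{name}: crypto connect targets {target}, which has no crypto map")
            slot = first(tcmds, "crypto engine slot ")
            if not slot:
                findings.append(f"{name}: {target} has no crypto engine slot")
            else:
                slot_id = slot.split()[3]  # e.g. '4/0'
                inside = blocks.get(f"GigabitEthernet{slot_id}/1", [])
                outside = blocks.get(f"GigabitEthernet{slot_id}/2", [])
                if target_id not in allowed_vlans(inside):
                    findings.append(f"{target}: VLAN {target_id} not allowed on SPA inside port GigabitEthernet{slot_id}/1")
                if name.startswith("Vlan") and int(name[4:]) not in allowed_vlans(outside):
                    findings.append(f"{name}: port VLAN {name[4:]} not allowed on SPA outside port GigabitEthernet{slot_id}/2")
        # Order matters: ip vrf forwarding removes any address already on the interface.
        idx_vrf = next((i for i, c in enumerate(cmds) if c.startswith("ip vrf forwarding ")), None)
        idx_ip = next((i for i, c in enumerate(cmds) if c.startswith("ip address ")), None)
        if idx_vrf is not None and idx_ip is not None and idx_ip < idx_vrf:
            findings.append(f"{name}: ip address entered before ip vrf forwarding, so the address is removed")
    return findings


# Constructed sample modelled on the GRE crypto-connect example, with three deliberate faults:
# a wildcard key, VLAN 502 missing from the SPA outside trunk, and a reversed vrf/address order.
SAMPLE_CONFIG = """\
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.2
!
interface GigabitEthernet4/0/1
 switchport trunk allowed vlan 1,2,1002-1005
!
interface GigabitEthernet4/0/2
 switchport trunk allowed vlan 1,1002-1005
!
interface Vlan2
 ip address 11.0.0.1 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 crypto connect vlan 2
!
interface Vlan3
 ip address 13.0.0.1 255.255.255.0
 ip vrf forwarding ivrf
"""

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE_CONFIG)))
```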

VRF Mode Configuration Example 2 (Remote Access Using Easy VPN)

The following examples show VRF mode configurations for remote access using Easy VPN, first using RADIUS authentication, then using local authentication:

Using RADIUS Authentication

aaa group server radius acs-vrf1
 server-private 192.1.1.251 auth-port 1812 acct-port 1813 key allegro
 ip vrf forwarding vrf1
!
aaa authentication login test_list group acs-vrf1
aaa authorization network test_list group acs-vrf1 
aaa accounting network test_list start-stop group acs-vrf1
!
ip vrf ivrf
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group test
 key world
 pool pool1
!
crypto isakmp profile test_pro
   vrf ivrf
   match identity group test
   client authentication list test_list
   isakmp authorization list test_list
   client configuration address respond
   accounting test_list
crypto ipsec transform-set t3 esp-3des esp-sha-hmac 
!
crypto dynamic-map remote 1
 set transform-set t3 
 set isakmp-profile test_pro
 reverse-route
!
!
crypto map map-ra local-address GigabitEthernet2/1
crypto map map-ra 10 ipsec-isakmp dynamic remote 
!
interface GigabitEthernet2/1
 mtu 9216
 ip address 120.0.0.254 255.255.255.0
 ip flow ingress
 logging event link-status
 mls qos trust ip-precedence
 crypto engine slot 1/0 outside
!
interface GigabitEthernet1/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!

interface Vlan100
 ip vrf forwarding vrf1
 ip address 120.0.0.100 255.255.255.0
 no mop enabled
 crypto map map-ra
 crypto engine slot 1/0 inside
ip local pool pool1 100.0.1.1 100.0.5.250

Using Local Authentication


username t1 password 0 cisco
aaa new-model
!
aaa authentication login test_list local
aaa authorization network test_list local 
!
aaa session-id common
!
ip vrf ivrf
 rd 1:2
 route-target export 1:2
 route-target import 1:2
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test
 key world
 pool pool1
crypto isakmp profile test_pro
   vrf ivrf
   match identity group test
   client authentication list test_list
   isakmp authorization list test_list
   client configuration address respond
   accounting test_list
crypto ipsec transform-set t3 esp-3des esp-sha-hmac 
!
crypto dynamic-map remote 10
 set transform-set t3 
 set isakmp-profile test_pro
 reverse-route
!
crypto map map-ra local-address GigabitEthernet2/1
crypto map map-ra 11 ipsec-isakmp dynamic remote 
!
interface GigabitEthernet2/1
 mtu 9216
 ip address 120.0.0.254 255.255.255.0
 ip flow ingress
 logging event link-status
 mls qos trust ip-precedence
 crypto engine slot 1/0 outside
!
!
interface GigabitEthernet1/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan100
 ip vrf forwarding ivrf
 ip address 120.0.0.100 255.255.255.0
 ip flow ingress
 crypto map map-ra
 crypto engine slot 1/0 inside
!
!
ip local pool pool1 100.0.1.1 100.0.5.250

VRF Mode Configuration Example 3 (PE)

The following example shows a VRF mode configuration for a PE:

!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service counters max age 10
!
hostname router-Alice
!
logging snmp-authfail
enable password cisco
!
no aaa new-model
clock timezone pst -7
ip subnet-zero
!
!
no ip domain-lookup
!
ip vrf blue
 rd 300:10
 route-target export 300:10
 route-target import 300:10
!
ip vrf red
 rd 100:10
 route-target export 200:10
 route-target import 200:10
!
ip multicast-routing 
ip multicast-routing vrf red 
mpls label protocol ldp
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
mls cef error action freeze
!
!
!
!
!
!
!         
! 
crypto keyring test 
  pre-shared-key address 10.1.1.2 key cisco
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 192.168.32.2
crypto isakmp key cisco address 11.1.1.2
crypto isakmp key cisco address 192.168.31.2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac 
crypto ipsec transform-set repro esp-3des esp-sha-hmac 
!
crypto ipsec profile red
 set transform-set test 
!
crypto ipsec profile test
 set transform-set test 
!
!         
crypto map repro 10 ipsec-isakmp 
 set peer 192.168.32.2
 set transform-set repro 
 match address repro
!
crypto engine mode vrf
!
power redundancy-mode combined
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
  auto-sync standard
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface GigabitEthernet2/
 ip address 192.168.31.1 255.255.255.0
 crypto engine slot 4/0
!
interface GigabitEthernet2/2
 no ip address
 shutdown
!
.
.
.
!
interface GigabitEthernet2/16
 no ip address
 shutdown
!
interface GigabitEthernet3/1
 no ip address
 shutdown
!
interface GigabitEthernet3/2
 no ip address
 shutdown
!
interface GigabitEthernet3/3
 no ip address
 shutdown
!
interface GigabitEthernet3/4
 no ip address
 shutdown
!
interface POS3/1
 ip address 192.168.32.1 255.255.255.0
 mls qos trust dscp
 clock source internal
 crypto engine slot 4/0
!
interface POS3/2
 no ip address
 shutdown
 mls qos trust dscp
!
interface POS3/3
 no ip address
 shutdown
 mls qos trust dscp
!
interface POS3/4
 no ip address
 shutdown
 mls qos trust dscp
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet5/1
 no ip address
 shutdown
!
interface GigabitEthernet5/2
 no ip address
 shutdown
!
interface GigabitEthernet7/1
 ip address 17.8.15.1 255.255.0.0
!
interface GigabitEthernet7/2
 no ip address
 shutdown
!
interface GigabitEthernet7/3
 no ip address
 shutdown 
.
.
.
!
interface GigabitEthernet7/9
 no ip address
 shutdown
!
interface GigabitEthernet7/10
 ip address 10.1.1.1 255.255.255.0
 crypto engine slot 4/0
!
interface GigabitEthernet7/11
 ip address 11.1.1.1 255.255.255.0
 crypto engine slot 4/0
!
interface GigabitEthernet7/12
 no ip address
 shutdown
.
.
.
!
interface GigabitEthernet7/19
 no ip address
 shutdown
!
interface GigabitEthernet7/20
 ip address 192.168.30.1 255.255.255.0
 mpls label protocol ldp
 tag-switching ip
!
interface GigabitEthernet7/21
 no ip address
 shutdown
.
.
.
!
interface GigabitEthernet7/41
 ip vrf forwarding red
 ip address 192.168.41.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface GigabitEthernet7/42
 no ip address
.
.
.
!
interface GigabitEthernet7/48
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!         
interface Vlan32
 no ip address
 no mop enabled
 crypto map repro
!
interface Vlan100
 no ip address
 no mop enabled
!
interface Vlan110
 no ip address
 no mop enabled
!
router ospf 1
 log-adjacency-changes
 passive-interface GigabitEthernet7/10
 network 10.0.0.0 0.255.255.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
!
router ospf 10 vrf red
 log-adjacency-changes
 redistribute bgp 1 subnets
 redistribute rip subnets
 network 10.2.1.0 0.0.0.255 area 0
!
router rip
 version 2
 !
 address-family ipv4 vrf red
 redistribute ospf 10 metric 10
 redistribute bgp 1 metric 10
 network 31.0.0.0
 network 32.0.0.0
 network 192.168.41.0
 no auto-summary
 exit-address-family
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.3.1 remote-as 1
 neighbor 192.168.3.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 192.168.3.1 activate
 neighbor 192.168.3.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf red
 redistribute ospf 10
 redistribute rip
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf blue
 neighbor 11.2.1.2 remote-as 65001
 neighbor 11.2.1.2 activate
 no auto-summary
 no synchronization
 network 11.2.1.0 mask 255.255.255.0
 exit-address-family
!
ip classless
ip route 0.0.0.0 0.0.0.0 17.8.0.1
ip route 192.168.9.0 255.255.255.0 Tunnel32
ip route 192.168.43.0 255.255.255.0 Tunnel32
no ip http server
!
!
!
ip access-list extended repro
 permit gre host 192.168.32.1 host 192.168.32.2
ip access-list extended to2651
ip access-list extended to3745
ip access-list extended to7609
!
access-list 199 permit ip host 10.1.1.2 host 192.168.6.1
!
!
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
!         
line con 0
 exec-timeout 0 0
line vty 0 4
 login
!
!
end

VRF Mode Configuration Example 4 (CE)

The following example shows a VRF mode configuration for a CE:

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 10
!
hostname router-Bobby
!
enable password cisco
!
no aaa new-model
clock timezone pst -7
ip subnet-zero
!
!
!
ip multicast-routing 
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 192.168.32.1
crypto isakmp key cisco address 192.168.31.1
!
!
crypto ipsec transform-set repro esp-3des esp-md5-hmac 
crypto ipsec transform-set test esp-3des esp-md5-hmac 
!
crypto ipsec profile test
 set transform-set test 
!
!
crypto map repro 10 ipsec-isakmp 
 set peer 192.168.32.1
 set transform-set repro 
 match address repro
!
crypto map test 10 ipsec-isakmp 
 set peer 192.168.31.1
 set transform-set test 
 match address tope
!
spanning-tree mode pvst
spanning-tree extend system-id
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
!
vlan internal allocation policy ascending
!
!
interface Loopback0
 ip address 192.168.9.1 255.255.255.0
!
!
interface GigabitEthernet1/1
 !switch inside port
 no ip address
 shutdown
!
interface GigabitEthernet1/2
 !switch outside port
 no ip address
 shutdown
!
interface GigabitEthernet2/1
 no ip address
 crypto connect vlan 31
!
interface GigabitEthernet2/2
 no ip address
 shutdown
.
.
.
!
interface GigabitEthernet2/16
 no ip address
 shutdown
!
interface GigabitEthernet3/1
 no ip address
 shutdown
 flowcontrol receive on
 flowcontrol send off
!
interface GigabitEthernet3/2
 no ip address
 shutdown
 flowcontrol receive on
 flowcontrol send off
!
interface GigabitEthernet3/3
 no ip address
 shutdown
!
interface GigabitEthernet3/4
 no ip address
 shutdown
!
interface POS3/1
 no ip address
 mls qos trust dscp
 crypto connect vlan 32
!
interface POS3/2
 no ip address
 shutdown
 mls qos trust dscp
!
interface POS3/3
 no ip address
 shutdown
 mls qos trust dscp
!
interface POS3/4
 no ip address
 shutdown
 mls qos trust dscp
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,31,32,1002-1005
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet7/1
 ip address 17.8.15.9 255.255.0.0
!
interface GigabitEthernet7/2
 no ip address
 shutdown
.
.
.
!
interface GigabitEthernet7/42
 no ip address
 shutdown
!
interface GigabitEthernet7/43
 ip address 192.168.43.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface GigabitEthernet7/44
 no ip address
 shutdown
!
interface GigabitEthernet7/45
 no ip address
 shutdown
!
interface GigabitEthernet7/46
 no ip address
 shutdown
!
interface GigabitEthernet7/47
 no ip address
 shutdown
!
interface GigabitEthernet7/48
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan31
 ip address 192.168.31.2 255.255.255.0
 no mop enabled
 crypto map test
 crypto engine slot 4/0
!
interface Vlan32
 ip address 192.168.32.2 255.255.255.0
 no mop enabled
 crypto map repro
 crypto engine slot 4/0
!
router rip
 version 2
 network 31.0.0.0
 network 32.0.0.0
 network 192.168.9.0
 network 192.168.43.0
 distribute-list 1 out
 no auto-summary
!
ip classless
ip route 192.168.6.0 255.255.255.0 Tunnel32
no ip http server
!
!
!
ip access-list extended repro
 permit gre host 192.168.32.2 host 192.168.32.1
ip access-list extended tope
 permit gre host 192.168.31.2 host 192.168.31.1
!
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 1 permit 192.168.43.0 0.0.0.255
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
line vty 0 4
 no login
 transport input lat pad mop telnet rlogin udptn nasi
!
!
end

VRF Mode Configuration Example 5 (Tunnel Protection)

The following example shows a VRF mode configuration with tunnel protection:

ip vrf coke
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto keyring key1 
 pre-shared-key address 100.1.1.1 key happy-eddie
!
crypto isakmp policy 1
 authentication pre-share

crypto isakmp profile prof1
 keyring key1
 match identity address 100.1.1.1 255.255.255.255 
!
crypto ipsec transform-set TR esp-des esp-md5-hmac 
!
crypto ipsec profile tp
 set transform-set TR 
 set isakmp-profile prof1
!
!
crypto engine mode vrf
!
interface Tunnel1
 ip vrf forwarding coke
 ip address 10.1.1.254 255.255.255.0
 tunnel source 172.1.1.1
 tunnel destination 100.1.1.1
 tunnel protection ipsec profile tp
 crypto engine slot 4/0 inside
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 cdp enable
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 cdp enable
 spanning-tree portfast trunk
!
interface GigabitEthernet6/1
 ip address 172.1.1.1 255.255.255.0
 crypto engine slot 4/0 outside
!
interface FastEthernet7/13
 ip vrf forwarding coke
 ip address 13.1.1.2 255.255.255.0
!
ip route 100.1.1.1 255.255.255.255 Tunnel1

VRF Mode Configuration Example 6 (Chassis-to-Chassis Stateless Failover)

The following example shows a VRF mode configuration that uses HSRP for chassis-to-chassis stateless failover with crypto maps:

!
hostname router-1
!
ip vrf ivrf
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto engine mode vrf
!
vlan 2,3 
!
crypto keyring key1 
  pre-shared-key address 14.0.1.1 key 12345
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp keepalive 10
crypto isakmp profile ivrf
   vrf ivrf
   keyring key1
   match identity address 14.0.1.1 255.255.255.255 
!
crypto ipsec transform-set ts esp-3des esp-sha-hmac 
!
crypto map map_vrf_1 local-address Vlan3
crypto map map_vrf_1 10 ipsec-isakmp 
 set peer 14.0.1.1
 set transform-set ts 
 set isakmp-profile ivrf
 match address acl_1
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 13.254.254.1 255.255.255.0
!
interface GigabitEthernet1/1.1
 encapsulation dot1Q 2000
 ip vrf forwarding ivrf
 ip address 13.254.254.1 255.0.0.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 3
 switchport mode access
!

interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan3
 ip address 15.0.0.2 255.255.255.0
 standby delay minimum 0 reload 0
 standby 1 ip 15.0.0.100
 standby 1 timers msec 100 1
 standby 1 priority 105
 standby 1 preempt
 standby 1 name std-hsrp
 standby 1 track GigabitEthernet1/2
 crypto engine slot 4/0 outside
!
interface Vlan2
 ip vrf forwarding ivrf
 ip address 15.0.0.252 255.255.255.0
 crypto map map_vrf_1 redundancy std-hsrp 
 crypto engine slot 4/0 inside

!
ip classless
ip route 12.0.0.0 255.0.0.0 15.0.0.1
ip route 13.0.0.0 255.0.0.0 13.254.254.2
ip route 14.0.0.0 255.0.0.0 15.0.0.1
ip route 223.255.254.0 255.255.255.0 17.1.0.1
ip route vrf ivrf 12.0.0.1 255.255.255.255 15.0.0.1
!
ip access-list extended acl_1
 permit ip host 13.0.0.1 host 12.0.0.1
!
!
arp vrf ivrf 13.0.0.1 0000.0000.2222 ARPA

IPSec Virtual Tunnel Interfaces Configuration Examples

The following examples show VRF mode configurations that use VTI:

IPSec Virtual Tunnel Interface Configuration Example 1 (FVRF)

IPSec Virtual Tunnel Interface Configuration Example 2 (CCA)

IPSec Virtual Tunnel Interface Configuration Example 1 (FVRF)

The following example shows an FVRF VTI configuration:

hostname router-1
!
!
ip vrf fvrf
 rd 2000:1
 route-target export 2000:1
 route-target import 2000:1
!
ip vrf ivrf
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto engine mode vrf
! 
crypto keyring key1 vrf fvrf
  pre-shared-key address 11.1.1.1 key cisco47
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp profile isa_prof
   keyring key1
   match identity address 11.1.1.1 255.255.255.255 fvrf
crypto ipsec transform-set proposal esp-3des esp-sha-hmac
!
!
crypto ipsec profile vpnprof
 set transform-set proposal 
 set isakmp-profile isa_prof
!
!
!
!
!
interface Tunnel1
 ip vrf forwarding ivrf
 ip address 20.1.1.1 255.255.255.0
 ip pim sparse-mode
 ip ospf network broadcast
 ip ospf priority 2
 tunnel source 1.0.0.1
 tunnel destination 11.1.1.1
 tunnel mode ipsec ipv4
 tunnel vrf fvrf
 tunnel protection ipsec profile vpnprof
 crypto engine slot 4/0 inside
!
interface Loopback1
 ip vrf forwarding fvrf
 ip address 1.0.0.1 255.255.255.0
!
interface GigabitEthernet1/1
 !switch inside port
 ip vrf forwarding ivrf
 ip address 50.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 ip vrf forwarding fvrf
 ip address 9.1.1.1 255.255.255.0
 crypto engine slot 4/0 outside
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
router ospf 1 vrf ivrf
 log-adjacency-changes
 network 20.1.1.0 0.0.0.255 area 0
 network 21.1.1.0 0.0.0.255 area 0
 network 50.0.0.0 0.0.0.255 area 0
!
ip classless
ip route vrf fvrf 11.1.1.0 255.255.255.0 9.1.1.254

IPSec Virtual Tunnel Interface Configuration Example 2 (CCA)

The following example shows an IPSec VTI configuration in crypto connect alternative (CCA) mode:

!
crypto engine mode vrf
!
crypto keyring key1 
  pre-shared-key address 14.0.0.2 key 12345 
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp profile prof1
   keyring key1
   match identity address 14.0.0.2 255.255.255.255 
!
crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac 
!
crypto ipsec profile prof1
 set transform-set t-set1 
 set isakmp-profile prof1
!
!
interface Tunnel1
 ip address 122.0.0.2 255.255.255.0
 tunnel source 15.0.0.2
 tunnel destination 14.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile prof1
 crypto engine slot 2/0 inside
!
interface Loopback2
 ip address 15.0.0.2 255.255.255.0
!

interface GigabitEthernet1/3
 ip address 172.2.1.1 255.255.255.0
 crypto engine slot 2/0 outside
!
interface GigabitEthernet2/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
!
ip route 14.0.0.0 255.0.0.0 172.2.1.2
ip route 172.0.0.0 255.0.0.0 172.2.1.2