Feedback
Table Of Contents
Configuring VPNs on the IPSec VPN SPA
Overview of Basic IPSec and IKE Configuration Concepts
Information About IPSec Configuration
Information About IKE Configuration
Configuring VPNs with the IPSec VPN SPA
Configuring Ports in Crypto-Connect Mode
Understanding Port Types in Crypto-Connect Mode
Crypto-Connect Mode Configuration Guidelines and Restrictions
Configuring the IPSec VPN SPA Inside Port and Outside Port
Configuring IPSec VPN SPA Connections to WAN Interfaces
Displaying the VPN Running State
Understanding VPN Configuration in VRF Mode
VRF Mode Configuration Guidelines and Restrictions
Configuring VPNs in VRF Mode without Tunnel Protection
Configuring VPNs in VRF Mode with Tunnel Protection
Configuring VRF Mode with Chassis-to-Chassis Stateless Failover
Configuring GRE Tunneling in Crypto-Connect Mode
Configuring GRE Tunneling in VRF Mode
Configuring the GRE Takeover Criteria
Configuring IP Multicast over a GRE Tunnel
Configuring an IPSec Virtual Tunnel Interface
IPSec Virtual Tunnel Interface Configuration Guidelines and Restrictions
Configuring an IPSec Static Tunnel
Verifying the IPSec Virtual Tunnel Interface Configuration
Configuring VPNs in Crypto Connect Alternative Mode
Access Port in Crypto-Connect Mode Configuration Example
Routed Port in Crypto-Connect Mode Configuration Example
Trunk Port in Crypto-Connect Mode Configuration Example
IPSec VPN SPA Connections to WAN Interfaces Configuration Examples
GRE Tunneling in Crypto-Connect Mode Configuration Example
GRE Takeover Criteria Configuration Examples
IP Multicast over a GRE Tunnel Configuration Example
VRF Mode Configuration Examples
IPSec Virtual Tunnel Interfaces Configuration Examples
Configuring VPNs on the IPSec VPN SPA
This chapter provides information about configuring IPSec VPNs on the IPSec VPN SPA on the Cisco 7600 series router. It includes the following sections:
•
Overview of Basic IPSec and IKE Configuration Concepts
•
•
•
•
•
Note
For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.
For more information about the commands used in this chapter, see first Chapter 37, "SIP, SSC, and SPA Commands," and then the Cisco 7600 Series Cisco IOS Command Reference, 12.2 SX publication. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information about accessing these publications, see the "Related Documentation" section on page -xliv.
Tip
Overview of Basic IPSec and IKE Configuration Concepts
This subsection reviews some basic IPSec and IKE concepts that are used throughout the configuration of the IPSec VPN SPA, such as security associations (SAs), access lists (ACLs), crypto maps, transform sets, and IKE policies. The information presented here is introductory and should not be considered complete. For more detailed information on IPSec and IKE concepts and procedures, refer to the Cisco IOS Security Configuration Guide.
Information About IPSec Configuration
IPSec provides secure tunnels between two peers, such as two routers. More accurately, these tunnels are sets of security associations (SAs) that are established between two IPSec peers. The SAs define which protocols and algorithms should be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol (Authentication Header (AH) or Encapsulating Security Payload (ESP)). Multiple IPSec tunnels can exist between two peers to secure different data streams, with each tunnel using a separate set of SAs. For example, some data streams might be authenticated only while other data streams must both be encrypted and authenticated.
Note
With IPSec, you define what traffic should be protected between two IPSec peers by configuring ACLs and applying these ACLs to interfaces by way of crypto maps. (The ACLs used for IPSec are used only to determine which traffic should be protected by IPSec, not which traffic should be blocked or permitted through the interface. Separate ACLs define blocking and permitting at the interface.)
If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you must create two different crypto ACLs to define the two different types of traffic. These different ACLs are then used in different crypto map entries, which specify different IPSec policies.
Crypto ACLs associated with IPSec crypto map entries have four primary functions:
•
•
•
•
Crypto map entries created for IPSec combine the various parts used to set up IPSec SAs, including:
•
•
•
•
•
•
•
Crypto map entries are searched in order—the router attempts to match the packet to the access list specified in that entry.
Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec-protected traffic.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers' IPSec SAs. (With manually established SAs, there is no negotiation with the peer, so both sides must specify the same transform set.)
Information About IKE Configuration
IKE is a key management protocol standard that is used in conjunction with the IPSec standard.
IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)
IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is enabled by default.
You configure IKE by creating IKE policies at each peer using the crypto isakmp policy command. An IKE policy defines a combination of security parameters to be used during the IKE negotiation and mandates how the peers are authenticated.
You can create multiple IKE policies, each with a different combination of parameter values, but at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer. For each policy that you create, you assign a unique priority (1 through 10,000, with 1 being the highest priority).
If you do not configure any policies, your router uses the default policy, which is always set to the lowest priority, and which contains each parameter's default value.
There are five parameters to define in each IKE policy:
•
•
•
•
•
Configuring VPNs with the IPSec VPN SPA
To configure a VPN using the IPSec VPN SPA, you have two basic options: crypto-connect mode or Virtual Routing and Forwarding (VRF) mode. In either mode, you may also configure GRE tunneling to encapsulate a wide variety of protocol packet types, including multicast packets, inside the VPN tunnel.
Note
Crypto-Connect Mode
Traditionally, VPNs are configured on the IPSec VPN SPA by attaching crypto maps to interface VLANs and then crypto-connecting a physical port to the interface VLAN. This method, known as crypto-connect mode, is similar to the method used to configure VPNs on routers running Cisco IOS software. When you configure VPNs on the IPSec VPN SPA using crypto-connect mode, you attach crypto maps to VLANs (using interface VLANs); when you configure VPNs on routers running Cisco IOS software, you configure individual interfaces.
Note
VRF Mode
The VRF-aware IPSec feature, known as VRF mode, allows you to map IPSec tunnels to VPN routing and forwarding instances (VRFs) using a single public-facing address. A VRF instance is a per-VPN routing information repository that defines the VPN membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and CEF tables is maintained for each VPN customer.
When you configure a VPN on the IPSec VPN SPA using VRF mode, the model of interface VLANs is preserved, but the crypto connect vlan command is not used. Instead, a route must be installed so that packets destined for that particular subnet in that particular VRF are directed to that interface VLAN.
When configuring a VPN using VRF mode, you have these additional tunneling options: tunnel protection (TP) using GRE, and Virtual Tunnel Interface (VTI). When configuring VTI, you can terminate tunnels in VRFs (normal VRF mode) or in the global context, using crypto connect alternative (CCA) mode.
Configuring Ports in Crypto-Connect Mode
Before beginning your crypto-connect mode port configurations, you should read the following subsections:
•
•
Then perform the procedures in the following subsections:
•
•
•
Note
Note
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htUnderstanding Port Types in Crypto-Connect Mode
To configure IPSec VPNs in crypto-connect mode, you should understand the following concepts:
•
•
•
•
Router Outside Ports and Inside Ports
The Fast Ethernet or Gigabit Ethernet ports on the Cisco 7600 series router that connect to the WAN routers are referred to as router outside ports. These ports connect the LAN to the Internet or to remote sites. Cryptographic policies are applied to the router outside ports.
The Fast Ethernet or Gigabit Ethernet ports on the Cisco 7600 series router that connect to the LAN are referred to as router inside ports.
The IPSec VPN SPA sends encrypted packets to the router outside ports and decrypted packets to the Policy Feature Card (PFC) for Layer 3 forwarding to the router inside ports.
IPSec VPN SPA Outside Port and Inside Port
The IPSec VPN SPA appears to the CLI as a SPA with two Gigabit Ethernet ports. The IPSec VPN SPA has no external connectors; the Gigabit Ethernet ports connect the IPSec VPN SPA to the router backplane and Switch Fabric Module (SFM) (if installed).
One Gigabit Ethernet port handles all the traffic going to and coming from the router outside ports. This port is referred to as the IPSec VPN SPA outside port. The other Gigabit Ethernet port handles all traffic going to and coming from the LAN or router inside ports. This port is referred to as the IPSec VPN SPA inside port.
Port VLAN and Interface VLAN
Your VPN configuration can have one or more router outside ports. To handle the packets from multiple router outside ports, you must direct the packets from multiple router outside ports to the IPSec VPN SPA outside port by placing the router outside ports in a VLAN with the outside port of the IPSec VPN SPA. This VLAN is referred to as the port VLAN. The port VLAN is a Layer 2-only VLAN. You do not configure Layer 3 addresses or features on this VLAN; the packets within the port VLAN are bridged by the PFC.
Before the router can forward the packets using the correct routing table entries, the router needs to know which interface a packet was received on. For each port VLAN, you must create another VLAN so that the packets from every router outside port are presented to the router with the corresponding VLAN ID. This VLAN contains only the IPSec VPN SPA inside port and is referred to as the interface VLAN. The interface VLAN is a Layer 3-only VLAN. You configure the Layer 3 address and Layer 3 features, such as ACLs and the crypto map, to the interface VLAN.
You tie the port VLAN and the interface VLAN together using the crypto engine slot command on the interface VLAN followed by the crypto connect vlan command on the port VLAN. Figure 29-1 shows an example of the port VLAN and interface VLAN configurations.
Figure 29-1 Port VLAN and Interface VLAN Configuration Example
Port VLAN 502 and port VLAN 503 are the port VLANs that are associated with two router outside ports.
Interface VLAN 2 and interface VLAN 3 are the interface VLANs that correspond to port VLAN 502 and port VLAN 503, respectively.
You configure the IP address, ACLs, and crypto map that apply to one router outside port on interface VLAN 2. You configure the features that apply to another router outside port on interface VLAN 3.
Packets coming from the WAN through the router outside port belonging to VLAN 502 are directed by the PFC to the IPSec VPN SPA outside port. The IPSec VPN SPA decrypts the packets and changes the VLAN to interface VLAN 2 and then presents the packet to the router through the IPSec VPN SPA inside port. The PFC then routes the packet to the proper destination.
Packets going from the LAN to the outside ports are first routed by the PFC. Based on the route, the PFC routes the packets to one of the interface VLANs and directs the packet to the IPSec VPN SPA inside port. The IPSec VPN SPA applies the cryptographic policies that are configured on the corresponding interface VLAN, encrypts the packet, changes the VLAN ID to the corresponding port VLAN, and sends the packet to the router outside port through the IPSec VPN SPA outside port.
Access Ports, Trunk Ports, and Routed Ports
When you configure VPNs on the IPSec VPN SPA using crypto-connect mode, you attach crypto maps to interface VLANs. Using the crypto connect vlan command, you then attach an interface VLAN either to a Layer 2 port VLAN associated with one or more physical ports, or directly to a physical port. The physical ports can be ATM, POS, serial, or Ethernet ports.
When you crypto-connect an interface VLAN to a port VLAN that is attached to one or more Ethernet ports configured in switchport mode, the Ethernet ports can be configured as either access ports or trunk ports:
•
•
When you crypto-connect an interface VLAN to a physical Ethernet port without defining a port VLAN, a hidden port VLAN is automatically created and associated with the port. In this configuration, the Ethernet port is a routed port:
•
Crypto-Connect Mode Configuration Guidelines and Restrictions
Follow these guidelines and restrictions to prevent IPSec VPN SPA misconfigurations when configuring VPN ports in crypto-connect mode:
•
•
•
If you apply the same crypto map set to each secure interface and enter the crypto map local-address command with the interface as a loopback interface, you will have a single security association database for the set of secure interfaces. If you do not enter the crypto map local-address command, the number of IKE security associations is equal to the number of interfaces attached.
•
•
•
When you enter the crypto connect vlan command and the interface VLAN or port VLAN is not in the VLAN database, this warning message is displayed:
VLAN id 2 not found in current VLAN database. It may not function correctly unlessVLAN 2 is added to VLAN database.•
•
Configuring the IPSec VPN SPA Inside Port and Outside Port
In most cases, you do not explicitly configure the IPSec VPN SPA inside and outside ports. Cisco IOS software configures these ports automatically.
IPSec VPN SPA Inside and Outside Port Configuration Guidelines and Restrictions
When configuring the IPSec VPN SPA inside and outside ports, follow these guidelines:
•
•
•
Note
If you accidentally change the inside port characteristics, enter the following commands to return the port characteristics to the defaults:
Router(config-if)# switchportRouter(config-if)# no switchport access vlanRouter(config-if)# switchport trunk allowed vlan 1,1002-1005Router(config-if)# switchport trunk encapsulation dot1qRouter(config-if)# switchport mode trunkRouter(config-if)# mtu 9216Router(config-if)# flow control receive onRouter(config-if)# flow control send offRouter(config-if)# span portfast trunk•
Note
•
Configuring an Access Port
This section describes how to configure the IPSec VPN SPA with an access port connection to the WAN router (see Figure 29-2).
Figure 29-2 Access Port Configuration Example
Note
Note
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htmTo configure an access port connection to the WAN router, perform the following task beginning in global configuration mode:
For access port configuration examples, see the "Access Port in Crypto-Connect Mode Configuration Example" section.
Verifying the Access Port Configuration
To verify an access port configuration, enter the show crypto vlan command.
Router# show crypto vlanInterface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to VLAN 502 with crypto map set MyMapConfiguring a Routed Port
This section describes how to configure the IPSec VPN SPA with a routed port connection to the WAN router (see Figure 29-3).
Note
Figure 29-3 Routed Port Configuration Example
Note
Cisco IOS Security Configuration Guide, Release 12.2, at this URL
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htmRouted Port Configuration Guidelines
When configuring a routed port using the IPSec VPN SPA, follow these configuration guidelines:
•
•
To configure a routed port connection to the WAN router, perform this task beginning in global configuration mode:
For routed port configuration examples, see the "Routed Port in Crypto-Connect Mode Configuration Example" section.
Verifying a Routed Port Configuration
To verify a route port configuration, enter the show crypto vlan command. In the following example, Gi 1/2 is the crypto-connected port:
Router# show crypto vlanInterface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to Gi1/2 with crypto map set MyMapConfiguring a Trunk Port
Caution
This section describes how to configure the IPSec VPN SPA with a trunk port connection to the WAN router (see Figure 29-4).
Figure 29-4 Trunk Port Configuration Example
Note
Note
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htmTrunk Port Configuration Guidelines
When configuring a trunk port using the IPSec VPN SPA, follow these configuration guidelines:
•
•
Command rejected:VLAN 2 is crypto connected to V502.To remove the interface VLAN from the VLAN list, enter the following commands:
Router# configure terminalRouter(config)# interface g1gabitethernet1/2Router(config-if)# no switchport mode trunkRouter(config-if)# switchport trunk allowed vlan 1Router(config-if)# switchport mode trunkRouter(config-if)# switchport trunk allowed vlan 1,502,1002-1005
Note
•
Router# configure terminalRouter(config)# interface g1gabitethernet1/2Router(config)# no shutRouter(config-if)# switchportRouter(config-if)# switchport trunk allowed vlan 1Router(config-if)# switchport trunk encapsulation dot1qRouter(config-if)# switchport mode trunkRouter(config-if)# switchport trunk allowed vlan 1,502,1002-1005
Note
•
Router(config-if)# switchport trunk allowed vlan add 502If the switchport trunk allowed vlan command has not already been used, the add option does not make VLAN 502 the only allowed VLAN on the trunk port; all VLANs are still allowed after entering the command because all the VLANs are allowed by default. After you use the switchport trunk allowed vlan command to add a VLAN, you can then use the switchport trunk allowed vlan add command to add additional VLANs.
•
Caution
To configure a trunk port connection to the WAN router, perform this task beginning in global configuration mode:
For trunk port configuration examples, see the "Trunk Port in Crypto-Connect Mode Configuration Example" section.
Verifying the Trunk Port Configuration
To verify the VLANs allowed by a trunk port, enter the show interfaces trunk command. The following display shows that all VLANs are allowed:
Router# show interfaces GigabitEthernet 1/2 trunkPort Mode Encapsulation Status Native vlanGi1/2 on 802.1q trunking 1Port Vlans allowed on trunkGi1/2 1-4094Port Vlans allowed and active in management domainGi1/2 1-4,7-8,513,1002-1005Port Vlans in spanning tree forwarding state and not prunedGi1/2 1-4,7-8,513,1002-1005Configuring IPSec VPN SPA Connections to WAN Interfaces
The configuration of IPSec VPN SPA connections to WAN interfaces is similar to the configuration of Ethernet routed interfaces.
IPSec VPN SPA Connections to WAN Interfaces Configuration Guidelines and Restrictions
When configuring a connection to a WAN interface using an IPSec VPN SPA, follow these guidelines and note these restrictions:
•
Router(config)# interface Vlan101Router(config-if)# ip address 192.168.101.1 255.255.255.0Router(config-if)# no mop enabledRouter(config-if)# crypto map cwanRouter(config)# interface ATM6/0/0.101 point-to-pointRouter(config-subif)# pvc 0/101Router(config-subif)# crypto connect vlan 101•
•
•
•
Router(config)# router ospf 10Router(config)# passive-interface multilink1•
•
•
Router(config)# interface vlan inside-vlanRouter(config-if)# ip ospf network point-to-pointFor IPSec VPN SPA connections to WAN interfaces configuration examples, see the "IPSec VPN SPA Connections to WAN Interfaces Configuration Examples" section
Displaying the VPN Running State
Use the show crypto vlan command to display the VPN running state. The following examples show the show crypto vlan command output for a variety of IPSec VPN SPA configurations.
In the following example, the interface VLAN belongs to the IPSec VPN SPA inside port:
Router# show crypto vlanInterface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to Fa8/3In the following example, VLAN 2 is the interface VLAN and VLAN 2022 is the hidden VLAN:
Router# show crypto vlanInterface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to VLAN 2022 with crypto map set coral2In the following example, the interface VLAN is missing on the IPSec VPN SPA inside port, the IPSec VPN SPA is removed from the chassis, or the IPSec VPN SPA was moved to a different subslot:
Router# show crypto vlanInterface VLAN 2 connected to VLAN 502 (no IPSec Service Module attached)Configuring VPNs in VRF Mode
The VRF-Aware IPSec feature, known as VRF mode, allows you to map IPSec tunnels to VPN routing and forwarding instances (VRFs) using a single public-facing address.
A VRF instance is a per-VPN routing information repository that defines the VPN membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and CEF tables is maintained for each VPN customer.
Note
Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, called the front door VRF (FVRF), while the inner, protected IP packet belongs to another domain called the Inside VRF (IVRF). Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.
One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the ISAKMP profile that is attached to a crypto map entry.
With VRF mode, packets belonging to a specific VRF are routed through the IPSec VPN SPA for IPSec processing. Through the CLI, you associate a VRF with an interface VLAN that has been configured to point to the IPSec VPN SPA. An interface VLAN must be created for each VRF. Packets traveling from an MPLS cloud to the Internet that are received from an inside VRF are routed to an interface VLAN, and then to the IPSec VPN SPA for IPSec processing. The IPSec VPN SPA modifies the packets so that they are placed on a special Layer 3 VLAN for routing to the WAN-side port after they leave the IPSec VPN SPA.
Note
Packets traveling in the inbound direction from a protected port on which the crypto engine slot command has been entered are redirected by a special ACL to the IPSec VPN SPA, where they are processed according to the Security Parameter Index (SPI) contained in the packet's IPSec header. Processing on the IPSec VPN SPA ensures that the decapsulated packet is mapped to the appropriate interface VLAN corresponding to the inside VRF. This interface VLAN has been associated with a specific VRF, so packets are routed within the VRF to the correct inside interface.
Note
The following subsections describe how to configure a VPN in VRF mode with and without tunnel protection on the IPSec VPN SPA:
•
•
•
•
•
Understanding VPN Configuration in VRF Mode
In the traditional crypto-connect mode, a VPN is configured by attaching crypto maps to interface VLANs and then crypto-connecting a physical port to the interface VLAN. When configuring a VPN in VRF mode using the IPSec VPN SPA, the model of interface VLANs is preserved, but the crypto connect vlan CLI command is not used. When a packet comes into an interface on a specific VRF, the packet must get to the proper interface VLAN. A route must be installed so that packets destined for that particular subnet in that particular VRF are directed to that interface VLAN. This function can be achieved through the following configuration options:
•
int vlan 100ip vrf forwarding cokeip address 10.1.1.254 255.255.255.0 <-- same subnet as 10.1.1.x that we are trying to reach.crypto map mymapcrypto engine slot 4/1•
ip route vrf coke 10.1.1.0 255.255.255.0 vlan 100•
Note
•
With VRF mode, the router sees the interface VLAN as a point-to-point connection; the packets are placed directly onto the interface VLAN. Each VRF has its own interface VLAN.
When a crypto map is attached to an interface VLAN and the ip vrf forwarding command has associated that VLAN with a particular VRF, the software creates a point-to-point connection so that all routes pointing to the interface VLAN do not attempt to run the Address Resolution Protocol (ARP). Through normal routing within the VRF, packets to be processed by the IPSec VPN SPA are sent to the interface VLAN. You may configure features on the interface VLAN. The IP address of the interface VLAN must be on the same subnet as the desired destination subnet for packets to be properly routed.
When you enter the ip vrf forwarding command on an inside interface, all packets coming in on that interface are routed correctly within that VRF.
When you enable the crypto engine mode vrf command and enter the crypto engine slot outside command on an interface, a special ACL is installed that forces all incoming Encapsulating Security Payload (ESP)/Authentication Header (AH) IPSec packets addressed to a system IP address to be sent to the IPSec VPN SPA WAN-side port. NAT Traversal (NAT-T) packets are also directed to the IPSec VPN SPA by the special ACL.
Note
All packets destined for a protected outside interface received in this VRF context are placed on the associated interface VLAN. Similarly, all decapsulated ingress packets associated with this VRF are placed on the appropriate interface VLAN so that they may be routed in the proper VRF context.VRF Mode Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring a VPN for the IPSec VPN SPA using VRF mode:
Note
•
•
•
•
–
–
–
•
Features Supported in VRF Mode
Supported features in VRF mode are as follows:
•
–
–
•
–
–
•
•
•
•
•
Note
Release 12.2(18) SXE, in VRF mode, there is no configuration difference between multiple IPSec VPN SPA operation and single IPSec VPN SPA operation. For multiple IPSec VPN SPA operation, the only change is to the output of the show crypto vlan command. The following is an example:
Interface Tu1 on IPSec Service Module port Gi7/1/1 connected to VRF vrf1
Interface VLAN 2 on IPSec Service Module port Gi7/1/1 connected to VRF vrf2•
•
•
Features Not Supported in VRF Mode
Unsupported features in VRF mode are as follows:
•
•
•
•
•
•
•
Note
•
Note
•
Note
•
•
•
•
•
•
Configuring VPNs in VRF Mode without Tunnel Protection
Note
VRF-Aware IPSec feature guide, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087df1.html
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.htmlTo configure a VPN in VRF mode with crypto maps and without tunnel protection, perform this task beginning in global configuration mode:
For complete configuration information for VRF-Aware IPSec, refer to this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm
For a configuration example, see the "VRF Mode Configuration Example 1 (Basic Configuration)" section.
Configuring VPNs in VRF Mode with Tunnel Protection
Note
This section describes how to configure a VPN in VRF mode on the IPSec VPN SPA with tunnel protection (TP). When you configure IPSec, a crypto map is attached to an interface to enable IPSec. With tunnel protection, there is no need for a crypto map or ACL to be attached to the interface. A crypto policy is attached directly to the tunnel interface. Any traffic routed by the interface is encapsulated in GRE and then encrypted using IPSec. The tunnel protection feature can be applied to point-to-point GRE.
VRF Mode Using Tunnel Protection Configuration Guidelines and Restrictions
When configuring tunnel protection on theIPSec VPN SPA follow these guidelines and restrictions:
•
•
•
To configure a VPN in VRF mode using tunnel protection, perform this task beginning in global configuration mode:
For a configuration example, see the "VRF Mode Configuration Example 5 (Tunnel Protection)" section.
Configuring VRF Mode with Chassis-to-Chassis Stateless Failover
VRF mode with chassis-to-chassis stateless failover is supported, but it is configured differently than in non-VRF (crypto-connect) mode. In VRF mode, the HSRP configuration goes on the physical interface, but the crypto map is added to the interface VLAN. In non-VRF mode, both the HSRP configuration and the crypto map are on the same interface.
For a configuration example of VRF mode with stateless failover, see the "VRF Mode Configuration Example 6 (Chassis-to-Chassis Stateless Failover)" section.
Configuring GRE Tunneling
In addition to choosing to configure your VPN using crypto-connect mode or VRF mode, the following additional GRE configuration options are available:
•
•
•
•
Configuring GRE Tunneling in Crypto-Connect Mode
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points over an IP network. When GRE is used in conjunction with IPSec, only tunnel mode can be used. Tunnel mode adds an IPSec header to the GRE packet.
Note
Note
GRE Tunneling Configuration Guidelines
When configuring GRE tunneling using the IPSec VPN SPA, follow these guidelines:
•
•
–
–
•
•
Caution
•
•
•
•
•
•
•
To configure a GRE tunnel, perform this task beginning in global configuration mode:
Verifying the GRE Tunneling Configuration
To verify that the IPSec VPN SPA has seized the GRE tunnel, enter the show crypto vlan command:
Router# show crypto vlanInterface VLAN 101 on IPSec Service Module port 7/1/1 connected to AT4/0/0.101Tunnel101 is accelerated via IPSec SM in subslot 7/1Router#For complete configuration information for GRE tunneling, refer to this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s17/12s_tos.htm
For GRE tunneling configuration examples, see the "GRE Tunneling in Crypto-Connect Mode Configuration Example" section.
Configuring GRE Tunneling in VRF Mode
To configure GRE tunneling in VRF mode, refer to the "Configuring VPNs in VRF Mode with Tunnel Protection" section.
Configuring the GRE Takeover Criteria
You can configure the takeover criteria for Generic Routing Encapsulation (GRE) processing by using the crypto engine gre supervisor or crypto engine gre vpnblade commands. These two commands allow you to specify whether the GRE processing should be done by the supervisor engine hardware or the route processor or the IPSec VPN SPA.
Note
To configure a router to process GRE using the supervisor engine hardware or the route processor (RP), use the crypto engine gre supervisor command. When this command is specified, GRE processing by the supervisor engine hardware takes precedence over processing by the route processor (unless the tunnels are from duplicate sources); the RP only takes over GRE processing if the supervisor engine hardware cannot do the processing. If this command is configured, duplicate source GREs will be processed by the route processor.
To configure a router to process GRE using the IPSec VPN SPA, use the crypto engine gre vpnblade command. If the IPSec VPN SPA cannot take over the GRE processing, the GRE processing will be handled either by supervisor engine hardware (which has precedence) or the route processor.
Both of these commands can be configured globally or at an individual tunnel.
Individual tunnel configuration takes precedence over the global configuration. For example, when the crypto engine gre supervisor command is configured at the global configuration level, the command will apply to all tunnels except those tunnels that have been configured individually using either a crypto engine gre supervisor command or a crypto engine gre vpnblade command.
At any time, only one of the two commands (crypto engine gre supervisor or crypto engine gre vpnblade) can be configured globally or individually at a tunnel. If either command is already configured, configuring the second command will overwrite the first command, and only the configuration applied by the second command will be used.
GRE Takeover Configuration Guidelines and Restrictions
When configuring GRE takeover on the IPSec VPN SPA, follow these guidelines and restrictions:
•
–
–
–
–
–
•
•
•
All other options configured are ignored.
•
•
–
–
–
–
–
–
–
•
•
•
–
–
–
•
Configuring the GRE Takeover Criteria Globally
To configure the GRE takeover criteria globally (so that it affects all tunnels except those tunnels that have been configured individually using either a crypto engine gre supervisor command or a crypto engine gre vpnblade command), perform this task beginning in global configuration mode:
Configuring the GRE Takeover Criteria at an Individual Tunnel
To configure the GRE takeover criteria at an individual tunnel (so that it affects only a specific tunnel), perform this task beginning in global configuration mode:
For GRE takeover criteria configuration examples, see the "GRE Takeover Criteria Configuration Examples" section.
Configuring IP Multicast over a GRE Tunnel
IP multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to multiple recipients. GRE is a tunneling protocol developed by Cisco and commonly used with IPSec that encapsulates a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP network.
In some network scenarios, you might want to configure your network to use GRE tunnels to send Protocol Independent Multicast (PIM) and multicast traffic between routers. Typically, this occurs when the multicast source and receiver are separated by an IP cloud that is not configured for IP multicast routing. In such network scenarios, configuring a tunnel across an IP cloud with PIM-enabled transports multicast packets toward the receiver. The configuration of IP multicast over a GRE tunnel using the IPSec VPN SPA involves three key steps:
•
•
•
IP Multicast over a GRE Tunnel Configuration Guidelines and Restrictions
When configuring IP multicast over a GRE tunnel, follow these guidelines:
•
Module n will be reset? Confirm [n]:
The prompt will default to N (no). You must type Y (yes) to activate the reset action.
•
•
•
–
–
–
–
–
–
–
•
Configuring Single-SPA Mode for IP Multicast Traffic
Before you configure IP multicast on the IPSec VPN SPA, you should change the mode of the Cisco 7600 SSC-400 card to allocate full buffers to the specified subslot using the hw-module slot subslot only command. If this command is not used, the total amount of buffers available is divided between the two subslots on the Cisco 7600 SSC-400 card.
To allocate full buffers to the specified subslot, use the hw-module slot subslot only command as follows:
Router(config)# hw-module slot slot subslot subslot onlyslot specifies the slot where the Cisco 7600 SSC-400 card is located.
subslot specifies the subslot where the IPSec VPN SPA is located.
Configuring IP Multicast Globally
You must enable IP multicast routing globally before you can enable PIM on the router interfaces.
To enable IP multicast routing globally, use the ip multicast-routing command.
Configuring PIM at the Tunnel Interfaces
You must enable PIM on all participating router interfaces before IP multicast will function.
To enable PIM, use the ip pim command as follows:
Router(config-if)# ip pim {dense-mode | sparse-mode | sparse-dense-mode}dense-mode enables dense mode of operation.
sparse-mode enables sparse mode of operation.
sparse-dense-mode enables the interface in either sparse mode or dense mode of operation, depending on which mode the multicast group operates in.
For IP multicast over GRE tunnels configuration examples, see the "IP Multicast over a GRE Tunnel Configuration Example" section.
Verifying the IP Multicast over a GRE Tunnel Configuration
To verify the IP multicast over a GRE tunnel configuration, enter the show crypto vlan and show ip mroute commands.
To verify that the tunnel has been taken over by the IPSec VPN SPA, enter the show crypto vlan command:
Router(config)# show crypto vlanInterface VLAN 100 on IPSec Service Module port Gi7/0/1 connected to Po1 with crypto map set map_t3 Tunnel15 is accelerated via IPSec SM in subslot 7/0To verify that the IP multicast traffic is hardware-switched, enter the show ip mroute command and look for the H flag:
Router# show ip mroute 230.1.1.5IP Multicast Routing Table Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT, M - MSDP created entry, X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement, U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel Y - Joined MDT-data group, y - Sending to MDT-data group Outgoing interface flags: H - Hardware switched, A - Assert winner Timers: Uptime/Expires Interface state: Interface, Next-Hop or VCD, State/Mode(*, 230.1.1.5), 01:23:45/00:03:16, RP 15.15.1.1, flags: SJC Incoming interface: Null, RPF nbr 0.0.0.0 Outgoing interface list: Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16(120.1.0.3, 230.1.1.5), 01:23:46/00:03:25, flags: T
Incoming interface: GigabitEthernet8/1, RPF nbr 0.0.0.0, RPF-MFD
Outgoing interface list:
Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16, HFor IP multicast over GRE tunnels configuration examples, see the "IP Multicast over a GRE Tunnel Configuration Example" section.
Configuring an IPSec Virtual Tunnel Interface
The IPSec Virtual Tunnel Interface (VTI) provides a routable interface type for terminating IPSec tunnels that greatly simplifies the configuration process when you need to provide protection for remote access, and provides a simpler alternative to using GRE tunnels and crypto maps with IPSec. In addition, the IPSec VTI simplifies network management and load balancing.
Note
Note the following details about IPSec VTI routing and traffic encryption:
•
•
•
IPSec Virtual Tunnel Interface Configuration Guidelines and Restrictions
When configuring IPSec VTI, follow these guidelines and restrictions:
•
•
•
•
•
•
•
•
Configuring an IPSec Static Tunnel
To configure a static IPSec virtual tunnel interface, perform this task beginning in global configuration mode:
Verifying the IPSec Virtual Tunnel Interface Configuration
To confirm that your IPSec virtual tunnel interface configuration is working properly, enter the show interfaces tunnel, show crypto session, and show ip route commands.
The show interfaces tunnel command displays tunnel interface information, the show crypto session command displays status information for active crypto sessions, and the show ip route command displays the current state of the routing table.
Notice that in this display the Tunnel 0 is up and the line protocol is up. If the line protocol is down, the session is not active.
Router1# show interfaces tunnel 0Tunnel0 is up, line protocol is upHardware is TunnelInternet address is 10.0.51.203/24MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,reliability 255/255, txload 103/255, rxload 110/255Encapsulation TUNNEL, loopback not setKeepalive not setTunnel source 10.0.149.203, destination 10.0.149.217Tunnel protocol/transport IPSEC/IP, key disabled, sequencing disabledTunnel TTL 255Checksumming of packets disabled, fast tunneling enabledTunnel transmit bandwidth 8000 (kbps)Tunnel receive bandwidth 8000 (kbps)Tunnel protection via IPSec (profile "P1")Last input never, output never, output hang neverLast clearing of "show interface" counters neverInput queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0Queueing strategy: fifoOutput queue: 0/0 (size/max)30 second input rate 13000 bits/sec, 34 packets/sec30 second output rate 36000 bits/sec, 34 packets/sec191320 packets input, 30129126 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants, 0 throttles0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort59968 packets output, 15369696 bytes, 0 underruns0 output errors, 0 collisions, 0 interface resets0 output buffer failures, 0 output buffers swapped outRouter1# show crypto sessionCrypto session current statusInterface: Tunnel0Session status: UP-ACTIVEPeer: 10.0.149.217 port 500IKE SA: local 10.0.149.203/500 remote 10.0.149.217/500 ActiveIPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0Active SAs: 4, origin: crypto mapRouter1# show ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is not set10.0.0.0/8 is variably subnetted, 4 subnets, 2 masksC 10.0.35.0/24 is directly connected, Ethernet3/3S 10.0.36.0/24 is directly connected, Tunnel0C 10.0.51.0/24 is directly connected, Tunnel0C 10.0.149.0/24 is directly connected, Ethernet3/0For more complete information about IPSec Virtual Tunnel Interface, refer to the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041faef.html
For IPSec Virtual Tunnel Interface configuration examples, see the "IPSec Virtual Tunnel Interfaces Configuration Examples" section.
Configuring VPNs in Crypto Connect Alternative Mode
Crypto connect alternative (CCA) mode allows you to configure IPSec VTI without having to configure VRFs. Although CCA requires that VRF mode be configured globally using the crypto engine mode vrf command, tunnels are terminated in the global context rather than in VRFs. CCA is introduced in Cisco IOS Release 12.2(33)SRA.
The configuration steps for CCA are similar to the steps for IPSec VTI shown in the "Configuring an IPSec Static Tunnel" section with the exception that the ip vrf forwarding vrf-name command and the tunnel vrf vrf-name command are not required.
For an example of IPSec Virtual Tunnel Interface configuration using CCA, see the "IPSec Virtual Tunnel Interfaces Configuration Examples" section.
Configuration Examples
This section provides examples of the following configurations:
•
•
•
•
•
•
•
•
•
Access Port in Crypto-Connect Mode Configuration Example
This section provides an example of the access port configuration with router 1 shown in Figure 29-2:
Router 1 (Access Port)
!hostname router-1!vlan 2,502!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key 12345 address 11.0.0.1!!crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac!crypto map testtag 10 ipsec-isakmpset peer 11.0.0.1set transform-set proposal1match address 101!!interface GigabitEthernet1/1!switch inside portip address 13.0.0.1 255.255.255.0!interface GigabitEthernet1/2!switch outside portswitchportswitchport access vlan 502switchport mode access!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,502,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunkinterface Vlan2!interface vlanip address 11.0.0.2 255.255.255.0crypto map testtagcrypto engine slot 4/0!interface Vlan502!port vlanno ip addresscrypto connect vlan 2!ip classlessip route 12.0.0.0 255.0.0.0 11.0.0.1!access-list 101 permit ip host 13.0.0.2 host 12.0.0.2!endRouter 2 (Access Port)
!hostname router-2!vlan 2,502!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key 12345 address 11.0.0.2!!crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac!crypto map testtag 10 ipsec-isakmpset peer 11.0.0.2set transform-set proposal1match address 101!!interface GigabitEthernet1/1!switch inside portip address 12.0.0.1 255.255.255.0!interface GigabitEthernet1/2!switch outside portswitchportswitchport access vlan 502switchport mode access!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,502,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2!interface vlanip address 11.0.0.1 255.255.255.0crypto map testtagcrypto engine slot 4/0!interface Vlan502!port vlanno ip addresscrypto connect vlan 2!ip classlessip route 13.0.0.0 255.0.0.0 11.0.0.2!access-list 101 permit ip host 12.0.0.2 host 13.0.0.2!endRouted Port in Crypto-Connect Mode Configuration Example
This section provides an example of the routed port configuration with router 1 shown in Figure 29-3:
Router 1 (Routed Port)
!hostname router-1!vlan 2!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key 12345 address 11.0.0.2!!crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac!crypto map testtag 10 ipsec-isakmpset peer 11.0.0.2set transform-set proposal1match address 101!!interface GigabitEthernet1/1!switch inside portip address 12.0.0.1 255.255.255.0!interface GigabitEthernet1/2!switch outside portno ip addresscrypto connect vlan 2!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2!interface vlanip address 11.0.0.1 255.255.255.0no mop enabledcrypto map testtagcrypto engine slot 4/0!ip classlessip route 13.0.0.0 255.0.0.0 11.0.0.2!access-list 101 permit ip host 12.0.0.2 host 13.0.0.2!endRouter 2 (Routed Port)
!hostname router-2!vlan 2!!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key 12345 address 11.0.0.1!!crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac!crypto map testtag 10 ipsec-isakmpset peer 11.0.0.1set transform-set proposal1match address 101!!interface GigabitEthernet1/1!switch inside portip address 13.0.0.1 255.255.255.0!interface GigabitEthernet1/2!switch outside portno ip addresscrypto connect vlan 2!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2!interface vlanip address 11.0.0.2 255.255.255.0no mop enabledcrypto map testtagcrypto engine slot 4/0!ip classlessip route 12.0.0.0 255.0.0.0 11.0.0.1!access-list 101 permit ip host 13.0.0.2 host 12.0.0.2!endTrunk Port in Crypto-Connect Mode Configuration Example
This section provides an example of the trunk port configuration with router 1 shown in Figure 29-4:
Router 1 (Trunk Port)
!hostname router-1!vlan 2,502!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key 12345 address 11.0.0.2!!crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac!crypto map testtag 10 ipsec-isakmpset peer 11.0.0.2set transform-set proposal1match address 101!!interface GigabitEthernet1/1!switch inside portip address 12.0.0.1 255.255.255.0!interface GigabitEthernet1/2!switch outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 502switchport mode trunk!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,502,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2!interface vlanip address 11.0.0.1 255.255.255.0crypto map testtagcrypto engine slot 4/0!interface Vlan 502!port vlanno ip addresscrypto connect vlan 2!ip classlessip route 13.0.0.0 255.0.0.0 11.0.0.2!access-list 101 permit ip host 12.0.0.2 host 13.0.0.2!endRouter 2 (Trunk Port)
!hostname router-2!vlan 2,502!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key 12345 address 11.0.0.1!!crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac!crypto map testtag 10 ipsec-isakmpset peer 11.0.0.1set transform-set proposal1match address 101!!interface GigabitEthernet1/1!switch inside portip address 13.0.0.1 255.255.255.0!interface GigabitEthernet1/2!switch outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 502switchport mode trunk!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,502,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunkinterface Vlan2!interface vlanip address 11.0.0.2 255.255.255.0crypto map testtagcrypto engine slot 4/0!interface Vlan502!port vlanno ip addresscrypto connect vlan 2!ip classlessip route 12.0.0.0 255.0.0.0 11.0.0.1!access-list 101 permit ip host 13.0.0.2 host 12.0.0.2!endIPSec VPN SPA Connections to WAN Interfaces Configuration Examples
The following are configuration examples of IPSec VPN SPA connections to WAN interfaces:
•
•
•
IPSec VPN SPA Connection to an ATM Port Adapter Configuration Example
The following example shows the configuration of an IPSec VPN SPA connection to an ATM port adapter:
!hostname router-1!crypto isakmp policy 1encr 3deshash md5authentication pre-sharecrypto isakmp key 12345 address 0.0.0.0 0.0.0.0!!crypto ipsec transform-set proposal esp-3des esp-sha-hmac!crypto map testtag_1 10 ipsec-isakmpset peer 11.0.0.2set transform-set proposalmatch address acl_1!interface GigabitEthernet1/1ip address 12.0.0.2 255.255.255.0!interface ATM2/0/0no ip addressatm clock INTERNALno atm enable-ilmi-trapno atm ilmi-keepalive!interface ATM2/0/0.1 point-to-pointatm pvc 20 0 20 aal5snapno atm enable-ilmi-trapcrypto connect vlan 2!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2ip address 11.0.0.1 255.255.255.0crypto map testtag_1crypto engine slot 4/0!ip classlessip route 13.0.0.1 255.255.255.255 11.0.0.2!ip access-list extended acl_1permit ip host 12.0.0.1 host 13.0.0.1!IPSec VPN SPA Connection to a POS Port Adapter Configuration Example
The following example shows the configuration of an IPSec VPN SPA connection to a POS port adapter:
!hostname router-1!crypto isakmp policy 1encr 3deshash md5authentication pre-sharecrypto isakmp key 12345 address 0.0.0.0 0.0.0.0!!crypto ipsec transform-set proposal esp-3des esp-sha-hmac!crypto map testtag_1 10 ipsec-isakmpset peer 11.0.0.2set transform-set proposalmatch address acl_1!interface GigabitEthernet1/1!switch inside portip address 12.0.0.2 255.255.255.0!interface POS2/0/0no ip addressencapsulation frame-relayclock source internal!interface POS2/0/0.1 point-to-pointframe-relay interface-dlci 16crypto connect vlan 2!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2ip address 11.0.0.1 255.255.255.0crypto map testtag_1crypto engine slot 4/0!ip classlessip route 13.0.0.1 255.255.255.255 11.0.0.2!ip access-list extended acl_1permit ip host 12.0.0.1 host 13.0.0.1IPSec VPN SPA Connection to a Serial Port Adapter Configuration Example
The following example shows the configuration of an IPSec VPN SPA connection to a serial port adapter:
!hostname router-1!controller T3 2/1/0t1 1 channel-group 0 timeslots 1t1 2 channel-group 0 timeslots 1t1 3 channel-group 0 timeslots 1t1 4 channel-group 0 timeslots 1t1 5 channel-group 0 timeslots 1t1 6 channel-group 0 timeslots 1t1 7 channel-group 0 timeslots 1t1 8 channel-group 0 timeslots 1t1 9 channel-group 0 timeslots 1t1 10 channel-group 0 timeslots 1t1 11 channel-group 0 timeslots 1t1 12 channel-group 0 timeslots 1t1 13 channel-group 0 timeslots 1t1 14 channel-group 0 timeslots 1t1 15 channel-group 0 timeslots 1t1 16 channel-group 0 timeslots 1t1 17 channel-group 0 timeslots 1t1 18 channel-group 0 timeslots 1t1 19 channel-group 0 timeslots 1t1 20 channel-group 0 timeslots 1t1 21 channel-group 0 timeslots 1t1 22 channel-group 0 timeslots 1t1 23 channel-group 0 timeslots 1t1 24 channel-group 0 timeslots 1t1 25 channel-group 0 timeslots 1t1 26 channel-group 0 timeslots 1t1 27 channel-group 0 timeslots 1t1 28 channel-group 0 timeslots 1!crypto isakmp policy 1encr 3deshash md5authentication pre-sharecrypto isakmp key 12345 address 0.0.0.0 0.0.0.0!!crypto ipsec transform-set proposal esp-3des esp-sha-hmac!crypto map testtag_1 10 ipsec-isakmpset peer 11.0.0.2set transform-set proposalmatch address acl_1!interface GigabitEthernet1/1!switch inside portip address 12.0.0.2 255.255.255.0!interface Serial2/1/0/1:0ip unnumbered Null0encapsulation pppno fair-queueno cdp enablecrypto connect vlan 2!!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2ip address 11.0.0.1 255.255.255.0crypto map testtag_1crypto engine slot 4/0!ip classlessip route 13.0.0.1 255.255.255.255 11.0.0.2!ip access-list extended acl_1permit ip host 12.0.0.1 host 13.0.0.1GRE Tunneling in Crypto-Connect Mode Configuration Example
This section provides an example of GRE tunneling configurations:
Router 1 (GRE Tunneling)
The following example shows the configuration of GRE tunneling for router 1:
!hostname router-1!vlan 2,502!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key 12345 address 11.0.0.2!!crypto ipsec transform-set proposal1 ah-md5-hmac!crypto map testtag 10 ipsec-isakmpset peer 11.0.0.2set transform-set proposal1match address 101!!!!interface Tunnel1ip address 1.0.0.1 255.255.255.0tunnel source Vlan2tunnel destination 11.0.0.2!interface GigabitEthernet1/1!switch inside portip address 12.0.0.1 255.255.255.0!interface GigabitEthernet1/2!switch outside portswitchportswitchport access vlan 502switchport mode access!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,502,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2ip address 11.0.0.1 255.255.255.0no mop enabledcrypto map testtagcrypto engine slot 4/0!interface Vlan502no ip addresscrypto connect vlan 2!!ip classlessip route 13.0.0.0 255.0.0.0 Tunnel1!!access-list 101 permit gre host 11.0.0.1 host 11.0.0.2!Router 2 (GRE Tunneling)
!hostname router-2!vlan 2,502!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key 12345 address 11.0.0.1!!crypto ipsec transform-set proposal1 ah-md5-hmac!crypto map testtag 10 ipsec-isakmpset peer 11.0.0.1set transform-set proposal1match address 101!!!!interface Tunnel1ip address 1.0.0.2 255.255.255.0tunnel source Vlan2tunnel destination 11.0.0.1!interface GigabitEthernet1/1!switch inside portip address 13.0.0.1 255.255.255.0!interface GigabitEthernet1/2!switch outside portswitchportswitchport access vlan 502switchport mode access!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,502,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2ip address 11.0.0.2 255.255.255.0no mop enabledcrypto map testtagcrypto engine slot 4/0!interface Vlan502no ip addresscrypto connect vlan 2!ip classlessip route 12.0.0.0 255.0.0.0 Tunnel1!access-list 101 permit gre host 11.0.0.2 host 11.0.0.1!GRE Takeover Criteria Configuration Examples
The following examples show how to configure the GRE takeover criteria:
•
•
•
GRE Takeover Criteria Global Configuration Example
The following example shows that the GRE takeover criteria has been set globally and the supervisor engine hardware or RP always does the GRE processing:
Router(config)# crypto engine gre supervisorGRE Takeover Criteria Tunnel Configuration Example
The following example shows that the GRE takeover criteria has been set individually for tunnel interface 3 and the IPSec VPN SPA always does the GRE processing for this tunnel:
Router(config)# interface tunnel 3Router(config-if)# crypto engine gre vpnbladeGRE Takeover Verification Example
The following example shows how to verify that the tunnel has been taken over by the IPSec VPN SPA:
Router(config)# show crypto vlan 100Interface VLAN 100 on IPSec Service Module port GigabitEthernet4/0/1 connected to POS8/0/0 with crypto map set MAP_TO_R2Tunnel1 is accelerated via IPSec SM in subslot 4/0The following example shows that the tunnel has not been taken over by the IPSec VPN SPA:
Router(config)# show crypto vlan 100Interface VLAN 100 on IPSec Service Module port GigabitEthernet4/0/1 connected to POS8/0/0 with crypto map set MAP_TO_R2IP Multicast over a GRE Tunnel Configuration Example
The following example shows how to configure IP multicast over GRE:
hostname router-1!vlan 2-1001!!crypto isakmp policy 1encr 3deshash md5authentication pre-sharecrypto isakmp key 12345 address 0.0.0.0 0.0.0.0!!crypto ipsec transform-set proposal esp-3des!crypto ipsec profile vpnprofset transform-set proposal!!crypto map cm_spoke1_1 10 ipsec-isakmpset peer 11.1.1.1set transform-set proposalmatch address spoke1_acl_1!!interface Tunnel1ip address 20.1.1.1 255.255.255.0ip mtu 9216ip pim sparse-modeip hold-time eigrp 1 3600tunnel source 1.0.1.1tunnel destination 11.1.1.1crypto engine slot 4/0!interface GigabitEthernet1/1!switch inside portmtu 9216ip address 50.1.1.1 255.0.0.0ip pim sparse-mode!interface GigabitEthernet1/2!switch outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,252,1002-1005switchport mode trunkmtu 9216!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,252,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2mtu 9216ip address 1.0.1.1 255.255.255.0crypto map cm_spoke1_1crypto engine slot 4/0!interface Vlan252mtu 9216no ip addresscrypto connect vlan 2!router eigrp 1network 20.1.1.0 0.0.0.255network 50.1.1.0 0.0.0.255no auto-summaryno eigrp log-neighbor-changes!ip classlessip route 11.1.1.0 255.255.255.0 1.0.1.2!ip pim bidir-enableip pim rp-address 50.1.1.1!ip access-list extended spoke1_acl_1permit gre host 1.0.1.1 host 11.1.1.1!VRF Mode Configuration Examples
The following sections provide examples of VRF mode configurations:
•
•
•
•
•
•
Note
VRF Mode Configuration Example 1 (Basic Configuration)
The following example shows a basic IPSec VPN SPA configuration using VRF mode:
Router 1 Configuration
hostname router-1!ip vrf ivrfrd 1000:1route-target export 1000:1route-target import 1000:1!crypto engine mode vrf!vlan 2,3!crypto keyring key0pre-shared-key address 11.0.0.2 key 12345!crypto isakmp policy 1encr 3deshash md5authentication pre-share!crypto isakmp profile prof1vrf ivrfkeyring key0match identity address 11.0.0.2 255.255.255.255!!crypto ipsec transform-set proposal1 esp-3des esp-sha-hmac!crypto map testtag local-address Vlan3crypto map testtag 10 ipsec-isakmpset peer 11.0.0.2set transform-set proposal1set isakmp-profile prof1match address 101!interface GigabitEthernet1/1!switch inside portip vrf forwarding ivrfip address 12.0.0.1 255.255.255.0!!interface GigabitEthernet1/2!switch outside portswitchportswitchport access vlan 3switchport mode access!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2ip vrf forwarding ivrfip address 13.0.0.252 255.255.255.0crypto map testtagcrypto engine slot 4/0 inside!interface Vlan3ip address 11.0.0.1 255.255.255.0crypto engine slot 4/0 outside!access-list 101 permit ip host 12.0.0.2 host 13.0.0.2Router 2 Configuration
hostname router-2!ip vrf ivrfrd 1000:1route-target export 1000:1route-target import 1000:1!crypto engine mode vrf!vlan 2,3!crypto keyring key0pre-shared-key address 11.0.0.1 key 12345!crypto isakmp policy 1encr 3deshash md5authentication pre-share!crypto isakmp profile prof1vrf ivrfkeyring key0match identity address 11.0.0.1 255.255.255.255!!crypto ipsec transform-set proposal1 esp-3des esp-sha-hmac!crypto map testtag local-address Vlan3crypto map testtag 10 ipsec-isakmpset peer 11.0.0.1set transform-set proposal1set isakmp-profile prof1match address 101!interface GigabitEthernet1/1!switch inside portip vrf forwarding ivrfip address 13.0.0.1 255.255.255.0!interface GigabitEthernet1/2!switch!switch outside portswitchportswitchport access vlan 3switchport mode access!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan2ip vrf forwarding ivrfip address 12.0.0.252 255.255.255.0crypto map testtagcrypto engine slot 4/0 inside!interface Vlan3ip address 11.0.0.2 255.255.255.0crypto engine slot 4/0 outside!access-list 101 permit ip host 13.0.0.2 host 12.0.0.2VRF Mode Configuration Example 2 (Remote Access Using Easy VPN)
The following examples show VRF mode configurations for remote access using Easy VPN, first using RADIUS authentication, then using local authentication:
Using RADIUS Authentication
aaa group server radius acs-vrf1server-private 192.1.1.251 auth-port 1812 acct-port 1813 key allegroip vrf forwarding vrf1!aaa authentication login test_list group acs-vrf1aaa authorization network test_list group acs-vrf1aaa accounting network test_list start-stop group acs-vrf1!ip vrf ivrfrd 1:1route-target export 1:1route-target import 1:1!!crypto isakmp policy 5encr 3desauthentication pre-sharegroup 2crypto isakmp client configuration group testkey worldpool pool1!crypto isakmp profile test_provrf ivrfmatch identity group testclient authentication list test_listisakmp authorization list test_listclient configuration address respondaccounting test_listcrypto ipsec transform-set t3 esp-3des esp-sha-hmac!crypto dynamic-map remote 1set transform-set t3set isakmp-profile test_proreverse-route!!crypto map map-ra local-address GigabitEthernet2/1crypto map map-ra 10 ipsec-isakmp dynamic remote!interface GigabitEthernet2/1mtu 9216ip address 120.0.0.254 255.255.255.0ip flow ingresslogging event link-statusmls qos trust ip-precedencecrypto engine slot 1/0 outside!interface GigabitEthernet1/0/1switchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,100,1002-1005switchport mode trunkmtu 9216mls qos trust ip-precedenceflowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet1/0/2switchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216mls qos trust ip-precedenceflowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan100ip vrf forwarding vrf1ip address 120.0.0.100 255.255.255.0no mop enabledcrypto map map-racrypto engine slot 1/0 insideip local pool pool1 100.0.1.1 100.0.5.250Using Local Authentication
username t1 password 0 ciscoaaa new-model!aaa authentication login test_list localaaa authorization network test_list local!aaa session-id common!ip vrf ivrfrd 1:2route-target export 1:2route-target import 1:2!crypto isakmp policy 5encr 3desauthentication pre-sharegroup 2!crypto isakmp client configuration group testkey worldpool pool1crypto isakmp profile test_provrf ivrfmatch identity group testclient authentication list test_listisakmp authorization list test_listclient configuration address respondaccounting test_listcrypto ipsec transform-set t3 esp-3des esp-sha-hmac!crypto dynamic-map remote 10set transform-set t3set isakmp-profile test_proreverse-route!!crypto map map-ra local-address GigabitEthernet2/1crypto map map-ra 11 ipsec-isakmp dynamic remote!!!interface GigabitEthernet2/1mtu 9216ip address 120.0.0.254 255.255.255.0ip flow ingresslogging event link-statusmls qos trust ip-precedencecrypto engine slot 1/0 outside!!interface GigabitEthernet1/0/1switchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,100,1002-1005switchport mode trunkmtu 9216mls qos trust ip-precedenceflowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet1/0/2switchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216mls qos trust ip-precedenceflowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan100ip vrf forwarding ivrfip address 120.0.0.100 255.255.255.0ip flow ingresscrypto map map-racrypto engine slot 1/0 inside!!ip local pool pool1 100.0.1.1 100.0.5.250VRF Mode Configuration Example 3 (PE)
The following example shows a VRF mode configuration for a PE:
!version 12.2service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryptionservice counters max age 10!hostname router-Alice!logging snmp-authfailenable password cisco!no aaa new-modelclock timezone pst -7ip subnet-zero!!no ip domain-lookup!ip vrf bluerd 300:10route-target export 300:10route-target import 300:10!ip vrf redrd 100:10route-target export 200:10route-target import 200:10!ip multicast-routingip multicast-routing vrf redmpls label protocol ldpmls ip multicast flow-stat-timer 9no mls flow ipno mls flow ipv6mls cef error action freeze!!!!!!!!crypto keyring testpre-shared-key address 10.1.1.2 key cisco!crypto isakmp policy 10encr 3desauthentication pre-sharecrypto isakmp key cisco address 192.168.32.2crypto isakmp key cisco address 11.1.1.2crypto isakmp key cisco address 192.168.31.2crypto isakmp keepalive 10!!crypto ipsec transform-set test esp-3des esp-md5-hmaccrypto ipsec transform-set repro esp-3des esp-sha-hmac!crypto ipsec profile redset transform-set test!crypto ipsec profile testset transform-set test!!crypto map repro 10 ipsec-isakmpset peer 192.168.32.2set transform-set repromatch address repro!crypto engine mode vrf!power redundancy-mode combinedspanning-tree mode pvstno spanning-tree optimize bpdu transmissiondiagnostic cns publish cisco.cns.device.diag_resultsdiagnostic cns subscribe cisco.cns.device.diag_commands!redundancymode ssomain-cpuauto-sync running-configauto-sync standard!vlan internal allocation policy ascendingvlan access-log ratelimit 2000!!interface Loopback0ip address 192.168.1.1 255.255.255.255!interface GigabitEthernet2/ip address 192.168.31.155.255.255.0crypto engine slot 4/0interface GigabitEthernet2/2no ip addressshutdown!...!interface GigabitEthernet2/16no ip addressshutdown!interface GigabitEthernet3/1no ip addressshutdown!interface GigabitEthernet3/2no ip addressshutdown!interface GigabitEthernet3/3no ip addressshutdown!interface GigabitEthernet3/4no ip addressshutdown!interface POS3/1ip address 192.168.32.1 255.255.255.0mls qos trust dscpclock source internalcrypto engine slot 4/0!interface POS3/2no ip addressshutdownmls qos trust dscp!interface POS3/3no ip addressshutdownmls qos trust dscp!interface POS3/4no ip addressshutdownmls qos trust dscp!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portno ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portno ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkspanning-tree portfast trunk!interface GigabitEthernet5/1no ip addressshutdown!interface GigabitEthernet5/2no ip addressshutdown!interface GigabitEthernet7/1ip address 17.8.15.1 255.255.0.0!interface GigabitEthernet7/2no ip addressshutdown!interface GigabitEthernet7/3no ip addressshutdown...!interface GigabitEthernet7/9no ip addressshutdown!interface GigabitEthernet7/10ip address 10.1.1.1 255.255.255.0crypto engine slot 4/0!interface GigabitEthernet7/11ip address 11.1.1.1 255.255.255.0crypto engine slot 4/0!interface GigabitEthernet7/12no ip addressshutdown...!interface GigabitEthernet7/19no ip addressshutdown!interface GigabitEthernet7/20ip address 192.168.30.1 255.255.255.0mpls label protocol ldptag-switching ip!interface GigabitEthernet7/21no ip addressshutdown...!interface GigabitEthernet7/41ip vrf forwarding redip address 192.168.41.1 255.255.255.0ip pim sparse-dense-mode!interface GigabitEthernet7/42no ip address...!interface GigabitEthernet7/48no ip addressshutdown!interface Vlan1no ip addressshutdown!interface Vlan32no ip addressno mop enabledcrypto map repro!interface Vlan100no ip addressno mop enabled!interface Vlan110no ip addressno mop enabled!router ospf 1log-adjacency-changespassive-interface GigabitEthernet7/10network 10.0.0.0 0.255.255.255 area 0network 192.168.1.0 0.0.0.255 area 0network 192.168.30.0 0.0.0.255 area 0!router ospf 10 vrf redlog-adjacency-changesredistribute bgp 1 subnetsredistribute rip subnetsnetwork 10.2.1.0 0.0.0.255 area 0!router ripversion 2!address-family ipv4 vrf redredistribute ospf 10 metric 10redistribute bgp 1 metric 10network 31.0.0.0network 32.0.0.0network 192.168.41.0no auto-summaryexit-address-family!router bgp 1no synchronizationbgp log-neighbor-changesneighbor 192.168.3.1 remote-as 1neighbor 192.168.3.1 update-source Loopback0no auto-summary!address-family vpnv4neighbor 192.168.3.1 activateneighbor 192.168.3.1 send-community extendedexit-address-family!address-family ipv4 vrf redredistribute ospf 10redistribute ripno auto-summaryno synchronizationexit-address-family!address-family ipv4 vrf blueneighbor 11.2.1.2 remote-as 65001neighbor 11.2.1.2 activateno auto-summaryno synchronizationnetwork 11.2.1.0 mask 255.255.255.0exit-address-family!ip classlessip route 0.0.0.0 0.0.0.0 17.8.0.1ip route 192.168.9.0 255.255.255.0 Tunnel32ip route 192.168.43.0 255.255.255.0 Tunnel32no ip http server!!!ip access-list extended repropermit gre host 192.168.32.1 host 192.168.32.2ip access-list extended to2651ip access-list extended to3745ip access-list extended to7609!access-list 199 permit ip host 10.1.1.2 host 192.168.6.1!!!control-plane!!!dial-peer cor custom!!!!line con 0exec-timeout 0 0line vty 0 4login!!endVRF Mode Configuration Example 4 (CE)
The following example shows a VRF mode configuration for a CE:
!version 12.2service timestamps debug uptimeservice timestamps log uptimeno service password-encryptionservice counters max age 10!hostname router-Bobby!enable password cisco!no aaa new-modelclock timezone pst -7ip subnet-zero!!!ip multicast-routing!!!crypto isakmp policy 10encr 3desauthentication pre-sharecrypto isakmp key cisco address 192.168.32.1crypto isakmp key cisco address 192.168.31.1!!crypto ipsec transform-set repro esp-3des esp-md5-hmaccrypto ipsec transform-set test esp-3des esp-md5-hmac!crypto ipsec profile testset transform-set test!!crypto map repro 10 ipsec-isakmpset peer 192.168.32.1set transform-set repromatch address repro!crypto map test 10 ipsec-isakmpset peer 192.168.31.1set transform-set testmatch address tope!spanning-tree mode pvstspanning-tree extend system-iddiagnostic cns publish cisco.cns.device.diag_resultsdiagnostic cns subscribe cisco.cns.device.diag_commands!redundancymode ssomain-cpuauto-sync running-config!vlan internal allocation policy ascending!!interface Loopback0ip address 192.168.9.1 255.255.255.0!!interface GigabitEthernet1/1!switch inside portno ip addressshutdown!interface GigabitEthernet1/2!switch outside portno ip addressshutdown!interface GigabitEthernet2/1no ip addresscrypto connect vlan 31!interface GigabitEthernet2/2no ip addressshutdown...!interface GigabitEthernet2/16no ip addressshutdown!interface GigabitEthernet3/1no ip addressshutdownflowcontrol receive onflowcontrol send off!interface GigabitEthernet3/2no ip addressshutdownflowcontrol receive onflowcontrol send off!interface GigabitEthernet3/3no ip addressshutdown!interface GigabitEthernet3/4no ip addressshutdown!interface POS3/1no ip addressmls qos trust dscpcrypto connect vlan 32!interface POS3/2no ip addressshutdownmls qos trust dscp!interface POS3/3no ip addressshutdownmls qos trust dscp!interface POS3/4no ip addressshutdownmls qos trust dscp!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portno ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,31,32,1002-1005switchport mode trunkspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portno ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkspanning-tree portfast trunk!interface GigabitEthernet7/1ip address 17.8.15.9 255.255.0.0!interface GigabitEthernet7/2no ip addressshutdown...!interface GigabitEthernet7/42no ip addressshutdown!interface GigabitEthernet7/43ip address 192.168.43.1 255.255.255.0ip pim sparse-dense-mode!interface GigabitEthernet7/44no ip addressshutdown!interface GigabitEthernet7/45no ip addressshutdown!interface GigabitEthernet7/46no ip addressshutdown!interface GigabitEthernet7/47no ip addressshutdown!interface GigabitEthernet7/48no ip addressshutdown!interface Vlan1no ip addressshutdown!interface Vlan31ip address 192.168.31.2 255.255.255.0no mop enabledcrypto map testcrypto engine slot 4/0!interface Vlan32ip address 192.168.32.2 255.255.255.0no mop enabledcrypto map reprocrypto engine slot 4/0!router ripversion 2network 31.0.0.0network 32.0.0.0network 192.168.9.0network 192.168.43.0distribute-list 1 outno auto-summary!ip classlessip route 192.168.6.0 255.255.255.0 Tunnel32no ip http server!!!ip access-list extended repropermit gre host 192.168.32.2 host 192.168.32.1ip access-list extended topepermit gre host 192.168.31.2 host 192.168.31.1!access-list 1 permit 192.168.9.0 0.0.0.255access-list 1 permit 192.168.43.0 0.0.0.255!!!dial-peer cor custom!!!!line con 0exec-timeout 0 0line vty 0 4no logintransport input lat pad mop telnet rlogin udptn nasi!!endVRF Mode Configuration Example 5 (Tunnel Protection)
The following example shows a VRF mode configuration with tunnel protection:
ip vrf cokerd 1000:1route-target export 1000:1route-target import 1000:1!crypto keyring key1pre-shared-key address 100.1.1.1 key happy-eddie!crypto isakmp policy 1authentication pre-sharecrypto isakmp profile prof1keyring key1match identity address 100.1.1.1 255.255.255.255!crypto ipsec transform-set TR esp-des esp-md5-hmac!crypto ipsec profile tpset transform-set TRset isakmp-profile prof1!!crypto engine mode vrf!interface Tunnel1ip vrf forwarding cokeip address 10.1.1.254 255.255.255.0tunnel source 172.1.1.1tunnel destination 100.1.1.1tunnel protection ipsec profile tpcrypto engine slot 4/0 inside!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkcdp enablespanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portno ip addressflowcontrol receive onflowcontrol send offswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkcdp enablespanning-tree portfast trunk!interface GigabitEthernet6/1ip address 172.1.1.1 255.255.255.0crypto engine slot 4/0 outside!interface FastEthernet7/13ip vrf forwarding cokeip address 13.1.1.2 255.255.255.0!ip route 100.1.1.1 255.255.255.255 Tunnel1VRF Mode Configuration Example 6 (Chassis-to-Chassis Stateless Failover)
The following example shows a VRF mode configuration with HSRP chassis-to-chassis stateless failover with crypto maps:
!hostname router-1!ip vrf ivrfrd 1000:1route-target export 1000:1route-target import 1000:1!crypto engine mode vrf!vlan 2,3!crypto keyring key1pre-shared-key address 14.0.1.1 key 12345!crypto isakmp policy 1encr 3deshash md5authentication pre-sharecrypto isakmp keepalive 10crypto isakmp profile ivrfvrf ivrfkeyring key1match identity address 14.0.1.1 255.255.255.255!crypto ipsec transform-set ts esp-3des esp-sha-hmac!crypto map map_vrf_1 local-address Vlan3crypto map map_vrf_1 10 ipsec-isakmpset peer 14.0.1.1set transform-set tsset isakmp-profile ivrfmatch address acl_1!interface GigabitEthernet1/1!switch inside portip address 13.254.254.1 255.255.255.0!interface GigabitEthernet1/1.1encapsulation dot1Q 2000ip vrf forwarding ivrfip address 13.254.254.1 255.0.0.0!interface GigabitEthernet1/2!switch outside portswitchportswitchport access vlan 3switchport mode access!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,2,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface Vlan3ip address 15.0.0.2 255.255.255.0standby delay minimum 0 reload 0standby 1 ip 15.0.0.100standby 1 timers msec 100 1standby 1 priority 105standby 1 preemptstandby 1 name std-hsrpstandby 1 track GigabitEthernet1/2crypto engine slot 4/0 outside!interface Vlan2ip vrf forwarding ivrfip address 15.0.0.252 255.255.255.0crypto map map_vrf_1 redundancy std-hsrpcrypto engine slot 4/0 inside!ip classlessip route 12.0.0.0 255.0.0.0 15.0.0.1ip route 13.0.0.0 255.0.0.0 13.254.254.2ip route 14.0.0.0 255.0.0.0 15.0.0.1ip route 223.255.254.0 255.255.255.0 17.1.0.1ip route vrf ivrf 12.0.0.1 255.255.255.255 15.0.0.1!ip access-list extended acl_1permit ip host 13.0.0.1 host 12.0.0.1!!arp vrf ivrf 13.0.0.1 0000.0000.2222 ARPAIPSec Virtual Tunnel Interfaces Configuration Examples
The following examples show VRF mode configurations that use VTI:
•
•
IPSec Virtual Tunnel Interface Configuration Example 1 (FVRF)
The following example configuration shows an FVRF VTI configuration:
hostname router-1!!ip vrf fvrfrd 2000:1route-target export 2000:1route-target import 2000:1!ip vrf ivrfrd 1000:1route-target export 1000:1route-target import 1000:1!crypto engine mode vrf!crypto keyring key1 vrf fvrfpre-shared-key address 11.1.1.1 key cisco47!crypto isakmp policy 1encr 3deshash md5authentication pre-share!crypto isakmp profile isa_profkeyring key1match identity address 11.1.1.1 255.255.255.255 fvrfcrypto ipsec transform-set proposal esp-3des esp-sha-hmac!!crypto ipsec profile vpnprofset transform-set proposalset isakmp-profile isa_prof!!!!!interface Tunnel1ip vrf forwarding ivrfip address 20.1.1.1 255.255.255.0ip pim sparse-modeip ospf network broadcastip ospf priority 2tunnel source 1.0.0.1tunnel destination 11.1.1.1tunnel mode ipsec ipv4tunnel vrf fvrftunnel protection ipsec profile vpnprofcrypto engine slot 4/0 inside!interface Loopback1ip vrf forwarding fvrfip address 1.0.0.1 255.255.255.0!interface GigabitEthernet1/1!switch inside portip vrf forwarding ivrfip address 50.0.0.1 255.255.255.0!interface GigabitEthernet1/2!switch outside portip vrf forwarding fvrfip address 9.1.1.1 255.255.255.0crypto engine slot 4/0 outside!interface GigabitEthernet4/0/1!IPSec VPN SPA inside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet4/0/2!IPSec VPN SPA outside portswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!router ospf 1 vrf ivrflog-adjacency-changesnetwork 20.1.1.0 0.0.0.255 area 0network 21.1.1.0 0.0.0.255 area 0network 50.0.0.0 0.0.0.255 area 0!ip classlessip route vrf fvrf 11.1.1.0 255.255.255.0 9.1.1.254IPSec Virtual Tunnel Interface Configuration Example 2 (CCA)
The following example configuration shows IPSec VTI configuration using crypto connect alternative (CCA) mode:
!crypto engine mode vrf!crypto keyring key1pre-shared-key address 14.0.0.2 key 12345!crypto isakmp policy 1encr 3deshash md5authentication pre-share!crypto isakmp profile prof1keyring key1match identity address 14.0.0.2 255.255.255.255!crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac!crypto ipsec profile prof1set transform-set t-set1set isakmp-profile prof1!!interface Tunnel1ip address 122.0.0.2 255.255.255.0tunnel source 15.0.0.2tunnel destination 14.0.0.2tunnel mode ipsec ipv4tunnel protection ipsec profile prof1crypto engine slot 2/0 inside!interface Loopback2ip address 15.0.0.2 255.255.255.0!interface GigabitEthernet1/3ip address 172.2.1.1 255.255.255.0crypto engine slot 2/0 outside!interface GigabitEthernet2/0/1switchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!interface GigabitEthernet2/0/2switchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1,1002-1005switchport mode trunkmtu 9216flowcontrol receive onflowcontrol send offspanning-tree portfast trunk!!ip route 14.0.0.0 255.0.0.0 172.2.1.2ip route 172.0.0.0 255.0.0.0 172.2.1.2
