Note:
For this task, you can use the configuration files that resulted from completing the
previous task, or you can load the Section 7 Initial Configuration Files to initialize your
rack.
Task
Configure a VRF named FVRF-PROVIDER and assign VLAN18/VLAN38 interfaces of R1 and R3 to it.
Ensure that the IPsec tunnel from the previous task is functional.
Overview
This is crypto-map-based VRF-aware IPsec in which the FVRF is non-global, so the FVRF is specified at
the crypto keyring level and in the match identity statement of the ISAKMP profile.
Configuration
For the following configuration to be functional, you must first remove the ISAKMP profile and crypto
keyring configured in the previous task.
R1:
ip cef
ip vrf IVRF-CLIENT
ip vrf FVRF-PROVIDER
!
! Keyring is bound to the FVRF, where the peer address is reachable
crypto keyring FVRF vrf FVRF-PROVIDER
 pre-shared-key address 136.1.38.3 key CISCO
!
! Note: 3DES, MD5 and DH group 2 are legacy algorithms
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
! Profile ties protected traffic to the IVRF and matches the peer identity in the FVRF
crypto isakmp profile IVRF
 vrf IVRF-CLIENT
 keyring FVRF
 match identity address 136.1.38.3 255.255.255.255 FVRF-PROVIDER
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
ip access-list extended LO1_TO_LO3
 permit ip host 150.1.1.1 host 150.1.3.3
!
crypto map VPN 5 ipsec-isakmp
 set peer 136.1.38.3
 set transform-set 3DES_MD5
 set isakmp-profile IVRF
 match address LO1_TO_LO3
 reverse-route remote-peer 136.1.38.3 static
!
! Outside (tunnel-facing) interface belongs to the FVRF
interface GigabitEthernet0/0
 ip vrf forwarding FVRF-PROVIDER
 ip address 136.1.18.1 255.255.255.0
 crypto map VPN
!
! Protected (inside) address belongs to the IVRF
interface Loopback0
 ip vrf forwarding IVRF-CLIENT
 ip address 150.1.1.1 255.255.255.255
!
ip route vrf FVRF-PROVIDER 0.0.0.0 0.0.0.0 136.1.18.8
R3:
ip cef
ip vrf IVRF-CLIENT
ip vrf FVRF-PROVIDER
!
! Keyring is bound to the FVRF, where the peer address is reachable
crypto keyring FVRF vrf FVRF-PROVIDER
 pre-shared-key address 136.1.18.1 key CISCO
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
! Profile ties protected traffic to the IVRF and matches the peer identity in the FVRF
crypto isakmp profile IVRF
 vrf IVRF-CLIENT
 keyring FVRF
 match identity address 136.1.18.1 255.255.255.255 FVRF-PROVIDER
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
ip access-list extended LO3_TO_LO1
 permit ip host 150.1.3.3 host 150.1.1.1
!
crypto map VPN 5 ipsec-isakmp
 set peer 136.1.18.1
 set transform-set 3DES_MD5
 set isakmp-profile IVRF
 match address LO3_TO_LO1
!
! Outside (tunnel-facing) interface belongs to the FVRF
interface FastEthernet0/0
 ip vrf forwarding FVRF-PROVIDER
 ip address 136.1.38.3 255.255.255.0
 crypto map VPN
!
! Protected (inside) address belongs to the IVRF
interface Loopback0
 ip vrf forwarding IVRF-CLIENT
 ip address 150.1.3.3 255.255.255.255
!
ip route vrf FVRF-PROVIDER 0.0.0.0 0.0.0.0 136.1.38.8
! Default route in the IVRF that exits through the FVRF-facing interface
ip route vrf IVRF-CLIENT 0.0.0.0 0.0.0.0 FastEthernet0/0 136.1.38.8
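The FVRF placement described in the Overview can be checked offline before any traffic is generated. The following Python check is an added example, not part of the original workbook: its function names are hypothetical, and it assumes the configuration is indented as show running-config prints it, with one sequence entry per crypto map and the ip vrf forwarding syntax used on this page.

```python
import re

# Constructed sample: R1's VRF-relevant lines from this page, indented as in show run.
R1 = """\
crypto keyring FVRF vrf FVRF-PROVIDER
crypto isakmp profile IVRF
 keyring FVRF
 match identity address 136.1.38.3 255.255.255.255 FVRF-PROVIDER
crypto map VPN 5 ipsec-isakmp
 set isakmp-profile IVRF
interface GigabitEthernet0/0
 ip vrf forwarding FVRF-PROVIDER
 crypto map VPN
"""

def sections(config):  # group an indented config into (header, [sub-commands])
    out = []
    for raw in config.splitlines():
        if raw[:1].isspace() and out:
            out[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            out.append((raw.strip(), []))
    return out

def find(pattern, lines):  # capture group 1 of the first matching line, or None
    return next((m[1] for m in (re.match(pattern, l) for l in lines) if m), None)

def check_fvrf(config):
    """List places where the keyring VRF or match-identity fvrf differs from the interface VRF."""
    keyring_vrf, profile, map_profile, problems = {}, {}, {}, []
    for head, body in sections(config):
        if m := re.match(r"crypto keyring (\S+)(?: vrf (\S+))?$", head):
            keyring_vrf[m[1]] = m[2]  # None means the global table
        elif m := re.match(r"crypto isakmp profile (\S+)$", head):
            profile[m[1]] = (find(r"keyring (\S+)$", body), find(
                r"match identity address \S+(?: [\d.]+)?(?: (\S+))?$", body))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", head):
            map_profile[m[1]] = find(r"set isakmp-profile (\S+)$", body)
    for head, body in sections(config):
        cmap = find(r"crypto map (\S+)$", body)
        if head.startswith("interface ") and cmap:
            fvrf = find(r"ip vrf forwarding (\S+)$", body)  # None means global
            keyring, match_fvrf = profile.get(map_profile.get(cmap), (None, None))
            if keyring_vrf.get(keyring) != fvrf:
                problems.append(f"{head}: keyring {keyring} not bound to VRF {fvrf}")
            if match_fvrf != fvrf:
                problems.append(f"{head}: match identity fvrf {match_fvrf}, expected {fvrf}")
    return problems
```

An empty list from check_fvrf means the keyring, the ISAKMP profile and the crypto-map interface all agree on the FVRF.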
Verification
Generate interesting traffic to trigger the IPsec process.