
CCIE Security V4 Technology Labs Section 7: Confidentiality and Secure Access
VRF-Aware IPsec Using Crypto Maps and Custom FVRF
Last updated: May 20, 2013

Note:
For this task, you can use the configuration files that resulted from completing the
previous task, or you can load the Section 7 Initial Configuration Files to initialize your
rack.

Task
Configure a VRF named FVRF-PROVIDER and assign the VLAN18 interface of R1 and the VLAN38 interface of R3 to it.
Ensure that the IPsec tunnel from the previous task is functional.

Overview
This task is crypto-map-based VRF-aware IPsec with a non-global FVRF (front-door VRF): IKE and ESP
packets are sent and received in FVRF-PROVIDER, while the protected traffic belongs to the inside VRF
IVRF-CLIENT. Because the FVRF is not the global routing table, it has to be named in two places: on the
crypto keyring ("crypto keyring FVRF vrf FVRF-PROVIDER"), so the pre-shared key is looked up for a peer
reached through that VRF, and on the ISAKMP profile's "match identity address ... FVRF-PROVIDER", so
the peer's IKE identity is matched in that VRF. The IVRF is selected with "vrf IVRF-CLIENT" under the
ISAKMP profile, and the interface that carries the crypto map sits in the FVRF.

Configuration
For the following configuration to be functional, you must first remove the ISAKMP profile and crypto
keyring configured in the previous task.
The ISAKMP policy used here (3DES, MD5, DH group 2) and the pre-shared key CISCO are lab values; a
production deployment should use AES, a SHA-2 hash, a larger DH group and a strong key.

R1:

ip cef
ip vrf IVRF-CLIENT
ip vrf FVRF-PROVIDER
!
crypto keyring FVRF vrf FVRF-PROVIDER
pre-shared-key address 136.1.38.3 key CISCO
!
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
!
crypto isakmp profile IVRF
vrf IVRF-CLIENT
keyring FVRF
match identity address 136.1.38.3 255.255.255.255 FVRF-PROVIDER
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
ip access-list extended LO1_TO_LO3
permit ip host 150.1.1.1 host 150.1.3.3
!
crypto map VPN 5 ipsec-isakmp
set peer 136.1.38.3
set transform-set 3DES_MD5
set isakmp-profile IVRF
match address LO1_TO_LO3
reverse-route remote-peer 136.1.38.3 static
!
interface GigabitEthernet0/0
ip vrf forwarding FVRF-PROVIDER
ip address 136.1.18.1 255.255.255.0
crypto map VPN
!
interface Loopback0
ip vrf forwarding IVRF-CLIENT
ip address 150.1.1.1 255.255.255.255
!
ip route vrf FVRF-PROVIDER 0.0.0.0 0.0.0.0 136.1.18.8

R3:

ip cef
ip vrf IVRF-CLIENT
ip vrf FVRF-PROVIDER
!
crypto keyring FVRF vrf FVRF-PROVIDER
pre-shared-key address 136.1.18.1 key CISCO
!
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
!
crypto isakmp profile IVRF
vrf IVRF-CLIENT
keyring FVRF
match identity address 136.1.18.1 255.255.255.255 FVRF-PROVIDER
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
ip access-list extended LO3_TO_LO1
permit ip host 150.1.3.3 host 150.1.1.1
!
crypto map VPN 5 ipsec-isakmp
set peer 136.1.18.1
set transform-set 3DES_MD5
set isakmp-profile IVRF
match address LO3_TO_LO1
!
interface FastEthernet0/0
ip vrf forwarding FVRF-PROVIDER
ip address 136.1.38.3 255.255.255.0
crypto map VPN
!
interface Loopback0
ip vrf forwarding IVRF-CLIENT
ip address 150.1.3.3 255.255.255.255
!
ip route vrf FVRF-PROVIDER 0.0.0.0 0.0.0.0 136.1.38.8
ip route vrf IVRF-CLIENT 0.0.0.0 0.0.0.0 FastEthernet0/0 136.1.38.8

Note the asymmetry in how the inside VRF learns the route to the remote loopback: R3 uses a static
default in IVRF-CLIENT that names both the FVRF-facing interface and the next hop (the interface plus
next-hop form is what makes the lookup cross from IVRF-CLIENT into FVRF-PROVIDER), whereas R1 lets
"reverse-route remote-peer 136.1.38.3 static" inject the 150.1.3.3/32 route into IVRF-CLIENT once the
crypto map is applied.
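As an added example (not part of the INE workbook and not an IOS feature), the following Python script encodes the consistency rule described above and runs it over the R1 configuration from this page: the VRF of the interface carrying the crypto map is the FVRF, so the keyring bound by the ISAKMP profile must carry the same "vrf" keyword, the profile must have a "match identity address" entry for the peer in that VRF, and the keyring must hold a key for that peer. It also flags the lab's 3DES/MD5/group 2 policy. R1_CONFIG is the page's R1 config reduced to the lines the checker reads and re-indented the way IOS displays it; parse_sections, first, extract, check and WEAK are names chosen here.

```python
"""Added example (not from the INE workbook): consistency checks for one router's
crypto-map VRF-aware IPsec config. With the crypto-map interface in a non-global
FVRF, the keyring VRF and the ISAKMP profile's 'match identity address ... <fvrf>'
must name that same VRF; the script also flags the lab's 3DES/MD5/group 2 policy."""

# The page's R1 config, reduced to the lines the checker reads, IOS indentation restored.
R1_CONFIG = """\
ip vrf IVRF-CLIENT
ip vrf FVRF-PROVIDER
crypto keyring FVRF vrf FVRF-PROVIDER
 pre-shared-key address 136.1.38.3 key CISCO
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp profile IVRF
 vrf IVRF-CLIENT
 keyring FVRF
 match identity address 136.1.38.3 255.255.255.255 FVRF-PROVIDER
crypto map VPN 5 ipsec-isakmp
 set peer 136.1.38.3
 set isakmp-profile IVRF
interface GigabitEthernet0/0
 ip vrf forwarding FVRF-PROVIDER
 crypto map VPN
interface Loopback0
 ip vrf forwarding IVRF-CLIENT
"""
# Legacy IKEv1 policy values that should not survive into production.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}

def parse_sections(config):
    """Split IOS config text into (header, [indented sub-lines]) blocks."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"): continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def first(body, *prefix):
    # First word following the given keywords in a block body, or None if absent.
    for line in body:
        w = line.split()
        if w[: len(prefix)] == list(prefix) and len(w) > len(prefix):
            return w[len(prefix)]
    return None

def extract(config):
    """Pull the VRF-relevant facts out of a parsed config."""
    f = {"vrfs": set(), "keyrings": {}, "profiles": {}, "maps": {}, "interfaces": {}, "policy": {}}
    for header, body in parse_sections(config):
        w = header.split()
        if w[:2] == ["ip", "vrf"]:
            f["vrfs"].add(w[2])
        elif w[:2] == ["crypto", "keyring"]:  # 'vrf X' on the keyring line is the FVRF
            f["keyrings"][w[2]] = {"vrf": w[4] if "vrf" in w else None,
                                   "peers": [l.split()[2] for l in body if l.startswith("pre-shared-key address")]}
        elif w[:3] == ["crypto", "isakmp", "profile"]:
            # match identity address <peer> <mask> [<fvrf>]; a missing FVRF means the global table
            matches = [(l.split()[3], (l.split() + [None])[5]) for l in body if l.startswith("match identity address")]
            f["profiles"][w[3]] = {"vrf": first(body, "vrf"), "keyring": first(body, "keyring"), "match": matches}
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            f["policy"] = {l.split()[0]: l.split()[1] for l in body}
        elif w[:2] == ["crypto", "map"]:
            f["maps"][w[2]] = {"peer": first(body, "set", "peer"), "profile": first(body, "set", "isakmp-profile")}
        elif w[0] == "interface":
            f["interfaces"][w[1]] = {"vrf": first(body, "ip", "vrf", "forwarding"), "map": first(body, "crypto", "map")}
    return f

def check(config):
    """Return a list of findings; an empty list means the config is consistent and uses no weak algorithms."""
    f = extract(config)
    out = []
    for ifname, i in f["interfaces"].items():
        if i["map"] is None:
            continue
        m = f["maps"].get(i["map"], {})
        p = f["profiles"].get(m.get("profile"))
        if p is None:
            out.append(f"{ifname}: crypto map {i['map']} does not bind an ISAKMP profile")
            continue
        fvrf = i["vrf"]  # IKE for this map arrives in the interface's VRF (None = global)
        k = f["keyrings"].get(p["keyring"], {"vrf": None, "peers": []})
        if k["vrf"] != fvrf:
            out.append(f"{ifname}: keyring {p['keyring']} is in VRF {k['vrf']} but the interface FVRF is {fvrf}")
        if m.get("peer") not in k["peers"]:
            out.append(f"{ifname}: keyring {p['keyring']} has no pre-shared key for peer {m.get('peer')}")
        if (m.get("peer"), fvrf) not in p["match"]:
            out.append(f"{ifname}: profile {m['profile']} lacks 'match identity address {m.get('peer')} ... {fvrf}'")
    for attr, value in f["policy"].items():
        if value in WEAK.get(attr, ()):
            out.append(f"isakmp policy: weak {attr} {value}")
    return out

if __name__ == "__main__":
    for finding in check(R1_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the page's R1 config the only findings are the three weak-algorithm ones. A config whose crypto-map interface has no "ip vrf forwarding", whose keyring has no "vrf" keyword and whose "match identity" names no VRF passes the same checks, which is the global-FVRF case of the previous task; dropping FVRF-PROVIDER from only one of the two places produces a finding, and that is the mismatch that keeps the IKE SA from forming.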

Verification
Generate interesting traffic (traffic matching the crypto ACL) from R3's inside VRF to trigger IKE negotiation.

Rack1R3#ping vrf IVRF-CLIENT 150.1.1.1 source loopback 0


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Verify the IPsec session from both the FVRF and the IVRF side; both views show the same session, since one SA spans the two VRFs.

Rack1R1#show crypto session fvrf FVRF-PROVIDER


Crypto session current status
Interface: GigabitEthernet0/0
Profile: IVRF
Session status: UP-ACTIVE
Peer: 136.1.38.3 port 500
IKEv1 SA: local 136.1.18.1/500 remote 136.1.38.3/500 Active
IPSEC FLOW: permit ip host 150.1.1.1 host 150.1.3.3
Active SAs: 2, origin: crypto map

Rack1R1#show crypto session ivrf IVRF-CLIENT
Crypto session current status
Interface: GigabitEthernet0/0
Profile: IVRF
Session status: UP-ACTIVE
Peer: 136.1.38.3 port 500
IKEv1 SA: local 136.1.18.1/500 remote 136.1.38.3/500 Active
IPSEC FLOW: permit ip host 150.1.1.1 host 150.1.3.3
Active SAs: 2, origin: crypto map
