MPLS VRF-AWARE IPSEC

Hi,

I am trying to configure PE IPsec with a CE and it doesn't work. Can you please help me? Thank you very much for your help.

This is my lab test:

R0-----Ipsec------R1(PE-IPSEC)---------R2(PE)-----------R3

 

R0: the CE that establishes IPsec with the PE router in the VRF named VPN

R1: the PE IPsec router

R2: another PE

R3: a CE router that is in the VRF custB

 

R1: This is the PE-Ipsec router config:

--------------------------------------

!
! Last configuration change at 14:44:09 UTC Sun Mar 29 2009
! NVRAM config last updated at 14:52:35 UTC Sun Mar 29 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1-7200
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
ip vrf VPN
 rd 1:10
 route-target export 1:10
 route-target import 1:10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto keyring VPN vrf VPN
  pre-shared-key address 18.1.2.2 key VPN
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile VPN
   vrf VPN
   keyring VPN
   match identity address 18.1.2.2 255.255.255.255 VPN
!
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 18.1.2.2
 set transform-set VPN
 set isakmp-profile VPN
 match address 101
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.32 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip vrf forwarding VPN
 ip address 18.1.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map crypmap
!
interface FastEthernet1/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 mpls label protocol ldp
 mpls ip
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.1.33 remote-as 65001
 neighbor 192.168.1.33 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 192.168.1.33 activate
 neighbor 192.168.1.33 send-community both
 neighbor 192.168.1.33 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf VPN
 redistribute static
 no synchronization
 exit-address-family
!
ip route 192.16.1.33 255.255.255.255 192.168.2.2
ip route 192.168.1.33 255.255.255.255 192.168.2.2
ip route vrf VPN 200.200.200.200 255.255.255.255 18.1.2.2
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 101 permit ip host 200.200.200.200 host 100.100.100.100
access-list 101 permit ip host 100.100.100.100 host 200.200.200.200
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

 

 

 

R0: This is the CE router config:

--------------------------------------

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R0
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key VPN address 18.1.2.1
!
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer 18.1.2.1
 set transform-set VPN
 match address 101
!
!
!
!
!
!
!
interface Loopback0
 ip address 200.200.200.200 255.255.255.255
!
interface FastEthernet0/0
 ip address 18.1.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 18.1.2.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip host 200.200.200.200 host 100.100.100.100
access-list 101 permit ip host 100.100.100.100 host 200.200.200.200
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

 

R2: This is the PE router config:

--------------------------------------

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip vrf custB
 rd 2:20
 route-target export 1:10
 route-target import 1:10
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.33 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 mpls label protocol ldp
 mpls ip
!
interface FastEthernet0/1
 ip vrf forwarding custB
 ip address 19.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.1.32 remote-as 65001
 neighbor 192.168.1.32 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 192.168.1.32 activate
  neighbor 192.168.1.32 send-community both
  neighbor 192.168.1.32 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf custB
  redistribute static
  no synchronization
 exit-address-family
!
ip forward-protocol nd
ip route 192.168.1.32 255.255.255.255 192.168.2.1
ip route vrf custB 100.100.100.100 255.255.255.255 19.1.2.2
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

 

R3: This is the CE router config:

--------------------------------------

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 100.100.100.100 255.255.255.255
!
interface FastEthernet0/0
 ip address 19.1.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 19.1.2.1
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
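
A reference check for crypto maps like the ones posted above, as an added example that is not part of the original post: it reports every transform-set, ISAKMP profile or ACL that a crypto map entry names but the same config never defines. The two input fragments are crypto-related lines copied from the R0 and R1 configs above; the function name is hypothetical, and names are assumed to be compared case-sensitively.

```python
import re

# Crypto-related lines copied from the R0 (CE) config posted above.
R0_CRYPTO = """\
crypto isakmp key VPN address 18.1.2.1
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
 set peer 18.1.2.1
 set transform-set VPN
 match address 101
access-list 101 permit ip host 200.200.200.200 host 100.100.100.100
access-list 101 permit ip host 100.100.100.100 host 200.200.200.200
"""

# Crypto-related lines copied from the R1 (PE) config posted above.
R1_CRYPTO = """\
crypto keyring VPN vrf VPN
crypto isakmp profile VPN
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto map crypmap 1 ipsec-isakmp
 set peer 18.1.2.2
 set transform-set VPN
 set isakmp-profile VPN
 match address 101
access-list 101 permit ip host 200.200.200.200 host 100.100.100.100
"""

def dangling_refs(config):
    """Return sorted (kind, name) pairs that a crypto map references
    but that the same config never defines (assumed case-sensitive)."""
    defined = {"transform-set": set(), "isakmp-profile": set(), "address": set()}
    refs = set()
    in_map = False
    for line in config.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            defined["transform-set"].add(m.group(1))
        elif m := re.match(r"crypto isakmp profile (\S+)", line):
            defined["isakmp-profile"].add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            defined["address"].add(m.group(1))
        # A crypto map entry is its header line plus the indented lines after it.
        in_map = line.startswith("crypto map ") or (in_map and line.startswith(" "))
        if in_map and (m := re.match(
                r" (?:set|match) (transform-set|isakmp-profile|address) (\S+)", line)):
            refs.add(m.groups())
    # Definitions may appear after the map (ACLs do), so filter only at the end.
    return sorted(r for r in refs if r[1] not in defined[r[0]])
```
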
