Challenge: Can GETVPN support virtual-templates, VRFs and fvrf/ivrf?


I think I am really close to a solution, but the fvrf/ivrf seem to be all one or the other.

The set up is GETVPN-client connects to two networks, one in VRF RED, one on VRF WHITE on separate interfaces. Gi0/0 connects to a transparent firewall and has a default route out to another router.


Gi0/0 is in VRF FRVF and the KS (GETVPN-S1) is reachable over this VRF. ICMP and UDP/848 allowed through the transparent ASA and intermediate ASAs, and I can ping from the GM to the KS using VRF FVRF, so routing and firewalls are not the problem.

So far my config is:
GETVPN-Client#sh run int gi0/0 | b interf
interface GigabitEthernet0/0
 ip vrf forwarding FVRF
 ip address 10.1.2.254 255.255.255.0
end
GETVPN-Client#sh run int lo 103 | b inter
interface Loopback103
 ip vrf forwarding RED
 ip address 10.1.103.1 255.255.255.0
 crypto map G1-RED
end
GETVPN-Client#sh run int virtual-tem 3 | b inter
interface Virtual-Template3 type tunnel
 ip vrf forwarding RED
 ip unnumbered Loopback103
 tunnel source Loopback103
 tunnel mode ipsec ipv4
 tunnel destination 10.1.9.103
 tunnel vrf FVRF
 tunnel protection ipsec profile GET-IPS-Profile-RED
end
GETVPN-Client#sh run | s crypto
crypto keyring RED-G1 vrf RED 
  pre-shared-key address 10.1.9.103 key CCIE
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 10
crypto isakmp profile GET-ISAK-Profile-RED
   vrf RED
   keyring RED-G1
   match identity address 10.1.9.103 255.255.255.255 FVRF
   virtual-template 3
crypto ipsec transform-set GET-TS esp-3des esp-sha-hmac 
 mode transport
crypto ipsec profile GET-IPS-Profile-RED
 set group G1-RED
 set transform-set GET-TS 
 set isakmp-profile GET-ISAK-Profile-RED
crypto gdoi group G1-RED
 identity number 103
 server address ipv4 10.1.9.103
crypto map G1-RED isakmp-profile GET-ISAK-Profile-RED
crypto map G1-RED 103 gdoi 
 set group G1-RED
 crypto map G1-RED
GETVPN-Client#
GETVPN-Client#sh run | i ip route
ip route vrf FVRF 0.0.0.0 0.0.0.0 10.1.2.1
GETVPN-Client#

ip vrf FVRF
 rd 100:100
ip vrf RED
 rd 103:103
ip vrf WHITE
 rd 104:104
Whatever I do, the GDOI registration wants to use either RED/RED for the fvrf/ivrf, or FVRF/FVRF.. for example:
GETVPN-Client(config-gkm-group)#do sh cry gdo | i ivr              
       fvrf/ivrf             : FVRF/FVRF
GETVPN-Client(config-gkm-group)#no client registration interface gi0/0
GETVPN-Client(config-gkm-group)#do sh cry gdo | i ivr                 
       fvrf/ivrf             : RED/RED
GETVPN-Client(config-gkm-group)#
GETVPN-Client(config-if)#tunnel sou gi0/0
GETVPN-Client(config-if)#
GETVPN-Client(config-if)#do sh cry gdoi | i ivrf
       fvrf/ivrf             : RED/RED
GETVPN-Client(config-if)#crypto gdoi group G1-RED
GETVPN-Client(config-gkm-group)#client reg in gi0/0
GETVPN-Client(config-gkm-group)#do sh cry gdoi | i ivrf 
       fvrf/ivrf             : FVRF/FVRF
GETVPN-Client(config-gkm-group)#
I am sure it can be done, and what I need is for the fvrf to be FVRF and the ivrf to be RED, but I am having a really hard time finding supporting documentation - most have sub-interfaces on the Gi0/0 interface for the different VRFs... Been trying this since Saturday night! I am pretty sure I am only one "no" command away from a solution, but it's baffling me!

Hoping someone might have an idea!

Let's make it interesting, without a) creating sub-interfaces for the VRFs, or b) making other IP addressing/topological changes, see if you can get this to work, you won't need to replicate the entire setup, in fact it only needs two routers LON-1 with gi0/1 set with the IP address 10.1.2.1/24, and GETVPN-Client with Gi0/0 in VRF FVRF with the IP address 10.1.2.254, and a static default route to LON-1.

The first correct answer/solution will win a £5 Amazon voucher!

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.

Related Posts

Previous
Next Post »