Thursday, December 3, 2020

VRF-Lite IPSec Aware

 VRF-Lite Configuration With IPSec




==================R1========================
!
ip vrf CUST-A
ip vrf CUST-B
!
interface Ethernet0/0
 ip vrf forwarding CUST-A
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet1/0
 ip vrf forwarding CUST-A
 ip address 192.168.12.1 255.255.255.0
router eigrp 10
 !
 address-family ipv4 vrf CUST-A autonomous-system 100
  no auto-summary
  network 192.168.12.0
  network 192.168.13.0
 exit-address-family
================R2===================
!
ip vrf CUST-A
ip vrf CUST-B
!
interface Ethernet0/0
 ip vrf forwarding CUST-A
 ip address 192.168.24.2 255.255.255.0
!
interface Ethernet1/0
 ip vrf forwarding CUST-A
 ip address 192.168.12.2 255.255.255.0
 !
router eigrp 10
 !
 address-family ipv4 vrf CUST-A autonomous-system 100
  no auto-summary
  network 192.168.12.0
  network 192.168.24.0
 exit-address-family
==================R3===============
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.13.3 255.255.255.0
!
router eigrp 100
 no auto-summary
 network 3.0.0.0
 network 192.168.13.0
==============R4================
!
interface Ethernet0/0
 ip address 192.168.24.4 255.255.255.0
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
router eigrp 100
 no auto-summary
 network 4.0.0.0
 network 192.168.24.0


===============R1 Site-2-Site=======VRF Aware===================
! Phase 1 policy (MD5, 3DES and DH group 2 are legacy algorithms)
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2

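! Create the keyring in the front-door VRF (FVRF), the VRF of the peer-facing interface
crypto keyring KEY-1 vrf CUST-A
 pre-shared-key address 192.168.12.2 key cisco123

! Create the ISAKMP profile: match the peer in the FVRF, then set the inside VRF (IVRF) with "vrf"
crypto isakmp profile PROF-A
 match identity address 192.168.12.2 255.255.255.255 CUST-A
 keyring KEY-1
 vrf CUST-A

! Transform set
crypto ipsec transform-set TSET esp-3des esp-md5-hmac

! Interesting traffic: R3 loopback subnet to R4 loopback subnet
access-list 101 permit ip 3.3.3.0 0.0.0.255 4.4.4.0 0.0.0.255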

! Crypto MAP
crypto map CUST-A 10 ipsec-isakmp
 match address 101
 set peer 192.168.12.2
 set transform-set TSET
crypto map CUST-A isakmp-profile PROF-A

! Apply to the interface
interface Ethernet1/0
 crypto map CUST-A
===============R2 Site-2-Site=======VRF Aware===================
! Phase 1 policy (MD5, 3DES and DH group 2 are legacy algorithms)
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2

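! Create the keyring in the front-door VRF (FVRF), the VRF of the peer-facing interface
crypto keyring KEY-1 vrf CUST-A
 pre-shared-key address 192.168.12.1 key cisco123

! Create the ISAKMP profile: match the peer in the FVRF, then set the inside VRF (IVRF) with "vrf"
crypto isakmp profile PROF-A
 match identity address 192.168.12.1 255.255.255.255 CUST-A
 keyring KEY-1
 vrf CUST-A

! Transform set
crypto ipsec transform-set TSET esp-3des esp-md5-hmac

! Interesting traffic: R4 loopback subnet to R3 loopback subnet
access-list 101 permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255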

! Crypto MAP
crypto map CUST-A 10 ipsec-isakmp
 match address 101
 set peer 192.168.12.1
 set transform-set TSET
crypto map CUST-A isakmp-profile PROF-A

! Apply to the interface
interface Ethernet1/0
 crypto map CUST-A


Now ping from R4 to R3.


We can see that the packets are being encrypted.
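A consistency check for the two tunnel endpoints above, as an added example that is not part of the original post: it confirms that the keyring VRF and the `match identity` VRF equal the VRF of the interface carrying the crypto map, that each `set peer` points at the other side, that the pre-shared keys agree, and that the crypto ACLs mirror each other. The template is constructed from the R1/R2 lines, with the crypto map shown under the interface as it appears in a running config; `parse` and `audit` are hypothetical names.

```python
import re
# Constructed input: the VRF-relevant lines of the R1/R2 configs, as one template.
TEMPLATE = """interface Ethernet1/0
 ip vrf forwarding CUST-A
 ip address {me} 255.255.255.0
 crypto map CUST-A
crypto keyring KEY-1 vrf CUST-A
 pre-shared-key address {peer} key cisco123
crypto isakmp profile PROF-A
 match identity address {peer} 255.255.255.255 CUST-A
access-list 101 permit ip {src} 0.0.0.255 {dst} 0.0.0.255
crypto map CUST-A 10 ipsec-isakmp
 set peer {peer}
"""
R1 = TEMPLATE.format(me="192.168.12.1", peer="192.168.12.2", src="3.3.3.0", dst="4.4.4.0")
R2 = TEMPLATE.format(me="192.168.12.2", peer="192.168.12.1", src="4.4.4.0", dst="3.3.3.0")

def parse(cfg):
    """Extract the fields that must agree for the VRF-aware tunnel to come up."""
    def one(pattern):
        return re.search(pattern, cfg, re.M).groups()
    # The interface carrying the crypto map defines the front-door VRF (FVRF).
    fvrf, local = one(r"^interface \S+\n ip vrf forwarding (\S+)\n ip address (\S+) \S+\n crypto map \S+$")
    return {
        "fvrf": fvrf, "local": local,
        "keyring_vrf": one(r"^crypto keyring \S+ vrf (\S+)$")[0],
        "psk": dict(re.findall(r"^ pre-shared-key address (\S+) key (\S+)$", cfg, re.M)),
        "match_fvrf": one(r"^ match identity address \S+ \S+ (\S+)$")[0],
        "peer": one(r"^ set peer (\S+)$")[0],
        "acl": one(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$"),
    }

def audit(cfg_a, cfg_b):
    """Return a list of mismatches between two endpoints (empty list = consistent)."""
    a, b, problems = parse(cfg_a), parse(cfg_b), []
    for name, x, y in (("A", a, b), ("B", b, a)):
        if x["keyring_vrf"] != x["fvrf"]:
            problems.append(f"{name}: keyring VRF {x['keyring_vrf']} != interface VRF {x['fvrf']}")
        if x["match_fvrf"] != x["fvrf"]:
            problems.append(f"{name}: match identity FVRF != interface VRF {x['fvrf']}")
        if x["peer"] != y["local"]:
            problems.append(f"{name}: set peer {x['peer']} is not the remote crypto interface")
        mine = x["psk"].get(x["peer"])
        if mine is None or mine != y["psk"].get(y["peer"]):
            problems.append(f"{name}: pre-shared key for {x['peer']} missing or different")
    # Crypto ACLs must mirror each other: A's source is B's destination.
    if a["acl"] != b["acl"][2:] + b["acl"][:2]:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Calling `audit(R1, R2)` returns an empty list for the configuration as posted; each returned string names the endpoint (A or B) and the field that disagrees.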



