VRF Aware IPSec on VRF Lite


This guide is the continuation of VRF Lite but with the application of IPSec VPN. I suggest that you read the VRF Lite tutorial before reading this if you don’t know about VRF.

This tutorial walks you through configuring a Cisco router for VRF-aware IPsec. Before you can do that, the router has to be virtualized by implementing VRF. With the VRF-aware IPsec feature you can map IPsec tunnels to Virtual Routing and Forwarding (VRF) instances, so that each tunnel's IKE peering and its protected traffic belong to a specific routing table rather than to the global one.

The example in this guide uses VRF Lite (VRF without MPLS). The common application is a managed-services environment where each customer must be isolated. It is a sound design because each customer's traffic stays in its own routing table, so one customer cannot see another customer's traffic, and the IPsec peers and pre-shared keys of one customer are not reachable from another customer's VRF.

The main difference when configuring a VRF-aware site-to-site VPN on VRF Lite is the introduction of the crypto keyring, which binds a pre-shared key to the front-door VRF (FVRF) in which the IKE peer is reached. A key configured globally with crypto isakmp key only serves peers reached through the global routing table, so a peer that lives in a VRF needs a keyring tied to that VRF. The rest of the site-to-site VPN configuration (ISAKMP policy, transform set, crypto ACL and crypto map) is the same as in a non-VRF deployment.

Configure Crypto Keyrings.
A crypto keyring is a repository of pre-shared keys and Rivest, Shamir, and Adleman (RSA) public keys. The vrf keyword ties the keyring to the FVRF, the VRF that contains the interface on which IKE packets from the peer arrive.

crypto keyring keyring-name vrf fvrf-name
pre-shared-key address ip-address [mask] key key

Take a look at the complete running configuration on R1 and you will notice how small the difference is.
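The running configuration referred to above is not reproduced on this page, so the following is an added example of what a VRF-aware site-to-site configuration on a hub router looks like end to end; it is not the author's R1 configuration. Hostnames, VRF names, interface numbers, addresses, subnets and pre-shared keys are all assumptions chosen for illustration (RFC 5737 documentation addresses for the WAN side). The example goes slightly beyond the keyring lines above by adding the ISAKMP profile that ties the keyring to an inside VRF (IVRF), which is how the decrypted traffic ends up in the right routing table; here the FVRF and IVRF are the same customer VRF, as in a typical VRF-Lite managed-services design.

```cisco
! Added example, not the post's own running config.
! Hub router terminating one IPsec tunnel per customer VRF (VRF Lite, no MPLS).
! All names, addresses and keys below are assumptions.
ip vrf CUST_A
 rd 65000:1
ip vrf CUST_B
 rd 65000:2
!
! One keyring per front-door VRF. The 'vrf' keyword is the VRF-Lite-specific
! part: this PSK is only consulted for peers whose IKE packets arrive in that VRF.
crypto keyring KR_CUST_A vrf CUST_A
 pre-shared-key address 203.0.113.2 key CustA-assumed-PSK
crypto keyring KR_CUST_B vrf CUST_B
 pre-shared-key address 203.0.113.6 key CustB-assumed-PSK
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! ISAKMP profile: 'vrf' is the inside VRF that decrypted traffic is routed in,
! 'keyring' selects the PSKs, and the trailing VRF name on 'match identity'
! restricts the match to peers reached through that front-door VRF.
crypto isakmp profile ISA_CUST_A
 vrf CUST_A
 keyring KR_CUST_A
 match identity address 203.0.113.2 255.255.255.255 CUST_A
crypto isakmp profile ISA_CUST_B
 vrf CUST_B
 keyring KR_CUST_B
 match identity address 203.0.113.6 255.255.255.255 CUST_B
!
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACLs: local customer LAN to the customer's remote LAN.
ip access-list extended VPN_CUST_A
 permit ip 10.1.1.0 0.0.0.255 10.1.100.0 0.0.0.255
ip access-list extended VPN_CUST_B
 permit ip 10.2.1.0 0.0.0.255 10.2.100.0 0.0.0.255
!
crypto map CM_CUST_A 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS_AES
 set isakmp-profile ISA_CUST_A
 match address VPN_CUST_A
crypto map CM_CUST_B 10 ipsec-isakmp
 set peer 203.0.113.6
 set transform-set TS_AES
 set isakmp-profile ISA_CUST_B
 match address VPN_CUST_B
!
! WAN interfaces live in the customer's VRF, so FVRF = IVRF = customer VRF.
interface GigabitEthernet0/1
 ip vrf forwarding CUST_A
 ip address 203.0.113.1 255.255.255.252
 crypto map CM_CUST_A
interface GigabitEthernet0/2
 ip vrf forwarding CUST_B
 ip address 203.0.113.5 255.255.255.252
 crypto map CM_CUST_B
!
! Customer LAN sub-interfaces, one per VRF.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding CUST_A
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding CUST_B
 ip address 10.2.1.1 255.255.255.0
!
! Per-VRF routes toward each customer's remote LAN via its own IPsec peer.
ip route vrf CUST_A 10.1.100.0 255.255.255.0 203.0.113.2
ip route vrf CUST_B 10.2.100.0 255.255.255.0 203.0.113.6
```

Note that the two crypto ACLs could use overlapping or even identical address space, because each crypto map and its ACL are evaluated only on the interface in that customer's VRF. To bring a tunnel up and verify it, send traffic from inside the VRF (for example ping vrf CUST_A 10.1.100.1 source 10.1.1.1) and then check show crypto session detail, which lists the FVRF and IVRF of each session, and show crypto isakmp sa; if IKE never reaches MM_KEY_EXCH or QM_IDLE, the usual cause is a keyring bound to the wrong VRF or an ISAKMP profile whose match identity does not name the FVRF the peer is actually reached in.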




  2. Good info. Thanks.
    What about having a single global interface on R1 used for the IPsec peerings? Is that possible?

    Say R1 uses an IP in the global space (no VRF); R2 and R3 then peer with this IP (dynamically) and are mapped to a VRF depending on the pre-shared keys.

    Any comments/solutions?

