This guide continues the VRF Lite tutorial and applies IPSec VPN to it. If you don’t know about VRF, I suggest that you read the VRF Lite tutorial before reading this.
This tutorial will guide you through configuring your Cisco device for VRF-aware IPSec. Before you configure your Cisco device for VRF-aware IPSec, you need to virtualize it by implementing VRF. Using the VRF-aware IPSec feature, you can map IPSec tunnels to Virtual Routing and Forwarding (VRF) instances.
The example provided in this guide uses VRF Lite (VRF without MPLS). A common application of this is a managed services environment where you want to isolate each customer. It is a secure implementation because each customer doesn’t see traffic from other customers.
The main difference when configuring a VRF-aware site-to-site VPN on VRF Lite is the introduction of the crypto keyring. All other site-to-site VPN configuration is the same.
Configure Crypto Keyrings.
A crypto keyring is a repository of preshared keys and Rivest, Shamir, and Adleman (RSA) public keys.
crypto keyring keyring-name vrf fvrf-name
 pre-shared-key address ip-address key key
Take a look at the complete running configuration on R1 and you will notice the slight discrepancy.
Screenshots are provided below as well. Just click on the album below.
[Screenshot album: VRF-aware IPSec]
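Because the keyring is what ties a pre-shared key to a front-door VRF, a saved running configuration can be checked for keys that are not tied to one. The Python script below is an added example, not part of the original tutorial: the sample configuration, VRF names, addresses and keys are constructed, and audit_keyrings is a hypothetical helper. It also flags the wildcard peer address 0.0.0.0, which goes beyond the single-peer syntax shown above.

```python
import re

# Constructed sample running-config: names, addresses and keys are made up.
SAMPLE_CONFIG = """\
ip vrf CUST-A
 rd 65000:1
!
crypto keyring KR-CUST-A vrf CUST-A
 pre-shared-key address 203.0.113.2 key EXAMPLE-KEY-A
crypto keyring KR-CUST-B
 pre-shared-key address 198.51.100.2 key EXAMPLE-KEY-B
crypto keyring KR-CUST-C vrf CUST-C
 pre-shared-key address 0.0.0.0 0.0.0.0 key EXAMPLE-KEY-C
crypto isakmp key EXAMPLE-KEY-D address 192.0.2.9
"""

KEYRING = re.compile(r"^crypto keyring (\S+)(?: vrf (\S+))?\s*$")
PSK = re.compile(r"^\s+pre-shared-key address (\S+)(?: (\d+\.\d+\.\d+\.\d+))? key ")
GLOBAL_KEY = re.compile(r"^crypto isakmp key .* address (\S+)")
VRF_DEF = re.compile(r"^(?:ip vrf|vrf definition) (\S+)")

def audit_keyrings(config):
    """Return (keyring, issue) findings for pre-shared keys not tied to a defined FVRF."""
    vrfs = {m.group(1) for line in config.splitlines() if (m := VRF_DEF.match(line))}
    findings, current = [], None
    for line in config.splitlines():
        if m := KEYRING.match(line):
            current, fvrf = m.group(1), m.group(2)
            if fvrf is None:  # keyring without "vrf" lives in the global table
                findings.append((current, "no vrf: keyring belongs to the global table"))
            elif fvrf not in vrfs:  # typo or leftover from a removed customer
                findings.append((current, f"vrf {fvrf} is not defined on this device"))
        elif (m := PSK.match(line)) and current:
            if m.group(1) == "0.0.0.0":
                findings.append((current, "wildcard peer address: any peer may use this key"))
        elif m := GLOBAL_KEY.match(line):  # classic global pre-shared key
            current = None
            findings.append(("(global)", f"crypto isakmp key for {m.group(1)} is not VRF-aware"))
        elif not line.startswith(" "):  # any other top-level line ends the keyring block
            current = None
    return findings

if __name__ == "__main__":
    for name, issue in audit_keyrings(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```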