Study Notes – Basic Front-Door VRF with Non-Default iVRF (ISAKMP PSK, GRE)

This is a post in a series of “stream-of-study” content where I post loosely-structured notes taken while labbing various scenarios and technologies.

!-------------------------------------------------!
!  Basic Front-Door VRF with non-default LAN VRF  !
!-------------------------------------------------!
!              IKEv1 GREoIPSec L2L                !
!-------------------------------------------------!
!
!the purpose of a Front-Door VRF is to separate the underlay (the physical uplink and its routes) from the overlay (the tunnel and the LAN routes learned across it). That avoids recursive routing, where the route to the tunnel destination is itself learned through the tunnel, and it adds a layer of security by segmenting underlay and overlay at L3: the Internet-facing table has no route into the LAN VRF, and the LAN VRF has no route to the underlay
!
!Good example here with basic config and recursion example- https://networkingwithfish.com/tunnels-and-the-use-of-front-door-vrfs/
!
!-------
!  R1
!-------
!first, we configure the fVRF (front-door VRF), which will hold the underlay uplink and its default route
!
vrf definition inet
 rd 1:1
 address-family ipv4 unicast
!
!then, configure the LAN-side VRF (inside VRF, iVRF) for our tunneled traffic (this could just as well be the default VRF)
!
vrf definition MyLAN
 rd 10:10
 address-family ipv4 unicast
!
!set a default route in the underlay VRF so the tunnel destination is reachable, and configure a couple of LAN segments in the iVRF
!
ip route vrf inet 0.0.0.0 0.0.0.0 199.1.1.3
!
int lo0
 vrf forwarding MyLAN
 ip add 10.1.1.1 255.255.255.255
!
int lo1
 vrf forwarding MyLAN
 ip add 172.16.1.1 255.255.255.255
!
!configure the phy underlay uplink in the fVRF
!
int eth0/0
 vrf forwarding inet
 ip add 199.1.1.1 255.255.255.0
 no shut
!
!configure basic ISAKMP policy
!
cry isakmp policy 5
 hash sha256
 authen pre-share
 group 19
 encry aes 256
!
!since the IPSec tunnel is going to be formed on the PHY underlay interface, we need to attach our PSK to the underlay fVRF "inet", which we can do using a crypto keyring (a key configured with a plain "crypto isakmp key" command lives in the global table and would not be found for a peer arriving in the fVRF). Note that the 0.0.0.0 0.0.0.0 wildcard below accepts this key from any peer address; in production, scope it to the peer (200.1.1.1 here) so the key only authenticates that one peer
!
!
crypto keyring INET vrf inet
 pre-shared-key address 0.0.0.0 0.0.0.0 key P@ssw0rd!
!
!then we just configure normal IPSec Phase 2 params; transport mode is enough here because GRE already supplies the outer IP header, so tunnel mode would only add a second one
!
cry ipsec transform-set TFS esp-aes 256 esp-sha256-hmac
 mode transport
!
cry ipsec profile VPN
 set transform-set TFS
!
!configure the tunnel interface, sticking it in the "MyLAN" VRF, then using the "tunnel vrf inet" command to bind the tunnel to the underlay: the tunnel source/destination lookup and the IPsec SA formation happen in "inet", while the tunnel's own IP and the routes learned over it stay in "MyLAN"
!
int tu1
 vrf forwarding MyLAN
 ip add 192.168.1.1 255.255.255.0
 tunnel sour eth0/0
 tunnel dest 200.1.1.1
 tunnel protection ipsec profile VPN
 tunnel vrf inet
!
!configure a basic VRF-aware EIGRP instance; the network statements only apply to interfaces inside the MyLAN address-family, so nothing from the underlay is advertised into the overlay
!
router eigrp 100
 address-family ipv4 unicast vrf MyLAN autonomous-system 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0
!
!----------
!    R2
!----------
!
!rinse and repeat with IPs adjusted for the peer router, R2
!
vrf definition inet
 rd 1:1
 address-family ipv4 unicast
!
vrf definition MyLAN
 rd 10:10
 address-family ipv4 unicast
!
ip route vrf inet 0.0.0.0 0.0.0.0 200.1.1.3
!
int lo0
 vrf forwarding MyLAN
 ip add 10.2.2.2 255.255.255.255
!
int lo1
 vrf forwarding MyLAN
 ip add 172.16.2.2 255.255.255.255
!
int eth0/0
 vrf forwarding inet
 ip add 200.1.1.1 255.255.255.0
 no shut
!
!
cry isakmp policy 5
 hash sha256
 authen pre-share
 group 19
 encry aes 256
!
crypto keyring INET vrf inet
 pre-shared-key address 0.0.0.0 0.0.0.0 key P@ssw0rd!
!
cry ipsec transform-set TFS esp-aes 256 esp-sha256-hmac
 mode transport
!
cry ipsec profile VPN
 set transform-set TFS
!
int tu1
 vrf forwarding MyLAN
 ip add 192.168.1.2 255.255.255.0
 tunnel sour eth0/0
 tunnel dest 199.1.1.1
 tunnel protection ipsec profile VPN
 tunnel vrf inet
!
router eigrp 100
 address-family ipv4 unicast vrf MyLAN autonomous-system 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0
!----------------------
!  Verification
!----------------------
!
!show vrf [detail]   (eth0/0 should sit under inet; lo0, lo1 and tu1 under MyLAN)
!sh cry isakmp sa [detail]   (the SA should reach QM_IDLE, with the underlay addresses 199.1.1.1 and 200.1.1.1 as the peers)
!sh cry ipsec sa [detail]   (encaps/decaps counters should increase with every EIGRP hello; send errors increasing instead point at a Phase 2 mismatch)
!sh ip eigrp vrf MyLAN neighbors   (the peer should show up on Tu1)
!sh ip route vrf MyLAN   (the peer's loopbacks arrive as EIGRP routes; the tunnel destination must not appear here, only in inet, otherwise the tunnel would recurse through itself)
!
!Ran into one issue turning things up because I had a typo where the transform set was spelled incorrectly: the tunnels just sat up, but IPsec SA send errors kept incrementing for every EIGRP hello. Bounced both tunnels and the issue resolved.
!
!remember that IPsec/ISAKMP happens on the underlay, not on the tunnel interface itself, so anything tied to VPN tunnel turn-up, such as PSK lookup and peer authentication, gets tied to the underlay VRF (the keyring's "vrf inet" and the tunnel's "tunnel vrf inet" must name the same VRF)
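As an added check (example code written for these notes, not from the post and not a Cisco tool), the following Python script parses IOS config text and flags the wiring mistakes the notes warn about: a "tunnel vrf" that does not match the VRF of the tunnel source interface, a keyring that is not bound to that underlay VRF, an fVRF equal to the iVRF (no separation, so recursion is possible), and the wildcard 0.0.0.0 PSK. The sample configs embedded in it are constructed from R1 above; the interface-name expansion (tu1 to tunnel1, eth0/0 to ethernet0/0) and the regexes are assumptions tuned to the abbreviations used here, not a general IOS parser.

```python
"""Lint a Cisco IOS front-door-VRF (fVRF) GRE-over-IPsec config (added example, not
the post's own code): "tunnel vrf" must match the VRF of the tunnel source, the ISAKMP
keyring must sit in that underlay VRF, fVRF and iVRF should differ, and wildcard PSKs
are flagged. Interface abbreviation expansion (tu1 -> tunnel1) is an assumption."""
import re
from dataclasses import dataclass, field

# Constructed sample: R1's keyring and interfaces, as written in the post.
R1_AS_POSTED = """\
crypto keyring INET vrf inet
 pre-shared-key address 0.0.0.0 0.0.0.0 key P@ssw0rd!
!
int eth0/0
 vrf forwarding inet
 ip add 199.1.1.1 255.255.255.0
!
int tu1
 vrf forwarding MyLAN
 ip add 192.168.1.1 255.255.255.0
 tunnel sour eth0/0
 tunnel dest 200.1.1.1
 tunnel protection ipsec profile VPN
 tunnel vrf inet
"""
# Constructed variant: the same box with "tunnel vrf inet" forgotten.
R1_MISSING_TUNNEL_VRF = R1_AS_POSTED.replace(" tunnel vrf inet\n", "")

@dataclass
class Iface:
    name: str
    vrf: str = ""           # "vrf forwarding" (iVRF for a tunnel); "" = global table
    tunnel_vrf: str = ""    # "tunnel vrf" (fVRF); "" = global table
    tunnel_source: str = ""
    protection: str = ""    # ipsec profile name, if tunnel protection is set

@dataclass
class Keyring:
    name: str
    vrf: str = ""                               # "" = global table
    peers: list = field(default_factory=list)   # (address, mask) per PSK entry

_FULL_NAMES = ("tunnel", "loopback", "ethernet", "gigabitethernet", "fastethernet")

def normalize(name):
    """Expand an IOS interface abbreviation (eth0/0, Tu1) to a canonical lowercase name."""
    m = re.match(r"([A-Za-z-]+)(.*)", name)
    if not m:                       # an address, not an interface name
        return name
    prefix, rest = m.group(1).lower(), m.group(2)
    return next((f + rest for f in _FULL_NAMES if f.startswith(prefix)), name.lower())

def parse_config(text):
    """Pull interfaces and crypto keyrings out of IOS running-config text."""
    ifaces, keyrings, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                     # top-level command
            cur = None
            if m := re.match(r"int(?:erface)?\s+(\S+)", line):
                n = normalize(m.group(1))
                cur = ifaces.setdefault(n, Iface(n))
            elif m := re.match(r"crypto keyring (\S+)(?: vrf (\S+))?", line):
                cur = keyrings.setdefault(m.group(1), Keyring(m.group(1), m.group(2) or ""))
            continue
        s = line.strip()                                  # sub-mode command
        if isinstance(cur, Iface):
            if m := re.match(r"vrf forwarding (\S+)", s): cur.vrf = m.group(1)
            elif m := re.match(r"tunnel vrf (\S+)", s): cur.tunnel_vrf = m.group(1)
            elif m := re.match(r"tunnel sour\S* (\S+)", s): cur.tunnel_source = normalize(m.group(1))
            elif m := re.match(r"tunnel protection ipsec profile (\S+)", s): cur.protection = m.group(1)
        elif isinstance(cur, Keyring):
            if m := re.match(r"pre-shared-key address (\S+) (\S+) key", s):
                cur.peers.append((m.group(1), m.group(2)))
    return ifaces, keyrings

def audit(text):
    """Return findings for one router; an empty list means the fVRF wiring is consistent."""
    ifaces, keyrings = parse_config(text)
    findings = []
    for tun in (i for i in ifaces.values() if i.name.startswith("tunnel")):
        src = ifaces.get(tun.tunnel_source)
        if src is None:
            findings.append(f"{tun.name}: tunnel source {tun.tunnel_source!r} not found")
        elif src.vrf != tun.tunnel_vrf:   # destination lookup happens in "tunnel vrf"
            findings.append(f"{tun.name}: tunnel vrf is {tun.tunnel_vrf or 'global'} but source "
                            f"{src.name} is in vrf {src.vrf or 'global'}")
        if tun.tunnel_vrf == tun.vrf:     # one table for underlay and overlay: recursion risk
            findings.append(f"{tun.name}: fVRF and iVRF are both {tun.vrf or 'global'}; "
                            "underlay and overlay are not separated")
        if tun.protection and not any(k.vrf == tun.tunnel_vrf for k in keyrings.values()):
            findings.append(f"{tun.name}: no crypto keyring bound to vrf "
                            f"{tun.tunnel_vrf or 'global'}, where ISAKMP for this tunnel runs")
    for k in keyrings.values():
        for addr, mask in k.peers:
            if addr == mask == "0.0.0.0":
                findings.append(f"keyring {k.name}: wildcard PSK lets any peer holding the "
                                "key authenticate; scope it to the peer address instead")
    return findings
```

Calling audit(R1_AS_POSTED) returns a single finding, the wildcard PSK; audit(R1_MISSING_TUNNEL_VRF) returns three, because once "tunnel vrf" falls back to the global table the source interface no longer matches it and the keyring in "inet" is no longer the one ISAKMP would consult. That is the quickest way to see why the "tunnel vrf" line and the keyring's "vrf" keyword have to agree.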
!
!based on configuration from the ISP Redundancy VRF-Lite DMVPN Guide  - https://www.cisco.com/c/en/us/support/docs/security-vpn/dynamic-multi-point-vpn-dmvpn/119022-configure-dmvpn-00.html