
This is a post in a series of “stream-of-study” content where I post loosely-structured notes taken while labbing various scenarios and technologies.
!-----------------------------------------!
! fVRF IKEv1 and RSA-SIG Auth with sVTI !
!-----------------------------------------!
!
!RSA-Sig (certificate) based authentication can be done for ISAKMP peers in an fVRF setup by using the isakmp-profile to specify the match condition and attaching it to the IPsec profile that gets tied to the tunnel interface. Unlike VRF-aware IKE using PSK, we don't need a keyring here because we're using x509 certificates
!
!First set up R1 as the CA and a client, and R2 as a client, and get certs issued. The underlay IPs are already set here so reachability works fine; we will rip and replace when we move the underlay interfaces into the fVRF in the next step
!
!---------------
! R1 (CA)
!---------------
!
cry key gen rsa mod 2048 label CA-Key
ip http server
!
cry pki server Hub-CA-Server
issuer-name CN=hub-ca OU=it O=ccie
grant auto
no shut
!
ip domain-n ccie.lab
cry key gen rsa mod 2048
!
cry pki trustpoint Hub-CA
enrollment url http://199.1.1.1
rev none
serial-number
!
cry pki authen Hub-CA
yes
!
cry pki enroll Hub-CA
pass
repeat pass
yes
!
show cry pki trustpoints
show cry pki server
show cry pki certificates
!
!Now let's get a cert on R2
!
!------------
! R2
!------------
ip domain-n ccie.lab
cry key gen rsa mod 2048
!
cry pki trustpoint Hub-CA
enrollment url http://199.1.1.1
rev none
serial-number
!
cry pki authen Hub-CA
yes
!
cry pki enroll Hub-CA
pass
repeat pass
yes
!
show cry pki trustpoints
show cry pki certificates
!
!--------
! R1
!--------
!Now we create the fVRF for the underlay and tie our phy interface to it and set up routing
!
vrf def inet
addre ipv4 unic
!
int eth0/0
vrf forwarding inet
ip add 199.1.1.1 255.255.255.0
no shut
!
ip route vrf inet 0.0.0.0 0.0.0.0 199.1.1.3
!
!create a couple of LAN subnets
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
interface Loopback1
ip address 10.1.2.1 255.255.255.0
!
!then create a basic isakmp policy
!
crypto isakmp policy 5
hash sha256
authen rsa-sig
group 19
encry aes 256
!
!then we create an isakmp profile, tie it to the fVRF (since ISAKMP is terminating on the underlay, not the Tu interface), and set up a match condition, in this case checking that the peer cert CN includes the domain ccie.lab
!
crypto isakmp profile vrf-aware-isakmp
vrf inet
match identity host domain ccie.lab inet
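!An added hardening variant, not from the original notes: instead of matching only on the domain part of the peer's FQDN identity, a PKI certificate map pins the peer's subject and issuer, and the isakmp profile is restricted to the Hub-CA trustpoint. Map name CCIE-PEERS is an assumption; Hub-CA, inet and vrf-aware-isakmp are the names used above, and R2 mirrors this config.

```cisco
! constructed example: certificate map that the peer cert must satisfy
crypto pki certificate map CCIE-PEERS 10
 subject-name co ccie.lab
 issuer-name co hub-ca
!
! isakmp profile keyed on the certificate map instead of the bare domain match,
! and limited to certificates validated against our own CA trustpoint
crypto isakmp profile vrf-aware-isakmp
 vrf inet
 ca trust-point Hub-CA
 match certificate CCIE-PEERS
```

A peer whose certificate was issued by another CA, or whose subject does not contain ccie.lab, no longer lands in this profile even if it presents a ccie.lab FQDN identity.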
!
!then we set up a transform-set and ipsec profile, and in ipsec profile we add the isakmp profile
!
cry ipsec transform-set TFS esp-aes 256 esp-sha256-hmac
mode transport
!
cry ipsec profile IPSecProfile
set transform-set TFS
set isakmp-profile vrf-aware-isakmp
!
!then configure the tunnel interface, specifying tunnel mode ipsec ipv4 for native IPsec/sVTI instead of GRE (if we leave this out we just have GRE over IPsec, and it works just fine)
!
int tu1
ip add 192.168.100.1 255.255.255.0
tunnel sour eth0/0
tunnel dest 200.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSecProfile
tunnel vrf inet
!
!add some basic routing for cross-tunnel peering; since we left the Tu and LAN interfaces in the default/global VRF, we don't need this to be explicitly VRF-aware
!
router eigrp 100
network 192.168.100.0 0.0.0.255
network 10.0.0.0
network 172.16.0.0
!
!--------
! R2
!--------
!rinse and repeat on R2 with updated IPs
vrf def inet
addre ipv4 unic
!
int eth0/0
vrf forwarding inet
ip add 200.1.1.1 255.255.255.0
no shut
!
ip route vrf inet 0.0.0.0 0.0.0.0 200.1.1.3
!
!
interface Loopback0
ip address 10.2.1.1 255.255.255.0
interface Loopback1
ip address 10.2.2.1 255.255.255.0
!
crypto isakmp policy 5
hash sha256
authen rsa-sig
group 19
encry aes 256
!
crypto isakmp profile vrf-aware-isakmp
vrf inet
match identity host domain ccie.lab inet
!
cry ipsec transform-set TFS esp-aes 256 esp-sha256-hmac
mode transport
!
cry ipsec profile IPSecProfile
set transform-set TFS
set isakmp-profile vrf-aware-isakmp
!
int tu1
ip add 192.168.100.2 255.255.255.0
tunnel sour eth0/0
tunnel dest 199.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSecProfile
tunnel vrf inet
!
router eigrp 100
network 192.168.100.0 0.0.0.255
network 10.0.0.0
!
!------------------------
! Verifications
!------------------------
debug cry isakmp
show cry isakmp sa [detail]
sh cry ipsec sa [detail]
sh cry isakmp profile
sh cry ipsec profile
show vrf detail
show ip eigrp ne
show ip eigrp topo all

Cheers! I’m so happy I stumbled across this article – it’s been a real eye opener and provided me with a load of new information. Many thanks for sharing your understanding!
This is a labbing scenario for deploying fVRF IKEv1 and RSA-SIG Authentication with sVTI. First, the steps for setting up R1 as the CA and acquiring a certificate on R2 have been shown. Then, an fVRF was created for the underlay, and basic LAN subnets and EIGRP 100 routing have been set up. An ISAKMP policy and profile are then created, and within an IPSEC transform and profile, a defined ISAKMP profile is added. After setting up the necessary tunnel interface, routing for cross-tunnel peering, and copying the same procedure to R2 with updated IPs, some verification commands have been suggested.
Wayne