IOS-XE IKEv2 VRF aware Policy Based VPN
This post describes the steps to configure a VRF-aware Policy Based (crypto map) VPN on Cisco IOS-XE routers. A Front-door VRF called FVRF is used for the interface connected to the internet; this VRF holds only a default route, and all encrypted traffic leaves through this interface. An Inside VRF called INSIDE holds the internal network routes and carries the clear-text traffic (before encryption). The crypto map VPN is established to an ASA, whose configuration is not covered in this post.
Router Configuration
VRF
Two VRFs will be defined, the Front-door VRF and Inside VRF, with basic configuration.
vrf definition FVRF
 description ## Outside VRF, with default route only ##
 !
 address-family ipv4
 exit-address-family
!
vrf definition INSIDE
 description ## Inside VRF, with internal routes ##
 !
 address-family ipv4
 exit-address-family
Interfaces
The router interfaces should be configured with the correct VRF and IP addressing. To simulate multiple internal networks, a couple of loopbacks are used in addition to a physical interface.
interface GigabitEthernet1
 description ## Outside interface ##
 vrf forwarding FVRF
 ip address 2.2.2.1 255.255.255.0
!
interface Loopback0
 description ## Inside interface ##
 vrf forwarding INSIDE
 ip address 10.10.0.1 255.255.255.0
!
interface Loopback1
 description ## Inside interface ##
 vrf forwarding INSIDE
 ip address 10.10.1.1 255.255.255.0
!
interface Loopback2
 description ## Inside interface ##
 vrf forwarding INSIDE
 ip address 10.10.2.1 255.255.255.0
!
interface GigabitEthernet3
 description ## Inside interface ##
 vrf forwarding INSIDE
 ip address 10.10.3.1 255.255.255.0
Routing
A default route is configured only in the fVRF, pointing at the upstream next hop (2.2.2.254). The Inside VRF deliberately has no default route.
ip route vrf FVRF 0.0.0.0 0.0.0.0 2.2.2.254
IKEv2 Proposal and Policy
Create an IKEv2 proposal, defining secure encryption, integrity, PRF and DH algorithms (group 21 is the 521-bit ECP group).
crypto ikev2 proposal PROP-1
 encryption aes-cbc-256 aes-cbc-128
 prf sha256
 integrity sha256
 group 21
Create an IKEv2 policy that references the proposal created above. Ensure you define the correct fVRF; the default is the global routing table.
crypto ikev2 policy IKEV2_POLICY
 match fvrf FVRF
 proposal PROP-1
IKEv2 Keyring and Profile
Define a basic IKEv2 keyring. The wildcard peer address (0.0.0.0 0.0.0.0) and the short key are used here for brevity only; in production, scope the peer entry to the ASA's address and use a long, randomly generated pre-shared key, or use certificate authentication instead.
crypto ikev2 keyring KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key local Cisco1234
  pre-shared-key remote Cisco1234
Create an IKEv2 profile. The important VRF-related settings are: the fVRF, defined with match fvrf <VRF NAME> (if no VRF name or "any" is given, the default is the global routing table), and the Inside VRF, defined with ivrf <VRF NAME> (the default is "none", meaning the Inside VRF is the same as the fVRF). All other IKEv2 profile settings are basic configuration.
crypto ikev2 profile IKEV2_PROFILE
 match fvrf FVRF
 match identity remote any
 identity local address 2.2.2.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 ivrf INSIDE
Access Control List
As is standard with a Policy Based VPN (crypto map), an ACL must be configured to identify the interesting traffic to be encrypted over the VPN tunnel.
ip access-list extended 101
 10 remark ## VPN to DC ASA ##
 10 permit ip 10.10.3.0 0.0.0.255 192.168.8.0 0.0.3.255
IPSec Transform Set
The IPsec transform set must be configured, defining the encapsulation mode, encryption and integrity algorithms.
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
Crypto Map
Create a crypto map, referencing the IKEv2 profile, transform set and ACL configured above. The remote peer is defined with the set peer command. Reverse Route Injection (RRI) is essential when the Front-door VRF and Inside VRF differ: without it the Inside VRF has no route towards the remote networks via the outside interface, so it never forwards traffic into the crypto map and never even attempts to establish the tunnel. The address in reverse-route remote-peer 2.2.2.254 static is the next hop the injected route will use, i.e. the upstream gateway on the outside subnet (the same next hop as the fVRF default route above). It is not the local router's own outside interface address (2.2.2.1).
crypto map CMAP 1 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set TSET
 set ikev2-profile IKEV2_PROFILE
 match address 101
 reverse-route remote-peer 2.2.2.254 static
Ensure the crypto map is applied to the external/outside interface.
interface GigabitEthernet1
 crypto map CMAP
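The VRF pitfalls called out above (a profile that silently matches the global table, an ivrf that defaults to the fVRF, a missing reverse-route, or an RRI next hop pointing at the wrong address) are easy to check mechanically before the first ping. The script below is an added example, not Cisco tooling or the author's own: it parses a trimmed copy of this page's configuration (embedded and labelled as a constructed sample) with a deliberately minimal block parser and reports any mismatch between the VRF of the interface carrying the crypto map, the IKEv2 profile's match fvrf and ivrf, the VRF in which the ACL source networks are connected, and the RRI next hop. Function names, the finding text and the "global" placeholder for the unnamed VRF are this example's own conventions.

```python
import ipaddress
import re

# Constructed sample: this page's configuration, trimmed to the lines the
# checks below read, with the one-space indentation IOS uses in a running config.
CONFIG = """\
interface GigabitEthernet1
 vrf forwarding FVRF
 ip address 2.2.2.1 255.255.255.0
 crypto map CMAP
interface GigabitEthernet3
 vrf forwarding INSIDE
 ip address 10.10.3.1 255.255.255.0
crypto ikev2 profile IKEV2_PROFILE
 match fvrf FVRF
 keyring local KEYRING
 ivrf INSIDE
ip access-list extended 101
 10 permit ip 10.10.3.0 0.0.0.255 192.168.8.0 0.0.3.255
crypto map CMAP 1 ipsec-isakmp
 set peer 1.1.1.3
 set ikev2-profile IKEV2_PROFILE
 match address 101
 reverse-route remote-peer 2.2.2.254 static
"""


def parse_blocks(text):
    """Group an IOS config into {top-level line: [indented sub-lines]}.
    Column-0 lines open a block; indented lines join the current block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def first(lines, prefix):
    """First sub-line starting with prefix, or None."""
    return next((l for l in lines if l.startswith(prefix)), None)


def interfaces(blocks):
    """{name: (vrf or 'global', IPv4Interface or None, sub-lines)}"""
    out = {}
    for head, lines in blocks.items():
        if head.startswith("interface "):
            vrf = first(lines, "vrf forwarding ")
            ip = first(lines, "ip address ")
            net = ipaddress.ip_interface("{}/{}".format(*ip.split()[2:4])) if ip else None
            out[head.split()[1]] = (vrf.split()[2] if vrf else "global", net, lines)
    return out


def acl_sources(blocks, acl):
    """Source prefixes of 'permit ip A WILDCARD B WILDCARD' entries in an extended ACL
    (host/any keywords are not handled in this example)."""
    pat = re.compile(r"(?:\d+\s+)?permit ip (\S+) (\S+) \S+ \S+")
    return [ipaddress.ip_network("{}/{}".format(*m.groups()))
            for l in blocks.get(f"ip access-list extended {acl}", [])
            if (m := pat.match(l))]


def lint(text):
    """Return findings (strings); an empty list means the VRF plumbing is coherent."""
    blocks, findings = parse_blocks(text), []
    ifaces = interfaces(blocks)
    for head, lines in blocks.items():
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp", head)
        if not m:
            continue
        cmap = m.group(1)
        # 1. the interface carrying the map determines the real fVRF
        carrier = [(n, v, net) for n, (v, net, ls) in ifaces.items() if f"crypto map {cmap}" in ls]
        if not carrier:
            findings.append(f"{cmap}: not applied to any interface")
            continue
        ifname, fvrf, outside = carrier[0]
        # 2. the profile must 'match fvrf' that VRF; without the command it matches global only
        ref = first(lines, "set ikev2-profile ")
        prof = blocks.get(f"crypto ikev2 profile {ref.split()[2]}", []) if ref else []
        mf = first(prof, "match fvrf ")
        prof_fvrf = mf.split()[2] if mf else "global"
        if prof_fvrf not in (fvrf, "any"):
            findings.append(f"{cmap}: profile matches fvrf '{prof_fvrf}' but {ifname} is in '{fvrf}'")
        # 3. 'ivrf' defaults to the fVRF; the ACL source networks must be connected in that VRF
        iv = first(prof, "ivrf ")
        ivrf = iv.split()[1] if iv else prof_fvrf
        acl = first(lines, "match address ")
        for src in (acl_sources(blocks, acl.split()[2]) if acl else []):
            owners = {v for v, net, _ in ifaces.values() if net and src.subnet_of(net.network)}
            if ivrf not in owners:
                where = ",".join(sorted(owners)) or "no connected interface"
                findings.append(f"{cmap}: ACL source {src} is in {where} but profile ivrf is '{ivrf}'")
        # 4. RRI must exist and point at the upstream gateway on the outside subnet
        rri = first(lines, "reverse-route")
        hop = re.search(r"remote-peer (\S+)", rri) if rri else None
        if rri is None:
            findings.append(f"{cmap}: no reverse-route; VRF {ivrf} will never send traffic towards {ifname}")
        elif hop and outside:
            nh = ipaddress.ip_address(hop.group(1))
            if nh == outside.ip:
                findings.append(f"{cmap}: RRI next hop {nh} is {ifname}'s own address, not the upstream gateway")
            elif nh not in outside.network:
                findings.append(f"{cmap}: RRI next hop {nh} is not on {ifname}'s subnet {outside.network}")
    return findings
```

Running lint(CONFIG) on the page's configuration returns no findings; deleting the ivrf INSIDE line, the reverse-route line, or the match fvrf line, or pointing remote-peer at 2.2.2.1, each produces a finding naming the pitfall. The parser is intentionally simple (it does not follow nested sub-modes or object groups), so treat it as a pre-flight check on this style of configuration rather than a general IOS config validator.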
Verification and Testing
To confirm the internal networks are in the Inside VRF (iVRF), run the command show ip route vrf INSIDE. With RRI configured under the crypto map, a static route for the destination network defined in the ACL (192.168.8.0/22 here) is inserted into the Inside VRF routing table, using the next hop given in the reverse-route command.
Without RRI configured under the crypto map, the Inside VRF routing table only knows about its local networks and will therefore never route outbound traffic via the external interface, which sits in the fVRF. If the traffic is never routed via the external interface, the VPN will never be established. VRF route leaking (for example, a static route in the Inside VRF pointing out of the fVRF interface) could be used instead of RRI.
To confirm the default route is in the Front-door (fVRF), run the command show ip route vrf FVRF. Notice the internal networks are not in this routing table.
When using a Policy Based VPN the tunnel stays down until interesting traffic is generated. For testing, run a ping from a source IP address that matches the crypto map ACL. From the screenshot below, notice the first ping failed: that packet triggered the IKEv2 negotiation and was dropped while the tunnel was being built. Subsequent pings succeeded, so we know the VPN was established.
Run the command show crypto ikev2 sa to confirm the IKE SA status. From the screenshot below, we can confirm the status is READY and importantly that the fVRF and iVRF are correct.
Run the command show crypto ipsec sa to confirm the IPSec SAs have established correctly and the encaps|decaps counters are increasing.
The command show crypto session is useful as it summarises the important information from the previous two commands, such as peer ID, fVRF, iVRF, IPsec SA counters and protected networks.
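The same verification can be scripted, which is what you want when this tunnel is one of many being monitored. The block below is an added example, not part of the original post: it parses the summary rows of show crypto ikev2 sa and checks that the SA to the ASA is READY, sits in the expected fVRF/iVRF pair, and negotiated at least the DH group and key size you intended. The sample output is constructed to match the command's layout (it is not captured from a device, and column spacing varies between releases); the function names and the default thresholds are this example's own.

```python
import re

# Constructed sample modelled on the layout of 'show crypto ikev2 sa' on IOS-XE.
# It is not output captured from a device, and column spacing varies by release.
SAMPLE = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         2.2.2.1/500           1.1.1.3/500           FVRF/INSIDE          READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/68 sec

 IPv6 Crypto IKEv2  SA
"""

# One SA summary row: id, local addr/port, remote addr/port, fvrf/ivrf, status.
ROW = re.compile(r"^(?P<id>\d+)\s+(?P<local>[\d.]+)/\d+\s+(?P<remote>[\d.]+)/\d+\s+"
                 r"(?P<fvrf>[^/\s]+)/(?P<ivrf>\S+)\s+(?P<status>\S+)")
# The indented detail line that follows a row.
ENCR = re.compile(r"Encr: (?P<encr>[\w-]+), keysize: (?P<keysize>\d+), PRF: (?P<prf>\w+), "
                  r"Hash: (?P<hash>\w+), DH Grp:(?P<dh>\d+)")


def parse_ikev2_sa(text):
    """Return one dict per IKEv2 SA, merging the summary row with its Encr line."""
    sas, current = [], None
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            current = row.groupdict()
            sas.append(current)
            continue
        detail = ENCR.search(line)
        if detail and current is not None:
            current.update(detail.groupdict())
    return sas


def check_sa(sas, peer, fvrf, ivrf, min_dh=19, min_keysize=256):
    """Problems with the SA to `peer`; an empty list means it is READY, in the
    expected fVRF/iVRF pair, and negotiated at least the given DH group and key size."""
    matches = [s for s in sas if s["remote"] == peer]
    if not matches:
        return [f"no IKEv2 SA to {peer}"]
    sa, problems = matches[0], []
    if sa["status"] != "READY":
        problems.append(f"SA to {peer} is {sa['status']}, not READY")
    if (sa["fvrf"], sa["ivrf"]) != (fvrf, ivrf):
        problems.append(f"SA to {peer} is in {sa['fvrf']}/{sa['ivrf']}, expected {fvrf}/{ivrf}")
    if int(sa.get("dh", 0)) < min_dh:
        problems.append(f"SA to {peer} uses DH group {sa.get('dh')}, below {min_dh}")
    if int(sa.get("keysize", 0)) < min_keysize:
        problems.append(f"SA to {peer} uses a {sa.get('keysize')}-bit key, below {min_keysize}")
    return problems
```

Feed it the real command output (for example, collected over SSH) and alert on a non-empty list; checking the fVRF/iVRF pair catches the case where the tunnel comes up in the global table because match fvrf or ivrf was left at its default.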
Further considerations
Cisco considers crypto maps (Policy Based VPN) legacy and recommends tunnel interfaces (Route Based VPN) instead. Examples of Route Based VPNs on Cisco IOS-XE routers include FlexVPN and DMVPN; both are VRF-aware in the same way, using tunnel vrf for the fVRF and vrf forwarding on the tunnel interface for the iVRF. Refer to the links below for more information on FlexVPN and DMVPN.