Vinit Jain
Cisco Employee

Introduction

With the introduction of VRF-Aware IPSec, it is possible to deploy IPSec VPNs that provide secure Internet connectivity in an MPLS VPN environment. VRF-Aware IPSec introduces two VRF concepts:

  • FVRF - Front-Door VRF
  • IVRF - Inside VRF

Each IPSec tunnel is associated with two VRF domains. The FVRF is common to all the IPSec tunnels and can be considered the Internet VRF; it carries the encrypted traffic. The Inside VRF (IVRF) is the VRF that carries the unencrypted traffic. It is defined under the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry, and can be considered the customer VRF.


Topology

[Figure: IPSec-MPLS-VPN.png (topology diagram)]

Configuration

PE1 Configuration:
==================
ip vrf custa
rd 1:1
route-target export 100:100
route-target import 100:100
route-target import 3:3
!
interface Loopback0
ip address 31.31.31.31 255.255.255.255
ip ospf 100 area 0
!
interface Loopback1
ip vrf forwarding custa
ip address 192.168.103.120 255.255.255.0
!
interface Loopback10
ip vrf forwarding custa
ip address 201.201.201.201 255.255.255.255
!
interface GigabitEthernet0/1
ip address 10.10.10.2 255.255.255.252
ip ospf 100 area 0
mpls ip
!
router ospf 100
!
router bgp 12345
bgp log-neighbor-changes
redistribute connected
neighbor 30.30.30.30 remote-as 12345
neighbor 30.30.30.30 update-source Loopback0
neighbor 30.30.30.30 soft-reconfiguration inbound
!
address-family vpnv4
neighbor 30.30.30.30 activate
neighbor 30.30.30.30 send-community extended
exit-address-family
!
address-family ipv4 vrf custa
network 192.168.103.112 mask 255.255.255.240
redistribute connected
exit-address-family
!
PE2 Configuration:
==================
ip vrf custa
rd 1:1
route-target export 100:100
route-target import 100:100
route-target import 3:3
!
ip vrf internet
rd 3:3
route-target export 3:3
route-target import 3:3
route-target import 100:100
!
crypto keyring internet-keyring vrf internet
pre-shared-key address 1.1.1.2 key cisco
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile custa
vrf custa
keyring internet-keyring
match identity address 1.1.1.2 255.255.255.255
match identity address 1.1.1.2 255.255.255.255 internet
isakmp authorization list default
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
mode tunnel
!
crypto map mymap 1 ipsec-isakmp
set peer 1.1.1.2
set transform-set esp-3des-sha
set isakmp-profile custa
match address into_VPN
reverse-route
!
interface Loopback0
ip address 30.30.30.30 255.255.255.255
ip ospf 100 area 0
!
interface Loopback1
ip vrf forwarding custa
ip address 192.168.103.110 255.255.255.0
!
interface Loopback10
ip vrf forwarding custa
ip address 200.200.200.200 255.255.255.255
!
interface Loopback100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
ip address 10.10.10.1 255.255.255.252
ip ospf 100 area 0
mpls ip
!
interface GigabitEthernet0/2
ip vrf forwarding internet
ip address 1.1.1.1 255.255.255.252
crypto map mymap
!
router ospf 100
!
router bgp 12345
bgp log-neighbor-changes
neighbor 31.31.31.31 remote-as 12345
neighbor 31.31.31.31 ebgp-multihop 2
neighbor 31.31.31.31 update-source Loopback0
neighbor 31.31.31.31 soft-reconfiguration inbound
!
address-family vpnv4
neighbor 31.31.31.31 activate
neighbor 31.31.31.31 send-community extended
exit-address-family
!
address-family ipv4 vrf custa
network 192.168.103.96 mask 255.255.255.240
redistribute connected
redistribute static
exit-address-family
!
address-family ipv4 vrf internet
network 0.0.0.0
exit-address-family
!
ip route vrf custa 192.168.103.96 255.255.255.240 Null0
ip route vrf internet 0.0.0.0 0.0.0.0 1.1.1.2
!
ip access-list extended into_VPN
permit ip host 200.200.200.200 host 100.100.100.100
permit ip host 201.201.201.201 host 100.100.100.100
!

CE1 Configuration:
==================
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
mode tunnel
!
crypto map mymap 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set esp-3des-sha
match address 199
!
interface Loopback1
ip address 87.88.89.90 255.255.255.255
!
interface Loopback10
ip address 100.100.100.100 255.255.255.255
!
interface GigabitEthernet0/1
ip address 1.1.1.2 255.255.255.252
crypto map mymap
!
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
access-list 199 permit ip host 100.100.100.100 host 200.200.200.200
access-list 199 permit ip host 100.100.100.100 host 201.201.201.201

Problem

Reachability works when the 100.100.100.100/32 prefix is pinged from vrf custa on PE2. When the same prefix is pinged from PE1's vrf custa Loopback10, the packets do not go through.

Output from PE2:
================
PE2#ping vrf custa 100.100.100.100 source lo10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
Packet sent with a source address of 200.200.200.200
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 6/65/241 ms

Output from PE1:
================
PE1#ping vrf custa 100.100.100.100 source lo10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
Packet sent with a source address of 201.201.201.201
.....
Success rate is 0 percent (0/5)

Note: A packet capture between PE2 and CE1 for the packet from PE1 Loopback10 (201.201.201.201/32) destined to the CE1 loopback (100.100.100.100/32) showed that the packet is not being encrypted.


Error Noticed on CE1:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /100.100.100.100, src_addr= 201.201.201.201, prot= 1


Solution

The recommended design is to place the Internet link in the global routing table rather than in a VRF. That way, route leaking can be performed from a VRF to the global table with the relevant next hop. Route leaking between VRFs is not possible with a static route, because there is no static route CLI that supports leaking between VRFs. For that reason the reverse-route command is used: reverse-route injection creates an in-memory static route for the protected remote prefix in the inside VRF, and that route performs the leaking.

With this configuration alone, however, reachability is still not established.

Looking at the prefixes advertised by PE2 gives a better understanding of what is happening.

PE2#sh ip bgp vpnv4 all nei 31.31.31.31 advertised-routes 
BGP table version is 38, local router ID is 30.30.30.30
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf custa)
*> 192.168.103.0 0.0.0.0 0 32768 ?
*> 192.168.103.96/28
0.0.0.0 0 32768 i
*> 200.200.200.200/32
0.0.0.0 0 32768 ?
Route Distinguisher: 3:3 (default for vrf internet)
*> 0.0.0.0 1.1.1.2 0 32768 i

Total number of prefixes 4
PE2#

Only the default route (from vrf internet) is advertised; no route for 100.100.100.100/32 appears under vrf custa.

The solution is to configure the redistribute static command under the vrf custa address-family, so that the static route created by reverse-route is advertised to PE1.

PE2(config)#router bgp 12345
PE2(config-router)#add ipv4 vrf custa
PE2(config-router-af)#redistribute static
PE2(config-router-af)#end

PE2#
*Nov 25 20:06:52.930: %SYS-5-CONFIG_I: Configured from console by console
PE2#sh ip bgp vpnv4 all nei 31.31.31.31 advertised-routes
BGP table version is 38, local router ID is 30.30.30.30
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf custa)
*> 192.168.103.0 0.0.0.0 0 32768 ?
*> 192.168.103.96/28
0.0.0.0 0 32768 i
*> 200.200.200.200/32
0.0.0.0 0 32768 ?
Route Distinguisher: 3:3 (default for vrf internet)
*> 0.0.0.0 1.1.1.2 0 32768 i

Total number of prefixes 4
PE2#

PE2#ping vrf custa 100.100.100.100 so lo10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
Packet sent with a source address of 200.200.200.200
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 7/8/10 ms

PE2#sh ip bgp vpnv4 all nei 31.31.31.31 advertised-routes
BGP table version is 20, local router ID is 30.30.30.30
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf custa)
*> 100.100.100.100/32
1.1.1.2 0 32768 ?
*> 192.168.103.0 0.0.0.0 0 32768 ?
*> 192.168.103.96/28
0.0.0.0 0 32768 i
*> 200.200.200.200/32
0.0.0.0 0 32768 ?
Route Distinguisher: 3:3 (default for vrf internet)
*> 0.0.0.0 1.1.1.2 0 32768 i

Total number of prefixes 5
PE2# 

After the above steps, the reverse-route static route for 100.100.100.100/32 (which in the outputs above appears under vrf custa only after the ping from PE2 brings up the IPSec SA) is redistributed into BGP and advertised to PE1. Reachability is established between PE1 and CE1 and the traffic is encrypted.
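A check a practitioner can script against the outputs above (an added example, not part of the original article): parse the advertised-routes table, including the lines IOS wraps when a network is long, and confirm that the reverse-route-injected /32 for CE1 is advertised to PE1 under RD 1:1 via 1.1.1.2. The sample text is a constructed abridgement of the PE2 outputs shown above.

```python
import re
# Constructed sample, abridged from PE2's "show ip bgp vpnv4 all neighbor 31.31.31.31
# advertised-routes" output in the article, before the /32 for CE1's loopback appeared.
BEFORE = """\
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf custa)
*> 192.168.103.0 0.0.0.0 0 32768 ?
*> 192.168.103.96/28
0.0.0.0 0 32768 i
*> 200.200.200.200/32
0.0.0.0 0 32768 ?
Route Distinguisher: 3:3 (default for vrf internet)
*> 0.0.0.0 1.1.1.2 0 32768 i
Total number of prefixes 4
"""
# Same table after the IPSec SA came up and reverse-route injected 100.100.100.100/32.
AFTER = BEFORE.replace("(default for vrf custa)\n", "(default for vrf custa)\n"
                       "*> 100.100.100.100/32\n1.1.1.2 0 32768 ?\n").replace("prefixes 4", "prefixes 5")
RD_RE = re.compile(r"^Route Distinguisher: (\S+)")
# status codes such as "*>" or "*>i", then the network, then (if not wrapped) the next hop
ROUTE_RE = re.compile(r"^[*>sdhri ]+?\s*(\d+\.\d+\.\d+\.\d+(?:/\d+)?)(?:\s+(\S+))?")

def parse_advertised_routes(output):
    """Return {rd: {network: next_hop}}. IOS prints a long network alone and puts the
    next hop, metric, weight and path on the following line, so that case is carried over."""
    routes, rd, pending = {}, None, None
    for line in output.splitlines():
        line = line.strip()
        m = RD_RE.match(line)
        if m:
            rd = m.group(1)
            routes.setdefault(rd, {})
            continue
        if pending is not None:          # continuation line: next hop is the first field
            routes[rd][pending] = line.split()[0]
            pending = None
            continue
        m = ROUTE_RE.match(line)
        if m and rd is not None:
            network, next_hop = m.groups()
            if next_hop is None:
                pending = network        # wrapped entry, next hop comes on the next line
            else:
                routes[rd][network] = next_hop
    return routes

def prefix_advertised(output, rd, network, next_hop=None):
    # True if network is advertised under rd (and via next_hop, when one is given)
    hop = parse_advertised_routes(output).get(rd, {}).get(network)
    return hop is not None and (next_hop is None or hop == next_hop)
```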
