IPSec: L2L VPN with overlapping spoke networks
From Internetworkpro
                      /---[R1]-(192.0.1.0/24)
(192.168.10.0/24)-[R3]
                      \---[R2]-(192.0.1.0/24)
Both spokes use the same remote network, 192.0.1.0/24. On the hub R3 each copy is translated to its own unique subnet: 172.16.1.0/24 for R1 and 172.16.2.0/24 for R2.
To let the hub tell the overlapping networks apart, both the IPsec tunnels and the address translation are placed in VRFs, one per tunnel.
On the hub's inside interface, PBR places traffic into the correct VRF (no segregated (sub-)interfaces are assumed). The translated destination network (172.16.1.0/24 or 172.16.2.0/24) is the key for VRF selection (ACL plus route-map).
R3 (Hub)
version 12.4
!
hostname R3
!
ip cef
!
!-- vrf for the first spoke
ip vrf R1
 rd 111:1
 route-target export 111:1
 route-target import 111:1
!
!-- vrf for the second spoke
ip vrf R2
 rd 222:2
 route-target export 222:2
 route-target import 222:2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
!-- define a PSK for each spoke
!-- we are using the global/default keyring
crypto isakmp key R1 address 10.10.10.1
crypto isakmp key R2 address 10.10.10.2
!
!-- each spoke tunnel gets a different IKE profile
!-- because they land in different VRFs
crypto isakmp profile R1
   vrf R1
   keyring default
   match identity address 10.10.10.1 255.255.255.255
crypto isakmp profile R2
   vrf R2
   keyring default
   match identity address 10.10.10.2 255.255.255.255
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!-- each spoke tunnel gets its own sequence in the crypto map
crypto map mymap 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set myset
 set isakmp-profile R1
 match address R1
crypto map mymap 20 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set myset
 set isakmp-profile R2
 match address R2
!
interface Ethernet0/0
 !-- the inside interface
 !-- it is *not* segregated into different VRFs (.1q subinterfaces, for example)
 !-- it is rather shared by all VRFs
 !-- the VRFs technically only exist within this router
 ip vrf receive R1
 ip vrf receive R2
 ip address 192.168.10.241 255.255.255.0
 !-- we use NVI instead of the old inside/outside NAT because it is VRF-aware
 ip nat enable
 !-- the PBR puts the traffic into the correct VRF
 !-- based on the translated network address
 ip policy route-map WHICH_VRF
 half-duplex
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 multipoint
 ip address 10.10.10.3 255.255.255.0
 ip nat enable
 snmp trap link-status
 frame-relay interface-dlci 301
 frame-relay interface-dlci 302
 crypto map mymap
!
!-- your 0/0 to the outside
!-- a next hop can be specified also
ip route 0.0.0.0 0.0.0.0 Serial1/0.1
!
!-- in each vrf, routes for both the translated and the real network are required,
!-- pointing towards the global next hop (here each spoke's own peer address,
!-- which is reached through the crypto-map interface)
ip route vrf R1 172.16.1.0 255.255.255.0 10.10.10.1 global
ip route vrf R1 192.0.1.0 255.255.255.0 10.10.10.1 global
ip route vrf R2 172.16.2.0 255.255.255.0 10.10.10.2 global
ip route vrf R2 192.0.1.0 255.255.255.0 10.10.10.2 global
!
!-- VRF-aware NAT
!-- translate the overlapping network 192.0.1.0/24 into
!-- unique networks, per VRF
ip nat source static network 192.0.1.0 172.16.1.0 /24 vrf R1
ip nat source static network 192.0.1.0 172.16.2.0 /24 vrf R2
!
!-- ACLs used for the crypto maps
!-- note that the real/untranslated address must be specified
!-- because this is what each spoke will announce
ip access-list extended R1
 permit ip 192.168.10.0 0.0.0.255 192.0.1.0 0.0.0.255
ip access-list extended R2
 permit ip 192.168.10.0 0.0.0.255 192.0.1.0 0.0.0.255
!
!-- ACLs used for directing traffic to the right VRF
!-- the translated networks must be used as destinations here
ip access-list extended VRF_R1
 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended VRF_R2
 permit ip 192.168.10.0 0.0.0.255 172.16.2.0 0.0.0.255
!
!-- the route-map that ties inside traffic to the correct vrf
route-map WHICH_VRF permit 10
 match ip address VRF_R1
 set vrf R1
!
route-map WHICH_VRF permit 20
 match ip address VRF_R2
 set vrf R2
!
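As an added illustration (not part of the original article or the router configuration), the following Python model walks one inside packet through the hub's decision chain using the addresses from the R3 configuration: PBR selects the VRF from the translated destination, the NVI static network NAT maps it back to the real 192.0.1.0/24 host, and the VRF then selects the crypto map entry even though both crypto ACLs are identical. It also shows the failure case of an inside host addressing the untranslated 192.0.1.0/24 directly; the function names are constructed for this example.

```python
import ipaddress

# Constructed model of hub R3's inside -> spoke forwarding decision.
# All addresses are taken from the R3 configuration on this page.
INSIDE = ipaddress.ip_network("192.168.10.0/24")
REAL_SPOKE_NET = ipaddress.ip_network("192.0.1.0/24")   # identical behind both spokes

# Per VRF: the translated network (PBR key and NAT outside address) and the crypto peer.
VRFS = {
    "R1": {"translated": ipaddress.ip_network("172.16.1.0/24"), "peer": "10.10.10.1"},
    "R2": {"translated": ipaddress.ip_network("172.16.2.0/24"), "peer": "10.10.10.2"},
}

def select_vrf(src, dst):
    """route-map WHICH_VRF with ACLs VRF_R1/VRF_R2: the translated destination picks the VRF."""
    if src not in INSIDE:
        return None
    for name, vrf in VRFS.items():
        if dst in vrf["translated"]:
            return name
    return None  # no PBR match: the packet stays in the global table

def nvi_untranslate(vrf, dst):
    """ip nat source static network 192.0.1.0 172.16.N.0 /24 vrf <vrf>:
    172.16.N.h becomes 192.0.1.h, host bits unchanged."""
    host_bits = int(dst) & int(VRFS[vrf]["translated"].hostmask)
    return ipaddress.ip_address(int(REAL_SPOKE_NET.network_address) | host_bits)

def select_crypto_peer(vrf, src, real_dst):
    """ACLs R1 and R2 are identical (192.168.10.0/24 -> 192.0.1.0/24); only the
    'vrf' statement in the bound isakmp profile separates the two crypto map entries."""
    if src in INSIDE and real_dst in REAL_SPOKE_NET and vrf in VRFS:
        return VRFS[vrf]["peer"]
    return None

def hub_forward(src_str, dst_str):
    """Walk one inside packet: PBR -> VRF -> NVI NAT -> crypto map entry / peer."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    vrf = select_vrf(src, dst)
    if vrf is None:
        # An inside host addressing 192.0.1.x directly cannot be steered to either spoke.
        return {"vrf": None, "real_dst": None, "peer": None}
    real_dst = nvi_untranslate(vrf, dst)
    return {"vrf": vrf, "real_dst": str(real_dst), "peer": select_crypto_peer(vrf, src, real_dst)}

if __name__ == "__main__":
    for dst in ("172.16.1.20", "172.16.2.20", "192.0.1.20"):
        print(dst, "->", hub_forward("192.168.10.5", dst))
```

The third destination in the usage loop is the ambiguous case: without the translated address as the PBR key, the hub has no way to decide which spoke's 192.0.1.0/24 is meant.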
R1 (Spoke 1)
version 12.4
!
hostname R1
!
ip cef
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key R1 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.10.10.3
 set transform-set myset
 match address R3
!
interface Loopback0
 ip address 192.0.1.1 255.255.255.0
!
interface Serial0/0
 ip address 10.10.10.1 255.255.255.0
 encapsulation frame-relay
 frame-relay interface-dlci 102
 crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 10.10.10.3
!
ip access-list extended R3
 permit ip 192.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
!
R2 (Spoke 2)
version 12.4
!
hostname R2
!
ip cef
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key R2 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.10.10.3
 set transform-set myset
 match address R3
!
interface Loopback0
 ip address 192.0.1.1 255.255.255.0
!
interface Serial0/0
 ip address 10.10.10.2 255.255.255.0
 encapsulation frame-relay
 no fair-queue
 frame-relay interface-dlci 201
 crypto map mymap
!
!-- default route towards the hub (the only peer reachable over DLCI 201)
ip route 0.0.0.0 0.0.0.0 10.10.10.3
!
ip access-list extended R3
 permit ip 192.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
!

