This site previously showed, through a worked scenario, how to segment one router into eight virtual routers using Virtual Routing and Forwarding (VRF). I showed you how to configure VRF; in this article we continue with the same scenario and use IPsec configuration to replicate the exact topology and addressing across eight lab environments. For the whole environment to work, the virtual routers must first establish a VPN with the ASA and the Cisco router, which requires the VRFs to participate in IPsec. So I need a way to apply exactly the same ISAKMP policy, the same pre-shared key and the same crypto ACL on every VRF. The actual configuration may be simpler than we thought. Let me walk through an example to illustrate the whole process.
The first step is to establish an ISAKMP policy:
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
Because the same elements can be reused in all eight VRFs, we only need to define one ISAKMP policy. Next, define the crypto ACL and an IPsec transform set.
ip access-list extended VPN
 permit ip 10.0.100.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto ipsec transform-set Vpn-trans esp-aes esp-sha-hmac
The next step is to set up the pre-shared key. In this case I put the pre-shared key in a keyring, so I just bind each keyring to its VRF.
crypto keyring Pod1keys vrf POD1
 pre-shared-key address 192.168.1.2 key cisco123
crypto keyring Pod2keys vrf POD2
 pre-shared-key address 192.168.1.2 key cisco123
crypto keyring Pod3keys vrf POD3
 pre-shared-key address 192.168.1.2 key cisco123
crypto keyring Pod4keys vrf POD4
 pre-shared-key address 192.168.1.2 key cisco123
crypto keyring Pod5keys vrf POD5
 pre-shared-key address 192.168.1.2 key cisco123
crypto keyring Pod6keys vrf POD6
 pre-shared-key address 192.168.1.2 key cisco123
crypto keyring Pod7keys vrf POD7
 pre-shared-key address 192.168.1.2 key cisco123
crypto keyring Pod8keys vrf POD8
 pre-shared-key address 192.168.1.2 key cisco123
!
Next, set up the crypto maps.
!
crypto map Pod1 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set Vpn-trans
 set pfs group2
 match address VPN
!
crypto map Pod2 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set Vpn-trans
 set pfs group2
 match address VPN
!
crypto map Pod3 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set Vpn-trans
 set pfs group2
 match address VPN
!
crypto map Pod4 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set Vpn-trans
 set pfs group2
 match address VPN
!
crypto map Pod5 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set Vpn-trans
 set pfs group2
 match address VPN
!
crypto map Pod6 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set Vpn-trans
 set pfs group2
 match address VPN
!
crypto map Pod7 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set Vpn-trans
 set pfs group2
 set isakmp-profile Pod7
 match address VPN
!
crypto map Pod8 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set Vpn-trans
 set pfs group2
 match address VPN
!
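The eight keyrings and eight crypto maps above are copied by hand and differ only in the pod number, so a keyring bound to the wrong VRF or a map that drifts from its siblings is easy to miss. The following Python check is an added example, not part of the original article: it audits IOS-style text for both problems, assumes the PodNkeys/PODN naming convention used here, and runs on a constructed sample.

```python
import re

# Constructed sample in the page's style: keyring Pod8keys sits in the wrong
# VRF, and map Pod7 carries a line its sibling maps lack.
SAMPLE = """\
crypto keyring Pod7keys vrf POD7
 pre-shared-key address 192.168.1.2 key cisco123
crypto keyring Pod8keys vrf POD7
 pre-shared-key address 192.168.1.2 key cisco123
crypto map Pod6 10 ipsec-isakmp
 set peer 192.168.1.2
 set pfs group2
crypto map Pod7 10 ipsec-isakmp
 set peer 192.168.1.2
 set pfs group2
 set isakmp-profile Pod7
crypto map Pod8 10 ipsec-isakmp
 set peer 192.168.1.2
 set pfs group2
"""

def stanzas(config, header_re):
    """Return [(header match, [sub-command lines])] for matching stanzas."""
    found, body = [], None
    for line in config.splitlines():
        m = re.match(header_re, line, re.I)
        if m:
            body = []
            found.append((m, body))
        elif line.startswith(" ") and body is not None:
            body.append(" ".join(line.split()))
        else:
            body = None
    return found

def audit(config):
    """Return findings; an empty list means the per-VRF stanzas line up."""
    findings = []
    for m, _ in stanzas(config, r"crypto keyring (\S+) vrf (\S+)"):
        # Assumed convention: keyring PodNkeys belongs to VRF PODN.
        if re.sub(r"\D", "", m[1]) != re.sub(r"\D", "", m[2]):
            findings.append(f"keyring {m[1]} is bound to vrf {m[2]}")
    maps = {m[1]: set(body) for m, body in
            stanzas(config, r"crypto map (\S+)(?: \d+)? ipsec-isakmp")}
    # Treat the most common map body as the intended template.
    base = max(maps.values(), key=list(maps.values()).count, default=set())
    for name, body in maps.items():
        if body != base:
            findings.append(f"crypto map {name} differs: {sorted(body ^ base)}")
    return findings
```

Feed `audit()` the text of the crypto section of a saved configuration; sub-commands must keep their leading indentation, as they do in `show running-config` output.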