Date created: Wednesday, March 21, 2018 8:40:29 AM. Last modified: Friday, August 16, 2019 3:34:05 PM
Multi-VRF over ADSL using GRE and IPSEC
The config below shows how to build multiple GRE tunnels between a CPE and LNS router. Each GRE tunnel is used to extend a unique VRF from the LNS down to the CPE. The PPP session between the CPE and LNS is the underlay connectivity and the GRE tunnels provide the overlay connectivity to extend multiple layer 3 VPNs to an ADSL end site, when no layer 2 logical separation mechanism (e.g. VLANs over Ethernet) is available.
On the RADIUS profile for the ADSL user a static route is configured, which is the /29 IP range used for the Loopback IPs on the CPE. All GRE tunnels terminate on the same Loopback interface on the LNS, which means that on the CPE end a unique source IP must be used for each GRE tunnel. This creates a unique source/destination IP pair for each GRE tunnel at the LNS end, even though the LNS uses the same Loopback interface IP for all tunnels. By using a /29, each ADSL CPE can have up to 8 VRFs by default.
Note that IPSEC is configured on the LNS and CPE so that some GRE tunnels can be GREoIPSEC if required.
! CPE:
vrf definition A
address-family ipv4
exit-address-family
exit
vrf definition B
address-family ipv4
exit-address-family
exit
! Crypto config for GREoIPSEC tunnels
crypto isakmp policy 10
authentication pre-share
exit
! LNS Loopback
crypto isakmp key PassphrasE address 1.1.1.1 no-xauth
crypto ipsec transform-set ADSL-TRANS esp-3des esp-md5-hmac
exit
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile ADSL-IPSEC
set transform-set ADSL-TRANS
exit
interface Loopback0
description Tunnel0 Source IP
ip address 10.0.1.0 255.255.255.255
no shutdown
exit
interface Loopback1
description Tunnel1 Source IP
ip address 10.0.1.1 255.255.255.255
no shutdown
exit
interface Tunnel0
description GRE Tunnel for VRF A
vrf forwarding A
ip address 10.255.255.251 255.255.255.254
ip mtu 1438
ip tcp adjust-mss 1350
tunnel source Loopback0
tunnel destination 1.1.1.1 ! LNS Loopback IP
exit
interface Tunnel1
description GREoIPSEC tunnel for VRF B
vrf forwarding B
ip address 10.255.255.253 255.255.255.254
ip mtu 1438
ip tcp adjust-mss 1350
tunnel source Loopback1
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile ADSL-IPSEC
exit
! LNS:
! On the LNS the VRF called "WBMC" is the underlay VRF that PPP sessions terminate on, and the VRF that Loopback10 is inside.
! Config for GREoIPSEC tunnels
vrf definition A
address-family ipv4
exit-address-family
exit
vrf definition B
address-family ipv4
exit-address-family
exit
vrf definition WBMC
address-family ipv4
exit-address-family
exit
crypto keyring ADSL-KEY vrf WBMC
! Accept from the entire CPE loopback range of all CPEs
pre-shared-key address 10.0.0.0 255.255.0.0 key PassphrasE
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile ADSL-ISAKMP
vrf WBMC ! Underlay VRF on the LNS side; on the CPE side it's the GRT
keyring ADSL-KEY
match identity address 10.0.0.0 255.0.0.0 WBMC
local-address Loopback10
crypto ipsec transform-set ADSL-TRANS esp-3des esp-md5-hmac
mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile ADSL-IPSEC
set transform-set ADSL-TRANS
interface Loopback10
description Loopback for WBMC VRF
vrf forwarding WBMC
ip address 1.1.1.1 255.255.255.255
interface Tunnel1000000
description GRE Tunnel for SITE1-VRFA
vrf forwarding A
ip address 10.255.255.250 255.255.255.254
ip mtu 1438
ip tcp adjust-mss 1350
tunnel source Loopback10
tunnel destination 10.0.1.0
tunnel vrf WBMC
exit
interface Tunnel1000001
description GREoIPSEC Tunnel for SITE1-VRFB
vrf forwarding B
ip address 10.255.255.252 255.255.255.254
ip mtu 1438
ip tcp adjust-mss 1350
tunnel source Loopback10
tunnel mode ipsec ipv4
tunnel destination 10.0.1.1
tunnel vrf WBMC
tunnel protection ipsec profile ADSL-IPSEC shared
exit
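The config above leaves ISAKMP policy 10 at the platform defaults for encryption, hash and DH group, uses 3DES with MD5 in the transform set, and shares one pre-shared key across the whole CPE loopback range. The stanzas below are an added example, not part of the original config, showing the same crypto pieces with every parameter pinned and a key scoped to one site. Assumptions: the IOS release supports AES-256, SHA-256 and DH group 14; the transform-set name ADSL-TRANS-AES and the key placeholder are hypothetical; SITE1's /29 is taken to be 10.0.1.0/29 from the two loopbacks shown.

```ios
! Added example, not from the original page.
! --- CPE and LNS: IKE phase 1 ---
! Before (page): policy 10 sets only "authentication pre-share"
! After: encryption, hash and DH group set explicitly, identical on both ends
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
 authentication pre-share
exit
!
! --- CPE and LNS: IPsec phase 2 ---
! Before (page): crypto ipsec transform-set ADSL-TRANS esp-3des esp-md5-hmac
! After: AES-256 with HMAC-SHA-256 (ADSL-TRANS-AES is a hypothetical name)
crypto ipsec transform-set ADSL-TRANS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
exit
crypto ipsec profile ADSL-IPSEC
 set transform-set ADSL-TRANS-AES
 set pfs group14
exit
!
! --- LNS only: pre-shared key scope ---
! Before (page): one key accepted from every CPE loopback
!   pre-shared-key address 10.0.0.0 255.255.0.0 key PassphrasE
! After: one key per CPE /29 (10.0.1.0/29 assumed for SITE1),
!        so a key recovered from one CPE is not valid for any other site
crypto keyring ADSL-KEY vrf WBMC
 no pre-shared-key address 10.0.0.0 255.255.0.0
 pre-shared-key address 10.0.1.0 255.255.255.248 key <SITE1-UNIQUE-KEY>
exit
!
! --- CPE only: matching key towards the LNS Loopback ---
no crypto isakmp key PassphrasE address 1.1.1.1 no-xauth
crypto isakmp key <SITE1-UNIQUE-KEY> address 1.1.1.1 no-xauth
```

Changing the policy, transform set or key on one end only will drop the Tunnel1 / Tunnel1000001 security association until the other end matches; `show crypto isakmp sa` and `show crypto ipsec sa` on either router confirm what was negotiated.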