Date created: Wednesday, March 21, 2018 8:40:29 AM. Last modified: Friday, August 16, 2019 3:34:05 PM

Multi-VRF over ADSL using GRE and IPSEC

The config below shows how to build multiple GRE tunnels between a CPE and an LNS router. Each GRE tunnel is used to extend a unique VRF from the LNS down to the CPE. The PPP session between the CPE and LNS is the underlay connectivity, and the GRE tunnels provide the overlay connectivity to extend multiple layer 3 VPNs to an ADSL end site when no layer 2 logical separation mechanism (e.g. VLANs over Ethernet) is available.

On the RADIUS profile for the ADSL user a static route is configured, which is the /29 IP range used for the Loopback IPs on the CPE. All GRE tunnels terminate on the same Loopback interface on the LNS, which means that on the CPE end a unique source IP must be used for each GRE tunnel. This creates a unique source/destination IP pair for each GRE tunnel at the LNS end, even though the LNS uses the same Loopback interface IP for all tunnels. Using a /29 allows each ADSL CPE to have up to 8 VRFs by default.

Note that IPSEC is configured on the LNS and CPE so that some GRE tunnels can be GREoIPSEC if required.


! CPE:

vrf definition A
address-family ipv4
exit-address-family
exit

vrf definition B
address-family ipv4
exit-address-family
exit

! Crypto config for GREoIPSEC tunnels

crypto isakmp policy 10
 authentication pre-share
 exit

! LNS Loopback
crypto isakmp key PassphrasE address 1.1.1.1 no-xauth

crypto ipsec transform-set ADSL-TRANS esp-3des esp-md5-hmac
 exit

no crypto ipsec nat-transparency udp-encapsulation

crypto ipsec profile ADSL-IPSEC
 set transform-set ADSL-TRANS
 exit

interface Loopback0
 description Tunnel0 Source IP
 ip address 10.0.1.0 255.255.255.255
 no shutdown
 exit

interface Loopback1
 description Tunnel1 Source IP
 ip address 10.0.1.1 255.255.255.255
 no shutdown
 exit

interface Tunnel0
 description GRE Tunnel for VRF A
 vrf forwarding A
 ip address 10.255.255.251 255.255.255.254
 ip mtu 1438
 ip tcp adjust-mss 1350
 tunnel source Loopback0
 ! LNS Loopback IP
 tunnel destination 1.1.1.1
 exit

interface Tunnel1
 description GREoIPSEC tunnel for VRF B
 vrf forwarding B
 ip address 10.255.255.253 255.255.255.254
 ip mtu 1438
 ip tcp adjust-mss 1350
 tunnel source Loopback1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile ADSL-IPSEC
 exit


! LNS:

! On the LNS the VRF called "WBMC" is the underlay VRF that PPP sessions terminate on, and it is the VRF that Loopback10 is inside.
! Config for GREoIPSEC tunnels

vrf definition A
address-family ipv4
exit-address-family
exit

vrf definition B
address-family ipv4
exit-address-family
exit

vrf definition WBMC
address-family ipv4
exit-address-family
exit

crypto keyring ADSL-KEY vrf WBMC
! Accept from the entire CPE loopback range of all CPEs
  pre-shared-key address 10.0.0.0 255.255.0.0 key PassphrasE

crypto isakmp policy 10
 authentication pre-share

crypto isakmp profile ADSL-ISAKMP
   ! Underlay VRF on the LNS side; on the CPE side it is the GRT
   vrf WBMC
   keyring ADSL-KEY
   match identity address 10.0.0.0 255.0.0.0 WBMC
   local-address Loopback10

crypto ipsec transform-set ADSL-TRANS esp-3des esp-md5-hmac
 mode tunnel

no crypto ipsec nat-transparency udp-encapsulation

crypto ipsec profile ADSL-IPSEC
 set transform-set ADSL-TRANS

interface Loopback10
description Loopback for WBMC VRF
vrf forwarding WBMC
ip address 1.1.1.1 255.255.255.255

interface Tunnel1000000
description GRE Tunnel for SITE1-VRFA
vrf forwarding A
ip address 10.255.255.250 255.255.255.254
ip mtu 1438
ip tcp adjust-mss 1350
tunnel source Loopback10
tunnel destination 10.0.1.0
tunnel vrf WBMC
exit

interface Tunnel1000001
description GREoIPSEC Tunnel for SITE1-VRFB
vrf forwarding B
ip address 10.255.255.252 255.255.255.254
ip mtu 1438
ip tcp adjust-mss 1350
tunnel source Loopback10
tunnel mode ipsec ipv4
tunnel destination 10.0.1.1
tunnel vrf WBMC
tunnel protection ipsec profile ADSL-IPSEC shared
exit
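
The requirement described above, that every tunnel on the LNS has a unique source/destination pair and that each destination sits inside the CPE's routed /29, can be checked mechanically before a config is pushed. The Python below is an added example and not part of the original config; the sample stanzas are constructed from the LNS tunnels above, and 10.0.1.0/29 is an assumed value for this CPE's RADIUS static route.

```python
import ipaddress
import re

# Constructed sample: LNS tunnel interfaces reduced to the lines that matter here.
SAMPLE_LNS = """\
interface Tunnel1000000
 tunnel source Loopback10
 tunnel destination 10.0.1.0
 tunnel vrf WBMC
interface Tunnel1000001
 tunnel source Loopback10
 tunnel destination 10.0.1.1
 tunnel vrf WBMC
 tunnel protection ipsec profile ADSL-IPSEC shared
"""

def parse_tunnels(config):
    """Map each Tunnel interface to its source, destination, underlay VRF and protection."""
    tunnels, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)", line)
        if m:  # a new interface stanza; only Tunnel interfaces are tracked
            name = m.group(1)
            cur = tunnels.setdefault(name, {"protected": False}) if name.startswith("Tunnel") else None
        elif cur is not None:
            words = line.split()
            if words[:2] in (["tunnel", "source"], ["tunnel", "destination"], ["tunnel", "vrf"]) and len(words) > 2:
                cur[words[1]] = words[2]
            elif words[:3] == ["tunnel", "protection", "ipsec"]:
                cur["protected"] = True
    return tunnels

def audit(config, cpe_range):
    """Return findings: reused endpoint pairs and destinations outside the CPE loopback range."""
    net = ipaddress.ip_network(cpe_range)
    seen, findings = {}, []
    for name, t in parse_tunnels(config).items():
        key = (t.get("vrf"), t.get("source"), t.get("destination"))
        if key in seen:
            findings.append(f"{name}: same source/destination pair as {seen[key]}")
        seen.setdefault(key, name)
        dest = t.get("destination")
        if dest is None or ipaddress.ip_address(dest) not in net:
            findings.append(f"{name}: destination {dest} outside {net}")
    return findings

def unprotected(config):
    """Names of tunnels with no 'tunnel protection ipsec', i.e. carried in clear over the underlay."""
    return [n for n, t in parse_tunnels(config).items() if not t["protected"]]
```

`audit(SAMPLE_LNS, "10.0.1.0/29")` returns an empty list for the config above, and `unprotected(SAMPLE_LNS)` lists the tunnels whose VRF traffic crosses the PPP underlay as plain GRE.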