olzrunning.blogg.se

Multiple acls for vpn community check point
Over the years I have built numerous IPsec VPNs on ASAs using crypto maps and an ACL for the interesting traffic. For a simple solution to join small sites with no need for routing these work great and keep the complexity down to a minimum. For more complex environments or cloud connectivity you are probably going to need to use VTIs; this post goes through the process of building VTI VPNs between an ASR and an ASA.

Site-to-site VPNs using crypto maps with an interesting-traffic ACL seem to have got a lot of bad press over the years. They can be problematic between different vendors using a mix of policy-based (ACL interesting traffic) and route-based (tunnel interface) VPNs, but if you stick to the basics they are pretty solid. If you need a simple tunnel between sites for a few networks they are perfect, as you can get away from any unnecessary complexity such as running routing protocols. Alternatively, if you did want to complicate it a little you can run BGP through the tunnel, or GRE and run a routing protocol over the GRE tunnel. I have used this latter option for connections between various sites for the last few years with no real issues: an IPsec VPN between ASA and ASR with a GRE tunnel inside it (GRE tunnel source and destination as the interesting traffic) and OSPF running over the GRE tunnel. See my earlier post vCentre in Azure for more detail on a similar setup.

We recently changed this design to use VXLAN/BGP rather than GRE/OSPF, which brought to light a crypto map limitation that meant we had to change the VPNs to use VTIs. I thought it was worth a quick post on the VPN elements and how these are configured.

With VRF-Aware IPsec VPN tunnels the outer encapsulated packet belongs to one VRF domain (fVRF) whilst the inner protected IP packet belongs to another (iVRF).

iVRF (inside VRF): The VRF that contains the clear-text traffic before encryption (outbound flows) or after decryption (inbound flows).
fVRF (front-door VRF or outside VRF): The VRF that contains the encrypted traffic.

In our VXLAN design the global routing table is the underlay, advertising loopbacks which are then used to build the overlay of VTEP tunnels and BGP peerings. When VRF-Aware IPsec is used with a crypto map, the crypto map cannot use the global VRF as the iVRF and a non-global VRF as the fVRF.
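As an added illustration, not configuration from the original post, here is a minimal IOS-XE route-based VPN of the kind described above: a VTI whose outer (encrypted) packets live in a front-door VRF while the inner clear-text traffic stays in the global table, which is exactly the iVRF/fVRF split a crypto map cannot express. The VRF name, interface, addresses, pre-shared key and profile names are assumed placeholders.

```cisco
! Added example (not from the original post). All names and addresses are
! assumed placeholders; 203.0.113.0/24 is a documentation range.
! fVRF = OUTSIDE (outer ESP packets), iVRF = global table (inner traffic).
vrf definition OUTSIDE
 address-family ipv4
!
interface GigabitEthernet0/0/0
 description Internet-facing link, placed in the fVRF
 vrf forwarding OUTSIDE
 ip address 203.0.113.10 255.255.255.0
!
crypto ikev2 keyring KR-ASA
 peer ASA
  address 203.0.113.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
! IKE must be matched to the fVRF so negotiation happens on the outside VRF.
crypto ikev2 profile IKEV2-ASA
 match fvrf OUTSIDE
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-ASA
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-ASA
 set transform-set TS-AES256
 set ikev2-profile IKEV2-ASA
!
! No "vrf forwarding" on the tunnel itself, so the iVRF is the global table;
! "tunnel vrf" pins the outer packets to the fVRF.
interface Tunnel100
 description VTI to ASA, routed over BGP/OSPF rather than an interesting-traffic ACL
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel vrf OUTSIDE
 tunnel protection ipsec profile IPSEC-ASA
```

Because the VTI is a routed interface, what gets encrypted is decided by the routing table (static routes or a BGP/OSPF adjacency over Tunnel100), not by an ACL, which is why the mismatch between policy-based and route-based peers mentioned above goes away.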