As MPLS becomes increasingly common in enterprise WAN deployments, integrating IP Security (IPSec) tunnels with VRF (Virtual Routing and Forwarding) is crucial. Standard IPSec configurations don’t account for VRFs, which presents a challenge when multiple IPSec tunnels terminate on a single physical interface shared by multiple VRFs. This is where VRF-Aware IPSec comes into play.

What is VRF-Aware IPSec?

VRF-aware IPSec enables you to associate IPSec tunnels with specific VRF domains. Each IPSec tunnel is effectively split into two logical routing domains:

  • The outer (encapsulated) IP packet, associated with the Front VRF (FVRF).
  • The inner (protected) IP packet, associated with the Internal VRF (IVRF).

This configuration ensures that even when tunnels terminate on the same interface, traffic is correctly mapped to the right customer or domain context using ISAKMP profiles.

Why It Matters

Without VRF-aware IPSec, there’s no way for the router to determine which VRF an incoming protected packet should belong to. This is particularly problematic in MPLS VPN environments with overlapping address spaces or multiple tenants. VRF-aware IPSec resolves this ambiguity by allowing explicit configuration of the IVRF using the ISAKMP profile.

Important Notes

  • If you use pre-shared keys (PSKs), always configure a keyring and assign it to the ISAKMP profile.
  • If both RSA and PSK authentication policies are present, the PSK policy must have a higher priority number than the RSA policy (IOS evaluates policies from the lowest number upward, so the RSA policy is tried first).
  • Reverse Route Injection (RRI) can be used to dynamically add routes for the destination subnets defined in the proxy ACL. When RRI is used, it respects the VRF context and injects routes accordingly.

Sample Configuration

Below is a basic VRF-aware L2L VPN configuration on a Cisco IOS router. Only the IPSec-specific steps are shown; it assumes the VRF Europe-1, the transform set tset referenced by the crypto map, and the outbound interface already exist.

1. ISAKMP Policy (Phase 1)

crypto isakmp policy 1
authentication pre-share

2. Define the Pre-Shared Key for the Peer

crypto isakmp key cisco123 address 11.11.11.11

3. Define the Traffic to Encrypt (Proxy ACL)

access-list 125 permit ip 10.10.10.0 0.0.0.255 10.11.11.0 0.0.0.255

4. Create the ISAKMP Profile and Assign the VRF

crypto isakmp profile ISA_PROF3
vrf Europe-1
keyring default
match identity address 11.11.11.11 255.255.255.255

This binds the ISAKMP exchange to the “Europe-1” VRF (the IVRF) and ensures it uses the appropriate keyring; “keyring default” refers to the global pre-shared keys, i.e. the key defined in step 2.

5. Configure the IPSec Crypto Map

crypto map CMAP3 5 ipsec-isakmp
set peer 11.11.11.11
set transform-set tset
match address 125
reverse-route static

6. Apply the Crypto Map to the Outbound Interface

interface g1
crypto map CMAP3
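The rules in the notes above can be checked mechanically before a config is pushed. The following Python audit is an added example, not part of the original post or any Cisco tool: it parses an IOS-style running-config and flags an ISAKMP profile that binds an IVRF without a keyring, a crypto map that references an undefined transform set, and a PSK policy whose number is not higher than the RSA policy. The sample config is constructed from the page's steps plus an assumed RSA policy and a second profile (ISA_PROF4, Asia-1) added to make the checks fire.

```python
# Constructed sample: the page's config plus an RSA-sig policy numbered above the PSK
# policy and a second profile with no keyring; "tset" is referenced but never defined.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp policy 5
 authentication rsa-sig
crypto isakmp profile ISA_PROF3
 vrf Europe-1
 keyring default
 match identity address 11.11.11.11 255.255.255.255
crypto isakmp profile ISA_PROF4
 vrf Asia-1
 match identity address 22.22.22.22 255.255.255.255
crypto map CMAP3 5 ipsec-isakmp
 set transform-set tset
 match address 125
 reverse-route static
"""

def parse_sections(config):
    """Map each top-level line to its indented sub-commands (IOS running-config style)."""
    sections, current = {}, None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif line.strip():
            sections[current].append(line.strip())
    return sections

def audit(config):
    """Apply the page's rules and return a list of findings (empty means clean)."""
    findings, psk, rsa, defined, used = [], [], [], set(), []
    for head, body in parse_sections(config).items():
        w = head.split()
        if head.startswith("crypto isakmp policy "):
            auth = next((b.split()[1] for b in body if b.startswith("authentication ")), "rsa-sig")
            (psk if auth == "pre-share" else rsa).append(int(w[3]))  # IOS default auth is rsa-sig
        elif head.startswith("crypto ipsec transform-set "):
            defined.add(w[3])
        elif head.startswith("crypto map ") and head.endswith(" ipsec-isakmp"):
            used += [(f"{w[2]} {w[3]}", b.split()[2]) for b in body if b.startswith("set transform-set ")]
        elif head.startswith("crypto isakmp profile ") and any(b.startswith("vrf ") for b in body):
            if not any(b.startswith("keyring ") for b in body):
                findings.append(f"profile {w[3]} binds an IVRF but has no keyring")
    findings += [f"crypto map {entry} uses undefined transform-set {ts}" for entry, ts in used if ts not in defined]
    if psk and rsa and min(psk) <= max(rsa):
        findings.append("PSK policy must have a higher priority number than every RSA policy")
    return findings
```

Running `audit(SAMPLE_CONFIG)` returns three findings; once the profile gets a keyring, the PSK policy is renumbered above the RSA policy and tset is defined, it returns an empty list.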

Conclusion

VRF-aware IPSec is an essential feature for secure, multi-tenant MPLS environments. It bridges the gap between routing isolation (VRFs) and encrypted tunnels (IPSec), ensuring each tenant or domain’s traffic is properly separated and secured. Whether you’re working with pre-shared keys or certificates, ISAKMP profiles and keyrings are critical to the configuration.