GRE/IPsec tunneling through VRFs

Hello All,

Hoping to pick the brains of others on an issue I’m trying to solve in my lab. I created this lab based on a practice question I saw somewhere at one point in time. Not even sure if what I’m trying to do is possible without a super complicated config. I want host-a to be able to communicate with host-b using the GRE/IPsec tunnel from R5 and R7. The tunnel is in a VRF called test. My initial thought was to create a route map that matched the host networks and then changed the next hop to the tunnel interface. However, I realized that the destination router would have no idea what to do with this packet because the tunnel is in its own VRF. I realize that I could also put the host-facing interface into the VRF, but that doesn’t seem like common design practice? It’s possible that this question wanted me to put the host interfaces into the VRF, but I’m unable to verify this.

Still have very much to learn about networking and appreciate anyone that takes the time to respond to this 🙂

I’ve attached a picture with the topology.

Hello Chase

This scenario involves GRE, IPsec, VRFs, and routing, and you have to ensure that all of these work together correctly. I haven’t tried this specific combination, but it’s something that should be relatively straightforward. I don’t see any reason why it shouldn’t work.

Just to verify, you have configured the tunnel interfaces on R5 and R7 to be on VRF “test”, correct? All other interfaces on the whole topology are on the default VRF, correct?

If so, and if this is just a lab and not a production network, then I would suggest that you initially start by creating this topology without the “test” VRF. Make sure that the tunnel, IPSec, and routing are functioning correctly. That way you initially eliminate the VRF factors that may be affecting the behavior. Take a look at this lesson to ensure this part of the deployment:

Once you confirm that this is working correctly, you can then introduce the additional parameter of the VRF. When you apply the VRF, you must make sure that you are correctly implementing VRF leaking so that your default VRF can communicate with your “test” VRF. There are various ways you can employ this, and the following lesson indicates some of these options:

Now, once communication is possible, you can then turn to the specific routing requirements. If you want all hosts in the network to communicate with all hosts in the network, then you can do this using static routing or routing protocols. If you want only Host A’s communication with Host B to go through the tunnel and all other traffic to go through R6, then you can apply policy-based routing to the mix. More about this can be found here:

We all always have a lot to learn about networking 🙂 That’s part of the charm and the adventure of this technology. As you can see, there is no one single way to do things; you have many options, and based on experience, you will be able to choose the one that best suits your needs. And labbing is one of the best ways to acquire that experience!!

I hope this has been helpful!
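
An added example, not part of either post above: one way the VRF leaking step could look on R5 in Cisco IOS, using static routes so that host traffic in the global table reaches the tunnel in VRF "test" and returning traffic gets back out. Every interface name, address, profile name and the pre-shared key placeholder is constructed for illustration; R7 would mirror it with the addresses swapped.

```cisco-ios
! Added example for R5 (constructed values throughout, not from the thread).
vrf definition test
 address-family ipv4
 exit-address-family
!
! IKE and IPsec stay in the global table: the tunnel source and destination
! are global addresses, so no "tunnel vrf" or VRF-aware keyring is needed.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 203.0.113.7
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface GigabitEthernet0/0
 description Underlay toward R7 (global table)
 ip address 198.51.100.5 255.255.255.0
!
interface GigabitEthernet0/1
 description host-a LAN (global table)
 ip address 10.0.1.1 255.255.255.0
!
! Only the tunnel's inner (overlay) address lives in VRF test.
interface Tunnel57
 vrf forwarding test
 ip address 172.16.57.5 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.7
 tunnel protection ipsec profile GRE-PROT
!
! Leak global -> VRF: a global static route may name a point-to-point
! interface that sits in a VRF, so host-b's network is sent into the tunnel.
ip route 10.0.2.0 255.255.255.0 Tunnel57
!
! Leak VRF -> global: packets that arrive on Tunnel57 are looked up in VRF
! test; "global" resolves the next hop (toward host-a) in the global table.
ip route vrf test 10.0.1.0 255.255.255.0 10.0.1.10 global
```

Comparing `show ip route 10.0.2.0` with `show ip route vrf test 10.0.1.0` shows whether each direction of the leak is installed, and `show crypto ipsec sa` should show the encaps and decaps counters rising while host-a pings host-b.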