TL;DR: when the outside interface is in a VRF and the inside (tunnel) interface is in the global table, you must specify the VRF on the crypto keyring; `tunnel vrf` on the VTI alone is not enough.
I recently set up an IPsec VPN between two Cisco routers where the Internet-facing interface was in a VRF and the tunnel interface was not (it was in the global routing table).
The VTI was configured in the usual way, including a `tunnel vrf Outside-A` statement so that the tunnel source and destination would be resolved in the outside VRF.
The crypto configuration was also the usual one: an ISAKMP policy, a preshared key for the peer (defined without a keyring), and an IPsec profile applied to the tunnel with `tunnel protection`. But the tunnel would not come up.
`debug crypto isakmp` showed an error to the effect that a preshared key was not configured, or could not be found, for the peer. This was puzzling because there was clearly a preshared key defined.
There were no messages in the debug output about incoming connections or policy mismatches, so I assumed the problem was occurring either before the router tried to talk to its peer or because it was not seeing the peer's traffic at all.
From the documentation I found, it seemed that the `tunnel vrf Outside-A` statement on the VTI was all IOS needed to know that the outside was in a VRF (the tunnel endpoint is in the VRF, so the protection profile should follow it). That turned out not to be the case. The `tunnel vrf` statement on the VTI only affects the tunnel itself, that is, where the tunnel source and destination are looked up. You also need to specify the VRF in the crypto keyring definition; otherwise the router does not look for the peer's IKE traffic, or its preshared key, in the VRF. In Cisco's VRF-aware IPsec terminology the outside VRF is the front-door VRF (fVRF): the `vrf` keyword on `crypto keyring` and the trailing VRF on `match identity address` both refer to the fVRF, while the `vrf` command inside an ISAKMP profile refers to the inside VRF (iVRF), which for a VTI is simply whatever VRF the tunnel interface itself is in.
I changed the crypto configuration to use a keyring, specified the outside VRF on the keyring definition, and pointed an ISAKMP profile at that keyring. After that the tunnel came up. Of course, now that it is working, I find a Cisco document, "New Version Site-to-Site Configuration", that shows exactly this.
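As an added example, not the configuration from the original post, here is a complete layout of the kind described: the Internet-facing interface in VRF Outside-A, the VTI in the global table, and the preshared key held in a keyring bound to the outside VRF. The interface names, addresses, keyring and profile names, and cipher choices are all assumptions; only the VRF name Outside-A comes from the post.

```cisco
! Assumed names and addresses (not from the original post):
!   outside VRF        Outside-A
!   outside interface  GigabitEthernet0/0, 198.51.100.2/24, next hop 198.51.100.1
!   remote peer        203.0.113.1
!   tunnel addressing  10.0.0.0/30; remote inside network 192.168.20.0/24 (global table)
!
! Older "ip vrf" syntax; newer releases use "vrf definition" with an
! "address-family ipv4" stanza, but the crypto side is the same.
ip vrf Outside-A
!
interface GigabitEthernet0/0
 description Internet-facing, front-door VRF
 ip vrf forwarding Outside-A
 ip address 198.51.100.2 255.255.255.0
!
ip route vrf Outside-A 0.0.0.0 0.0.0.0 198.51.100.1
!
! The key must live in a keyring bound to the outside (front-door) VRF.
! A plain "crypto isakmp key <key> address 203.0.113.1" with no keyring is
! only consulted for peers reached through the global table, which is why
! the missing-pre-shared-key error appears even though a key is configured.
crypto keyring KR-Outside-A vrf Outside-A
 pre-shared-key address 203.0.113.1 key ExamplePreSharedKey
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! The trailing VRF on "match identity address" is again the front-door VRF.
! Do not add a "vrf" line inside this profile: there it means the *inside*
! VRF, and for a VTI the inside VRF is whatever the tunnel interface is in
! (here, the global table).
crypto isakmp profile ISAKMP-PROF-A
 keyring KR-Outside-A
 match identity address 203.0.113.1 255.255.255.255 Outside-A
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF-A
 set transform-set TS-AES256-SHA256
 set isakmp-profile ISAKMP-PROF-A
!
! The VTI stays in the global table (no "ip vrf forwarding" here).
! "tunnel vrf" only tells the tunnel to resolve its source and destination
! in Outside-A; it does not make ISAKMP look for the peer or its key there.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel vrf Outside-A
 tunnel protection ipsec profile IPSEC-PROF-A
!
! Inside traffic is routed through the VTI in the global table.
ip route 192.168.20.0 255.255.255.0 Tunnel0
```

With the peer configured symmetrically, `show crypto isakmp sa` should list 203.0.113.1 in state `QM_IDLE` once phase 1 completes, and `show crypto session` should report the session as `UP-ACTIVE`. If the key is again reported missing, check that the keyring's `vrf`, the VRF on `match identity address`, and the VTI's `tunnel vrf` all name the same front-door VRF.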