[Help] Question about VRF-aware IPsec VPN

Posted on 2014-1-14 20:40:50
This post was last edited by jin544642965 on 2014-1-14 20:54

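The test topology is as follows:

ASR1 simulates the VPN router, and ASR2 simulates the enterprise router that connects to the VPN; the interconnect subnet is 10.255.0.0/28.
On ASR, the lo0 interface is enabled and placed in a VRF, named VIP3112;
ASR also has the lo0 interface enabled, to simulate interesting traffic for the test;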

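The current test results are as follows:
When the lo0 interface on ASR 1 is assigned to VIP3112, the IPsec VPN is established successfully, but pings for the interesting traffic fail. I found that only the packets from the initiating site are encrypted and encapsulated, and the peer site is able to decrypt them, but there are no return packets;

When the lo0 interface on ASR 1 is moved back to the global table, the IPsec VPN is established successfully, and pings for the interesting traffic succeed;


The configuration is as follows: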
ASR1006-1#
      
ip vrf VIP3112
rd 112:1
route-target export 112:1
route-target import 112:1

crypto keyring vpn3112  
  pre-shared-key address 10.255.0.4 key cisco
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp keepalive 20
crypto isakmp profile vpn3112
   vrf VIP3112
   keyring vpn3112
   match identity address 10.255.0.4 255.255.255.255
crypto ipsec transform-set zuoyb esp-des esp-md5-hmac
mode tunnel
crypto map zuoyb 10 ipsec-isakmp
set peer 10.255.0.4
set transform-set zuoyb
set isakmp-profile vpn3112
match address 112
interface Loopback0
ip vrf forwarding VIP3112
ip address 10.100.241.100 255.255.255.0
interface TenGigabitEthernet1/2/0
ip address 10.255.0.1 255.255.255.240
cdp enable
crypto map zuoyb
ip route 0.0.0.0 0.0.0.0 10.255.0.4 100 name test-vpn
ip route vrf VIP3112 0.0.0.0 0.0.0.0 10.255.0.4 global
access-list 112 permit ip 10.100.241.0 0.0.0.255 192.168.1.0 0.0.0.255

------------------------------------------------------------------------------------------
ASR1006-2#

crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 20
crypto isakmp profile vip3112
   keyring vip3112
   match identity address 10.255.0.1 255.255.255.255
crypto ipsec transform-set zuoyb esp-des esp-md5-hmac
mode tunnel
crypto map zuoyb 10 ipsec-isakmp
set peer 10.255.0.1
set transform-set zuoyb
match address 112
interface Loopback0
ip address 192.168.1.100 255.255.255.0
interface TenGigabitEthernet1/2/0
ip address 10.255.0.4 255.255.255.240
cdp enable
crypto map zuoyb
ip route 0.0.0.0 0.0.0.0 10.255.0.1
ip route 192.168.1.0 255.255.255.0 10.110.10.253
access-list 112 permit ip 192.168.1.0 0.0.0.255 10.100.241.0 0.0.0.255
