Legacy IKEv1 Crypto Map VPN with VRFs

I recently needed to tie an old Cisco Small Business router belonging to a partner company into our VPN topology. I didn't have access to the router on the other side, and it only supported legacy IKEv1 (isakmp) crypto map style VPN tunnels. After a little research I found a great blog post from Nicolas Meesen that details how to do this in most situations and is definitely worth a read. Unfortunately, his configuration alone does not work in my scenario, where the FVRF (the front-door VRF, through which the peer is reached) is an internet VRF and the IVRF (the inside VRF, where the cleartext traffic lives) is the global routing table. I was able to use Policy Based Routing to direct traffic into the correct VRF and achieve the desired result. I outlined how to use PBR to route traffic between VRFs in a previous blog post; the main difference in this scenario is that I also had to put a routing policy on the inside interface to move the outbound traffic for this tunnel into the correct FVRF.

Here are the specific commands that must be added to the configuration for routing to work in this scenario (the full config is below).

FVRF to IVRF Routing Config:

! ACL for WAN1 to Global. This matches every RFC 1918 destination; to bring the VPN up you only
! need to match the traffic that arrives from the peer. The 172.16.0.0/12 entry needs the contiguous
! wildcard 0.15.255.255: 0.240.255.255 would match 172.0.x.x, 172.32.x.x, 172.48.x.x and so on while
! missing 172.17.x.x through 172.31.x.x.
ip access-list extended VRF_TO_GLOBAL_ACL
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
!
! Route-map for WAN1 to Global
route-map VRF_TO_GLOBAL permit 10
 match ip address VRF_TO_GLOBAL_ACL
 set global
!
! Tie WAN1 to Global PBR to the WAN-side interface (Dialer1, in VRF WAN1), where the decrypted
! traffic from the peer arrives. It cannot share GigabitEthernet0/0 with GLOBAL_TO_WAN1_VRF:
! IOS keeps only one ip policy route-map per interface, and a second one replaces the first.
int Dialer1
 ip policy route-map VRF_TO_GLOBAL

IVRF to FVRF Routing Config:

! ACL for Global to WAN1
ip access-list extended GLOBAL_TO_WAN1_ACL
 permit ip any 192.168.10.0 0.0.0.255
!
! Route-map for Global to WAN1
route-map GLOBAL_TO_WAN1_VRF permit 10
 match ip address GLOBAL_TO_WAN1_ACL
 set vrf WAN1
!
! Tie Global to WAN1 PBR to the inside interface
int GigabitEthernet0/0
 ip policy route-map GLOBAL_TO_WAN1_VRF

Full Config:

!!! VPN Configuration
! Make the isakmp (phase 1) policy. hash sha is SHA-1 and group 5 is 1536-bit MODP; both are legacy
! choices, so use hash sha256 and group 14 or stronger wherever the peer supports them.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
! Set isakmp identity to use the IP of the interface
crypto isakmp identity address
!
! Make the transform set
crypto ipsec transform-set SITE1_TRAN esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Make the crypto map. ACL 110 (defined below) selects the traffic to encrypt; the PFS group must
! agree with the peer's setting or phase 2 will not come up.
crypto map SITE1_CRYPTO_MAP 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set SITE1_TRAN
 match address 110
 set pfs group5
 reverse-route
!
! Apply the crypto map to the interface
interface Dialer1
 crypto map SITE1_CRYPTO_MAP
!
! Remake the NAT ACL with deny entries so traffic from the hub subnets to the SITE1 network
! (192.168.10.0/24) is exempt from NAT. NAT runs before the crypto map, so translated traffic would
! no longer match ACL 110 and would never be encrypted. The object-group WAN_NAT_EXCLUSIONS entry
! is carried over from the existing config (the group itself is not shown here).
no ip access-list extended WAN1_NAT_ACL
ip access-list extended WAN1_NAT_ACL
 deny ip object-group WAN_NAT_EXCLUSIONS any
 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 10.0.0.0 0.0.255.255 192.168.10.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
!
! Make ACL to match traffic to SITE1 and put it through the crypto map
access-list 110 remark SITE1 Traffic to encrypt
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.255.255 192.168.10.0 0.0.0.255
!
! Tie the peer to the VRF
crypto isakmp peer address 2.2.2.2 vrf WAN1
 description SITE1 Peer
!
! Make the isakmp profile: match the peer in FVRF WAN1 and use the keyring below. The vrf command
! sets the IVRF, so decrypted traffic lands in WAN1 and the VRF_TO_GLOBAL policy moves it to global.
crypto isakmp profile SITE1_VPN
 vrf WAN1
 keyring SITE1_VPN
 isakmp authorization list default
 match identity address 2.2.2.2 255.255.255.255 WAN1
!
! Make the keyring in FVRF WAN1 and add the peer's pre-shared key (the key shown is a placeholder;
! use a long random value).
crypto keyring SITE1_VPN vrf WAN1
 pre-shared-key address 2.2.2.2 key pre$harekey_1
!
!!!Routing Configuration
! ACL for Global to WAN1
ip access-list extended GLOBAL_TO_WAN1_ACL
 permit ip any 192.168.10.0 0.0.0.255
!
! Route-map for Global to WAN1
route-map GLOBAL_TO_WAN1_VRF permit 10
 match ip address GLOBAL_TO_WAN1_ACL
 set vrf WAN1
!
! Tie Global to WAN1 PBR to the inside interface
int GigabitEthernet0/0
 ip policy route-map GLOBAL_TO_WAN1_VRF
!
! ACL for WAN1 to Global (172.16.0.0/12 needs the contiguous wildcard 0.15.255.255)
ip access-list extended VRF_TO_GLOBAL_ACL
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
!
! Route-map for WAN1 to Global
route-map VRF_TO_GLOBAL permit 10
 match ip address VRF_TO_GLOBAL_ACL
 set global
!
! Tie WAN1 to Global PBR to the WAN-side interface (Dialer1, in VRF WAN1), where the decrypted
! traffic from the peer arrives. Only one ip policy route-map can be applied per interface, and
! GigabitEthernet0/0 already carries GLOBAL_TO_WAN1_VRF.
int Dialer1
 ip policy route-map VRF_TO_GLOBAL
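Two things in the configuration above fail silently when they are wrong: a non-contiguous wildcard mask in an ACL (0.240.255.255 instead of 0.15.255.255 for 172.16.0.0/12 matches the wrong networks without any error), and a NAT ACL that still permits traffic the crypto ACL is supposed to encrypt (NAT runs first, so the translated packets never match ACL 110). The following Python script is an added example, not part of the original post or of any Cisco tool. It parses permit/deny ip entries in the IOS syntax used on this page, reports which addresses a wildcard actually matches, and spot-checks the NAT ACL against ACL 110. The ACL text embedded in it is copied from the configuration above; object-group entries are reported as skipped because the group contents are not on the page, and the NAT check samples a few addresses per entry rather than proving coverage.

```python
"""Wildcard-ACL sanity checks for the IOS config above (added example, not from the post)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Wildcard:
    """A Cisco 'address wildcard' pair; wildcard bits set to 1 are don't-care bits."""
    address: int
    wildcard: int

    def contains(self, ip: str) -> bool:
        care = ~self.wildcard & MASK32
        return (int(IPv4Address(ip)) & care) == (self.address & care)

    def as_prefix(self) -> Optional[str]:
        """CIDR form if the wildcard is contiguous (2**n - 1), else None."""
        if self.wildcard & (self.wildcard + 1):
            return None
        base = IPv4Address(self.address & ~self.wildcard & MASK32)
        return str(ip_network(f"{base}/{32 - self.wildcard.bit_length()}"))

    def samples(self) -> List[str]:
        """First, last and one interior address of the matched set, for spot checks."""
        base = self.address & ~self.wildcard & MASK32
        picks = {base, base | self.wildcard, base | (self.wildcard & 0x00010101)}
        return [str(IPv4Address(i)) for i in sorted(picks)]


def _take_spec(tokens: List[str]) -> Tuple[Wildcard, List[str]]:
    """Consume one source/destination spec: 'any', 'host A' or 'A W'."""
    if tokens[0] == "any":
        return Wildcard(0, MASK32), tokens[1:]
    if tokens[0] == "host":
        return Wildcard(int(IPv4Address(tokens[1])), 0), tokens[2:]
    if tokens[0] == "object-group":
        raise ValueError("object-group contents are not available here")
    return Wildcard(int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]


def parse_spec(text: str) -> Wildcard:
    return _take_spec(text.split())[0]


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Wildcard
    dst: Wildcard


def parse_acl(text: str) -> Tuple[List[Ace], List[str]]:
    """Parse named or numbered 'ip' ACEs; returns (aces, entries that were skipped)."""
    aces, skipped = [], []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0] == "access-list":  # numbered form: access-list 110 permit ...
            tokens = tokens[2:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # blank lines, '!' comments, 'ip access-list' headers, remarks
        try:
            if tokens[1] != "ip":
                raise ValueError("only plain ip entries are expanded")
            src, rest = _take_spec(tokens[2:])
            dst, _ = _take_spec(rest)
        except (ValueError, IndexError):
            skipped.append(raw.strip())  # e.g. object-group references
            continue
        aces.append(Ace(tokens[0], src, dst))
    return aces, skipped


def first_match(aces: List[Ace], src: str, dst: str) -> str:
    """IOS first-match evaluation, including the implicit deny at the end."""
    for ace in aces:
        if ace.src.contains(src) and ace.dst.contains(dst):
            return ace.action
    return "deny"


def natted_vpn_flows(crypto_aces: List[Ace], nat_aces: List[Ace]) -> List[Tuple[str, str]]:
    """Spot-check: sample flows the crypto ACL would encrypt but the NAT ACL still permits.
    Inside-to-outside NAT runs before the crypto map, so such a flow is never encrypted."""
    hits = []
    for ace in crypto_aces:
        if ace.action == "permit":
            for s in ace.src.samples():
                for d in ace.dst.samples():
                    if first_match(nat_aces, s, d) == "permit":
                        hits.append((s, d))
    return hits


# ACL text copied from the configuration above; the object-group entry is reported as skipped.
CRYPTO_ACL_110 = """\
access-list 110 remark SITE1 Traffic to encrypt
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.255.255 192.168.10.0 0.0.0.255
"""
WAN1_NAT_ACL = """\
ip access-list extended WAN1_NAT_ACL
 deny ip object-group WAN_NAT_EXCLUSIONS any
 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 10.0.0.0 0.0.255.255 192.168.10.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
"""
```

Running `parse_spec("172.0.0.0 0.240.255.255").as_prefix()` returns None and `.contains("172.17.1.1")` is False, while `parse_spec("172.16.0.0 0.15.255.255")` gives 172.16.0.0/12; `natted_vpn_flows` over the two ACLs above returns an empty list, and returns 18 sampled flows if the two deny entries are removed from the NAT ACL.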