[c-nsp] IPSec crypto map on MPLS enabled interface?
Peter Rathlev
peter at rathlev.dk
Thu Mar 18 15:24:34 EDT 2010
On Thu, 2010-03-18 at 12:12 +0100, Peter Rathlev wrote:
> Would anyone happen to have a working config for VTI tunnelling using
> GRE and working on MPLS enabled interfaces on a 7200?
Ah, I couldn't see the forest for the trees! :-)
VTI isn't the right answer at all. VTI isn't GRE (actually most
documentation I found points out how this is an advantage, saving at
least 4 bytes MTU) and thus cannot be used in this example.
OTOH the "tunnel protection", i.e. the alternative to using a crypto
map, is exactly what I needed. I have the setup working now with traffic
entering and exiting via an MPLS link.
I ended up with the following configuration, assuming my end is
198.51.100.7 and the remote end is 192.0.2.5:
! *** R1 ***
interface Loopback3126
 ip vrf forwarding FVRF
 ip address 198.51.100.7 255.255.255.255
!
crypto keyring TEST_KEYRING vrf FVRF
 pre-shared-key address 192.0.2.5 key asdf
!
crypto isakmp profile TEST_ISAKMP_PROFILE
 keyring TEST_KEYRING
 match identity address 192.0.2.5 255.255.255.255 FVRF
!
crypto ipsec profile TEST_IPSEC_PROFILE
 set transform-set AES256-MD5
 set isakmp-profile TEST_ISAKMP_PROFILE
!
interface Tunnel100
 ip vrf forwarding iVRF
 ip address 10.0.0.1 255.255.255.252
 tunnel source Loopback3126
 tunnel destination 192.0.2.5
 tunnel mode gre ip ! (This is the default)
 tunnel vrf FVRF
 tunnel protection ipsec profile TEST_IPSEC_PROFILE
 exit
!
This is also a somewhat simpler configuration compared to the crypto map
version.
--
Peter
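The split between the front-door VRF (FVRF, where the loopback, keyring and ISAKMP identity live) and the inside VRF (iVRF, where the tunnel's IP address lives) is what makes this work, and the usual failure is one of those references drifting into a different VRF. The following Python is an added example, not from the post or from Cisco: it parses a constructed, trimmed copy of the config above and checks that the tunnel source interface, the ISAKMP profile's match identity and the keyring all agree on the FVRF and the peer address. The function names and the SAMPLE text are the example's own.

```python
SAMPLE = """interface Loopback3126
 ip vrf forwarding FVRF
crypto keyring TEST_KEYRING vrf FVRF
 pre-shared-key address 192.0.2.5 key asdf
crypto isakmp profile TEST_ISAKMP_PROFILE
 keyring TEST_KEYRING
 match identity address 192.0.2.5 255.255.255.255 FVRF
crypto ipsec profile TEST_IPSEC_PROFILE
 set isakmp-profile TEST_ISAKMP_PROFILE
interface Tunnel100
 ip vrf forwarding iVRF
 tunnel source Loopback3126
 tunnel destination 192.0.2.5
 tunnel vrf FVRF
 tunnel protection ipsec profile TEST_IPSEC_PROFILE
"""  # constructed sample, trimmed to the lines the checks below read

def parse(text):  # {header: [sub-commands]}; blank and '!' lines are skipped
    sections, cur = {}, None
    for line in (l for l in text.splitlines() if l.strip() and not l.startswith("!")):
        if line.startswith(" "):
            sections[cur].append(line.strip())
        else:
            cur = line.strip()
            sections[cur] = []
    return sections

def first(lines, prefix):  # tokens after `prefix` on the first matching sub-command
    return next((l[len(prefix):].split() for l in lines if l.startswith(prefix)), None)

def check_fvrf_consistency(text, tunnel="interface Tunnel100"):
    s = parse(text)
    tun, out = s[tunnel], []
    fvrf, src = first(tun, "tunnel vrf")[0], first(tun, "tunnel source")[0]
    dst, prof = first(tun, "tunnel destination")[0], first(tun, "tunnel protection ipsec profile")[0]
    # 1. the tunnel source interface must live in the FVRF the tunnel is sourced from
    if first(s.get(f"interface {src}", []), "ip vrf forwarding") != [fvrf]:
        out.append(f"tunnel source {src} is not in FVRF {fvrf}")
    # 2. ipsec profile -> isakmp profile: it must match the peer address inside the FVRF
    isakmp = first(s.get(f"crypto ipsec profile {prof}", []), "set isakmp-profile")
    ip = s.get(f"crypto isakmp profile {isakmp[0]}", []) if isakmp else []
    ident = first(ip, "match identity address")  # [peer, mask, vrf]
    if not ident or ident[0] != dst or ident[-1] != fvrf:
        out.append(f"isakmp profile does not match peer {dst} in FVRF {fvrf}")
    # 3. the keyring must be scoped to the FVRF and hold a pre-shared key for the peer
    kr = first(ip, "keyring")
    psk = first(s.get(f"crypto keyring {kr[0]} vrf {fvrf}", []), "pre-shared-key address") if kr else None
    if not psk or psk[0] != dst:
        out.append(f"no keyring scoped to vrf {fvrf} holds a key for peer {dst}")
    return out
```

An empty list means the three references agree; changing `tunnel vrf FVRF` to another name makes all three checks fire, which is exactly the mismatch that leaves the tunnel protection never negotiating.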