[nsp] IPSec + MPLS

From: Manpreet Singh (singh@ispsoft.com)
Date: Mon Jun 03 2002 - 16:51:02 EDT


Hi all,
     I am trying to configure MPLS and IPSec in the following fashion:

    Bern(3640, MPLS+IPSec Image)------------------Prague(3620)------------------Torino(3620, IPSec Image).

I want to have an IPSec connection from Torino to Bern. I also want to run
OSPF as the PE-CE routing protocol. Hence I used GRE to do so. It seems that
OSPF works well over GRE if there is no VRF configuration in Bern. Once I
configure VRF on Bern, the OSPF state goes down. I tried configuring "ip vrf
forwarding" on the GRE tunnel interface too. That doesn't help either.

Do I need to enable "ip vrf forwarding" on the tunnel interface?

My VPN routes are getting to Bern from other PE routers, but they are not
getting redistributed into OSPF, because OSPF is down.
I have attached the config files of Bern and Torino.

-Thanks in advance.
 Manpreet

torino#sh run
Building configuration...

Current configuration : 1924 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname torino
!
boot system flash c3620-js-mz.122-2.T.bin
boot system flash c3620-jk9s-mz.122-2.T.bin
logging rate-limit console 10 except errors
enable password rtrConfig
!
!
!
ip subnet-zero
!
!
ip name-server 192.168.12.200
!
ip cef
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
tag-switching ip default-route
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key F6BDD41FDFC48EACD9806921A7E9C3E0 address 150.13.0.1
!
!
crypto ipsec transform-set DESMD5-HMAC esp-des esp-md5-hmac
!
crypto map ethernet1/1Map 10 ipsec-isakmp
 set peer 150.13.0.1
 set security-association lifetime kilobytes 2560
 set security-association lifetime seconds 86400
 set transform-set DESMD5-HMAC
 match address 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback1
 ip address 172.33.10.1 255.255.255.255
!
interface Tunnel0
 ip address 11.101.0.2 255.255.255.252
 ip ospf network point-to-point
 tunnel source Ethernet1/1
 tunnel destination 150.13.0.1
 crypto map ethernet1/1Map
!
interface Ethernet1/0
 ip address 192.168.10.30 255.255.255.0
 half-duplex
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 no keepalive
!
interface Ethernet1/1
 ip address 150.10.0.2 255.255.255.252
 half-duplex
 crypto map ethernet1/1Map
!
router ospf 10
 domain-id 6.6.6.6
 log-adjacency-changes
 network 11.101.0.0 0.0.0.3 area 0
 network 172.33.10.0 0.0.0.255 area 0
!
ip classless
ip route 150.13.0.1 255.255.255.255 150.10.0.1
ip route 192.168.0.0 255.255.0.0 192.168.10.1
ip http server
!
access-list 100 permit gre host 150.10.0.2 host 150.13.0.1
!
!
!
snmp-server manager
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password rtrconfig
 login
!
!
end

sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.10.0/24 is directly connected, Ethernet1/0
     172.33.0.0/32 is subnetted, 1 subnets
C 172.33.10.1 is directly connected, Loopback1
     11.0.0.0/30 is subnetted, 1 subnets
C 11.101.0.0 is directly connected, Tunnel0
     150.10.0.0/30 is subnetted, 1 subnets
C 150.10.0.0 is directly connected, Ethernet1/1
     150.13.0.0/32 is subnetted, 1 subnets
S 150.13.0.1 [1/0] via 150.10.0.1
S 192.168.0.0/16 [1/0] via 192.168.10.1

Bern#sh run
Building configuration...

Current configuration : 2959 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname Bern
!
boot system flash c3640-js-mz.122-8.T.bin
boot system flash c3640-jk9s-mz.122-2.T.bin
logging rate-limit console 10 except errors
enable secret level 1 5 $1$6jbP$HZ7TwMJMkybcExKjzcRnf/
enable secret 5 $1$sDpE$d5kTX2xLPwZOf7.YlDegP1
enable password ***
!
!
!
ip subnet-zero
!
!
!
!
ip vrf Hub-1
 rd 100:10
 route-target export 100:5308
 route-target import 100:5308
 route-target import 100:5309
ip cef
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key F6BDD41FDFC48EACD9806921A7E9C3E0 address 150.10.0.2
!
!
crypto ipsec transform-set DESMD5-HMAC esp-des esp-md5-hmac
!
crypto map serial1/0.1Map 10 ipsec-isakmp
 set peer 150.10.0.2
 set security-association lifetime kilobytes 2560
 set security-association lifetime seconds 86400
 set transform-set DESMD5-HMAC
 match address 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 210.0.0.9 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding Hub-1
 ip address 11.101.0.1 255.255.255.252
 ip ospf network point-to-point
 tunnel source Serial1/0.1
 tunnel destination 150.10.0.2
 crypto map serial1/0.1Map
!
interface Ethernet1/0
 ip address 192.168.10.47 255.255.255.0
 half-duplex
 no mop enabled
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 no keepalive
 clockrate 1300000
!
interface Serial1/0.1 point-to-point
 ip vrf forwarding Hub-1
 ip address 150.13.0.1 255.255.255.252
 frame-relay interface-dlci 300
 crypto map serial1/0.1Map
!
interface Ethernet1/1
 description denver
 ip address 120.0.0.1 255.255.255.0
 half-duplex
 tag-switching ip
!
interface Serial1/1
 no ip address
 shutdown
!
router ospf 20
 log-adjacency-changes
 network 120.0.0.0 0.255.255.255 area 0
 network 210.0.0.0 0.255.255.255 area 0
!
router ospf 10 vrf Hub-1
 log-adjacency-changes
 redistribute bgp 2 subnets
 network 11.101.0.0 0.0.0.255 area 0
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 neighbor 210.0.0.8 remote-as 2
 neighbor 210.0.0.8 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf Hub-1
 redistribute ospf 10
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family vpnv4
 neighbor 210.0.0.8 activate
 neighbor 210.0.0.8 send-community extended
 no auto-summary
 exit-address-family
!
ip classless
ip route 150.10.0.2 255.255.255.255 150.13.0.2
ip route 192.168.0.0 255.255.0.0 192.168.10.1
ip route vrf Hub-1 150.10.0.2 255.255.255.255 Serial1/0.1
no ip http server
!
access-list 100 permit gre host 150.13.0.1 host 150.10.0.2
!
!
!
snmp-server community public RO
snmp-server manager
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password rtrconfig
 login
!
!
end

sh ip route vrf Hub-1
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/30 is subnetted, 1 subnets
B 2.6.2.0 [200/0] via 210.0.0.3, 00:11:04
     150.10.0.0/32 is subnetted, 1 subnets
S 150.10.0.2 is directly connected, Serial1/0.1
     150.13.0.0/30 is subnetted, 1 subnets
C 150.13.0.0 is directly connected, Serial1/0.1
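An added consistency check for the Bern config above (my code, not from the thread or from Cisco): it parses the stanzas that matter for Tunnel0 and reports whether the tunnel's transport VRF (set by the `tunnel vrf` interface command; when absent, GRE endpoints are resolved in the global routing table) matches the VRF of the tunnel's source interface, and whether an OSPF process in the tunnel's own VRF has a network statement covering the tunnel address. It assumes the running image supports `tunnel vrf`, which the thread does not confirm for the 12.2(8)T image; the sample lines are copied from the Bern config.

```python
import ipaddress
# Constructed sample: the stanzas of the Bern config above that matter for Tunnel0.
BERN = """\
interface Tunnel0
 ip vrf forwarding Hub-1
 ip address 11.101.0.1 255.255.255.252
 tunnel source Serial1/0.1
interface Serial1/0.1 point-to-point
 ip vrf forwarding Hub-1
router ospf 10 vrf Hub-1
 network 11.101.0.0 0.0.0.255 area 0
"""

def stanzas(cfg):
    """Group an IOS config into (header, [indented child lines]) pairs; '!' and blanks dropped."""
    out = []
    for line in cfg.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            out.append((line.strip(), []))
    return out

def child(body, prefix):  # argument of the first child line starting with prefix, else None
    return next((l[len(prefix):].strip() for l in body if l.startswith(prefix + " ")), None)

def ospf_covers(body, ip):
    """True if a 'network A W area X' line in body matches ip under wildcard mask W."""
    a = int(ipaddress.IPv4Address(ip))
    nets = (l.split()[1:3] for l in body if l.startswith("network "))
    return any((a ^ int(ipaddress.IPv4Address(n))) & ~int(ipaddress.IPv4Address(w)) & 0xFFFFFFFF == 0
               for n, w in nets)

def audit_tunnels(cfg):
    """Per tunnel: transport VRF vs. source-interface VRF, and OSPF coverage in the inner VRF."""
    st = stanzas(cfg)
    ifaces = {h.split()[1]: b for h, b in st if h.startswith("interface ")}
    findings = []
    for name, body in ((n, b) for n, b in ifaces.items() if n.startswith("Tunnel")):
        inner_vrf = child(body, "ip vrf forwarding")  # VRF that routes the decapsulated packets
        outer_vrf = child(body, "tunnel vrf")  # absent: tunnel endpoints resolved in the global table
        src_vrf = child(ifaces.get(child(body, "tunnel source"), []), "ip vrf forwarding")
        if src_vrf != outer_vrf:
            findings.append(f"{name}: source interface VRF {src_vrf} != transport VRF {outer_vrf or 'global'}")
        ip = (child(body, "ip address") or "0.0.0.0").split()[0]
        procs = [b for h, b in st if h.startswith("router ospf ")
                 and (h.split()[4] if " vrf " in h else None) == inner_vrf]
        if not any(ospf_covers(b, ip) for b in procs):
            findings.append(f"{name}: no OSPF process in VRF {inner_vrf or 'global'} covers {ip}")
    return findings
```

Running `audit_tunnels(BERN)` reports the source-interface/transport VRF mismatch for Tunnel0 and finds the OSPF 10 vrf Hub-1 network statement does cover 11.101.0.1.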



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:46 EDT