[c-nsp] IPSec to MPLS VPN

Kristofer Sigurdsson kristosig at gmail.com
Tue Apr 25 09:33:52 EDT 2006


I tried to send this mail last week, but apparently, it didn't make it
to the list, trying again...

Hi,

I'm trying to set up IPSec access to an MPLS VPN via an 1841 router's
EasyVPN server.  The router is connected via one interface, which is
the router's general uplink, for both MPLS stuff and clients coming in
from various places.

So, to sum it up, users are supposed to VPN into the box and get put
in a VRF, which is a part of an MPLS VPN.  I've got most of it
working, I can VPN (via IPSec) to the box, I can ping between the box
and the client.  Also, the MPLS VPN is working, other routers on the
network can ping a loopback on the 1841, which is in that VRF, the
1841 can ping other addresses in the MPLS VPN.

The problem, however, is that the VPN clients cannot reach anything
beyond the 1841.  The route is redistributed, I can see that via "show
ip route vrf FOO <ip>" on the other routers, but no traffic is passed.
 Traceroute goes nowhere (just asterisks).

On a related note, the direct uplink router from the 1841, a 7301,
marks the routes with "MPLS Required" when I do a "show ip route vrf
FOO <ipaddress>", but it still works for the addresses on the 1841,
but not for its clients.

Please tell me this is not an example of Cisco's silly "you can't go
out the same interface you came in through" IPSec rule?

Thanks,
Kristo


