[c-nsp] IPSec to MPLS VPN

Kristofer Sigurdsson kristosig at gmail.com
Tue Apr 25 11:13:02 EDT 2006


To clarify: What I'm probably looking for is something similar to
"same-security-traffic permit inter-interface", which can be found on
the ASAs, in IOS for the 1841 router.

2006/4/25, Kristofer Sigurdsson <kristosig at gmail.com>:
> I tried to send this mail last week, but apparently, it didn't make it
> to the list, trying again...
>
> Hi,
>
> I'm trying to set up IPSec access to an MPLS VPN via an 1841 router's
> EasyVPN server.  The router is connected via one interface, which is
> the router's general uplink, for both MPLS stuff and clients coming in
> from various places.
>
> So, to sum it up, users are supposed to VPN into the box and get put
> in a VRF, which is a part of an MPLS VPN.  I've got most of it
> working, I can VPN (via IPSec) to the box, I can ping between the box
> and the client.  Also, the MPLS VPN is working, other routers on the
> network can ping a loopback on the 1841, which is in that VRF, the
> 1841 can ping other addresses in the MPLS VPN.
>
> The problem, however, is that the VPN clients cannot reach anything
> beyond the 1841.  The route is redistributed, I can see that via "show
> ip route vrf FOO <ip>" on the other routers, but no traffic is passed.
>  Traceroute goes nowhere (just asterisks).
>
> On a related note, the direct uplink router from the 1841, a 7301,
> marks the routes with "MPLS Required" when I do a "show ip route vrf
> FOO <ipaddress>", but it still works for the addresses on the 1841,
> but not for its clients.
>
> Please tell me this is not an example of Cisco's silly "you can't go
> out the same interface you came in through" IPSec rule?
>
> Thanks,
> Kristo
>


