[c-nsp] IPSec to MPLS VPN

Kristofer Sigurdsson kristosig at gmail.com
Tue Apr 25 11:57:12 EDT 2006


Hi,

> I have never used MPLS on the 1841, but on other platforms there is
> (almost) nothing wrong running such a setup "on-a-stick", i.e. having
> "crypto map" and "mpls ip" on the same interface. The only caveat is

I do remember trying to implement a solution on a 7200 a couple of
years ago, where the IPSec clients came in from wherever and were
supposed to be able to go anywhere (i.e. they could browse the general
Internet through us, even though they were connected to the Internet
via some other provider).  This did not work because IOS wouldn't
allow traffic to exit the router on the same interface as it came in
on.  If I remember correctly, we were using some 12.3T variant. 
According to Cisco TAC, this could not be done.  Has this been
changed, or is that not applicable in this scenario?

> that IOS can't encrypt and tag-encapsulate the packets at the same time,
> i.e. the encrypted packets (those in the global routing context) back to
> your IPSec peer will not be tag-switched but rather sent as IP, so your
> next-hop needs to encapsulate them into MPLS (if desired).

I can live with that - I just need plain IP connectivity to my IPSec peers.

>
> I am not sure if this has ever been tested on the low-end devices like
> the 1841. Can you check your config on a different platform (7200/7301,
> etc.)?

I do have a 7301 and a 2851 in my lab, I'll give it a go tomorrow.

Thanks a lot for your insight on the problem.

-Kristo


