[c-nsp] IPSec to MPLS VPN

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Tue Apr 25 12:56:28 EDT 2006


Kristofer Sigurdsson <mailto:kristosig at gmail.com> wrote on Tuesday,
April 25, 2006 5:57 PM:

> Hi,
> 
>> I have never used MPLS on the 1841, but on other platforms there is
>> (almost) nothing wrong running such a setup "on-a-stick", i.e. having
>> "crypto map" and "mpls ip" on the same interface. The only caveat is
> 
> I do remember trying to implement a solution on a 7200 a couple of
> years ago, where the IPSec clients came in from wherever and were
> supposed to be able to go anywhere (i.e. they could browse the general
> Internet through us, even though they were connected to the Internet
> via some other provider).  This did not work because IOS wouldn't
> allow traffic to exit the router on the same interface as it came in
> on.  If I remember correctly, we were using some 12.3T variant.
> According to Cisco TAC, this could not be done.  Has this been
> changed, or is that not applicable in this scenario?

I am not an IPSec expert, but I can't recall such a restriction in IOS.
Can you send me the TAC SR# so I can take a look (might take some time).
But even if there was, this doesn't apply to your setup as the traffic
will terminate in the vrf.

>> I am not sure if this has ever been tested on the low-end devices
>> like the 1841. Can you check your config on a different platform
>> (7200/7301, etc.)?
> 
> I do have a 7301 and a 2851 in my lab, I'll give it a go tomorrow.

Yes, please check on the 7301. If it still doesn't work, a config would
help. Please check a recent 12.3(14)T rebuild or 12.4.

	oli


