[c-nsp] MPLS and IPSEC co-working (reviving an old thread)

Christopher Hunt chunt at reachone.com
Sun Oct 5 15:00:58 EDT 2008


For simplicity's sake let's say that I have 2 7206VXRs running 
advip-12.4(9)T2. They're in separate cities, each has a direct Internet 
feed plus a L2 feed between them. Each one is a PE, and running L3VPNs 
for customers. I use OSPF as an IGP. Everything's working great, but I 
want to build VPN failover in case the L2 feed between them goes down.

Since the backup is an L3 service, MPLSoGRE seems the best option for me. 
At the same time, I want to encrypt ***at least the customer vrf 
traffic*** when it uses the L3 MPLSoGRE path.  I'm no wiz with IPSec, 
unfortunately, and am struggling to understand the process.

I've got the GRE Tunnels up and failing over but can't seem to 
understand how to encrypt the customer data.  See attached configs. 
Anyone have any pointers?  See 
http://markmail.org/message/lob467v2oxc6my5x for the original thread.


onward through the fog,
Christopher Hunt

-------- Original Message --------
Subject:	[c-nsp] MPLS and IPSEC co-working
From:	Oliver Boehmer (oboehmer) (oboe... at cisco.com)
Date:	08/16/2007 09:31:25 AM
List:	net.nether.puck.cisco-nsp

 >Andris Zarins <> wrote on Thursday, August 16, 2007 1:44 PM:
 >
 >Hi,
 >
 >Network setup is pretty trivial - three routers running MPLS (LDP 
 >full-mesh) to support 20+ MPLS VPNs. Tricky part is that the customer is 
 >asking to secure that infrastructure by running IPSEC (3DES). As far 
 >as I know, I can not run LDP over Tunnel interfaces, and crypto-maps 
 >will not help either. The concept of running IPSEC between CPEs doesn't 
 >make sense, as there are no CPEs :(
 >
 >Question is - is VRF-Lite plus back-to-back connectivity, like option 
 >A for inter-AS MPLS, the only viable option I have, or am I missing 
 >something and there are other, more scalable ways to do it?
 >
well, you can run MPLSoGRE at least on SW-based platforms (like the 
7200), haven't checked for 6500/7600 or GSR.. You could also use 
BGP-L3VPN over L2TPv3 and then encrypt the L2TPv3 traffic using 
crypto-maps..

Not a complete solution, I know..

oli

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: MPLSoGRE-san.txt
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20081005/3df34943/attachment.txt>
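A worked example of the encryption step, added here and not taken from the thread or from the attached MPLSoGRE-san.txt: one PE side of a GRE tunnel with IPsec tunnel protection, which is the IOS way to encrypt everything that enters the tunnel (LDP, the IGP and the labelled VRF traffic alike) without a crypto map. Hostnames, addresses (RFC 5737 203.0.113.0/24 for the Internet side), the pre-shared key, profile names, the OSPF cost and the MTU value are assumed; the command set also assumes the image supports AES and DH group 5, which should be checked on the actual platform. PE2 mirrors this with tunnel source/destination and tunnel address swapped.

```cisco
! Added example, not from the thread or the attached configs.
! PE1 side only. All names, addresses and the key are assumed values.
!
! --- Phase 1 (IKE) between the two Internet-facing addresses ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
! Assumed placeholder key; use a long random PSK (or certificates).
crypto isakmp key ChangeMe-UseAStrongPSK address 203.0.113.2
!
! --- Phase 2 (IPsec) ---
! Transport mode is enough: the GRE header already carries the outer
! addresses, so tunnel mode would only add another 20-byte IP header.
crypto ipsec transform-set MPLSoGRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile MPLSoGRE-PROT
 set transform-set MPLSoGRE-TS
!
! --- The GRE tunnel that carries LDP and the labelled customer traffic ---
! "mpls ip" on the tunnel is what makes it MPLSoGRE; "tunnel protection"
! encrypts every packet entering the tunnel, labels included.
! The IP MTU is lowered (assumed value) to leave room for GRE + ESP on a
! 1500-byte Internet path; the OSPF cost is set above the L2 link so the
! tunnel is only used when that link is down.
interface Tunnel0
 description Backup MPLSoGRE to PE2 over Internet, IPsec protected
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip ospf cost 1000
 mpls ip
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile MPLSoGRE-PROT
!
! Verification: no IPsec SA means labelled traffic is leaving in the clear.
!  show crypto isakmp sa
!  show crypto ipsec sa peer 203.0.113.2
!  show mpls ldp neighbor
!  show mpls forwarding-table
```

Caveat: this protects only the backup path. Traffic on the direct L2 feed stays unencrypted, and while the tunnel is the active path a check that `show crypto ipsec sa` reports encrypt/decrypt counters climbing is the quickest confirmation that customer traffic is actually inside ESP rather than bypassing it.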


More information about the cisco-nsp mailing list