[c-nsp] MPLS and IPSEC co-working (reviving an old thread)

Luan Nguyen luan at netcraftsmen.net
Sun Oct 5 22:21:31 EDT 2008


You could encrypt the GRE tunnel.  Everything that traverses the tunnel will get
encrypted.
On CORE-DIA-1:

! IKE phase 1 policy: AES-256, pre-shared key, DH group 5
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
! pre-shared key for the tunnel peer (the remote tunnel source address)
crypto isakmp key cisco address 172.16.0.98
! dead peer detection: probe every 10 s, retry every 4 s
crypto isakmp keepalive 10 4 periodic
!
! IPsec phase 2: ESP with AES-256 and SHA-1 HMAC. Transport mode is enough
! here because the GRE delivery header already provides the outer IP header.
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile foo
 set transform-set TEST
 set pfs group5
!
! GRE tunnel carrying LDP/MPLS; "tunnel protection" binds the IPsec profile
! so every packet entering the tunnel is encrypted.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1436
 mpls ip
 mpls mtu 1508
 keepalive 1 3
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.98
 tunnel protection ipsec profile foo

Just the reverse on the other side.

You, and the original poster, could do IPSEC encryption between CEs of the
MPLS VPN by using GET-VPN (if you don't want to do that encrypted L2TPv3
suggestion :))
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/product_data_sheet0900aecd80582067.html
The CE-to-CE routing remains the same, with added security.


-----------------------------------------------------------------------------------------------------------------------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
-----------------------------------------------------------------------------------------------------------------------------------------------------
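A check worth running before settling on the tunnel's "ip mtu" and "ip tcp adjust-mss" values is the encapsulation overhead: MPLS labels, the GRE header, and the ESP header, IV, padding, trailer and ICV all have to fit inside the physical link MTU, or the outer packets fragment (and IPsec plus fragmentation is a common source of "tunnel is up but large transfers hang" reports). The following Python script is an added example, not code from the original post; it models ESP transport mode with the transform set shown above (esp-aes 256 esp-sha-hmac, i.e. AES-CBC with a 16-byte IV and HMAC-SHA1-96) over plain GRE. The 1500-byte FastEthernet link and the two-label L3VPN stack are assumptions, as are the function names.

```python
"""Added example (not from the original post): encapsulation-overhead check
for MPLS over GRE protected by IPsec ESP in transport mode, matching the
transform set "esp-aes 256 esp-sha-hmac" with "mode transport".
The 1500-byte physical link and the two-label L3VPN stack are assumptions."""

# Fixed header sizes in bytes.
OUTER_IPV4 = 20        # GRE delivery header; transport mode reuses it as the ESP outer header
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
GRE_HEADER = 4         # plain GRE, no key/sequence/checksum options in the config above
MPLS_LABEL = 4         # one label stack entry
IPV4_TCP_HEADERS = 40  # inner IPv4 (20) + TCP (20) without options

# Transform-set dependent sizes for esp-aes 256 esp-sha-hmac.
AES_BLOCK = 16         # AES-CBC block size; also the length of the per-packet IV
SHA1_ICV = 12          # HMAC-SHA1-96 integrity check value


def padding_for(inner_len: int, labels: int) -> int:
    """ESP padding needed so the encrypted region (GRE + labels + inner
    packet + trailer) is a whole number of AES blocks."""
    plaintext = GRE_HEADER + labels * MPLS_LABEL + inner_len + ESP_TRAILER
    return (-plaintext) % AES_BLOCK


def outer_packet_size(inner_len: int, labels: int) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes after
    MPLS + GRE + ESP (transport mode) encapsulation."""
    plaintext = (GRE_HEADER + labels * MPLS_LABEL + inner_len + ESP_TRAILER
                 + padding_for(inner_len, labels))
    return OUTER_IPV4 + ESP_HEADER + AES_BLOCK + plaintext + SHA1_ICV


def max_inner_ip_mtu(link_mtu: int, labels: int) -> int:
    """Largest inner IP packet that fits in link_mtu without fragmenting the
    outer packet: the upper bound for 'ip mtu' on the tunnel interface."""
    budget = link_mtu - OUTER_IPV4 - ESP_HEADER - AES_BLOCK - SHA1_ICV
    encrypted = budget - budget % AES_BLOCK   # whole AES blocks only
    return encrypted - ESP_TRAILER - GRE_HEADER - labels * MPLS_LABEL


def tcp_mss_for(ip_mtu: int) -> int:
    """MSS that keeps a full TCP segment inside the tunnel IP MTU."""
    return ip_mtu - IPV4_TCP_HEADERS


def check_tunnel(link_mtu: int, ip_mtu: int, adjust_mss: int, labels: int) -> dict:
    """Compare configured tunnel values against the computed limits."""
    limit = max_inner_ip_mtu(link_mtu, labels)
    return {
        "max_inner_ip_mtu": limit,
        "ip_mtu_fits": ip_mtu <= limit,
        "largest_outer_packet": outer_packet_size(ip_mtu, labels),
        "recommended_mss": tcp_mss_for(ip_mtu),
        "mss_fits": adjust_mss <= tcp_mss_for(ip_mtu),
    }


if __name__ == "__main__":
    # Assumed values: 1500-byte link, ip mtu 1420, adjust-mss 1380,
    # two labels (LDP transport label + VPN label).
    print(check_tunnel(1500, 1420, 1380, 2))
```

Feed it the "ip mtu" and "adjust-mss" values from your own Tunnel0 stanza to see whether they leave headroom. Two labels is the conservative case; between directly adjacent PEs with penultimate-hop popping only the VPN label is carried, so labels=1 is often the real count. If the transform set changes (for example to AES-GCM, which has a different IV and ICV length), the two constants at the top are the only ones to adjust.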

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christopher Hunt
Sent: Sunday, October 05, 2008 3:01 PM
To: cisco-nsp
Subject: Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)

For simplicity's sake let's say that I have 2 7206VXRs running
advip-12.4(9)T2. They're in separate cities, each has a direct Internet feed
plus a L2 feed between them. Each one is a PE, and running L3VPNs for
customers. I use OSPF as an IGP. Everything's working great, but I want to
build VPN failover in case the L2 feed between them goes down.

Since the backup is a L3 service, MPLSoGRE seems the best option for me.
At the same time, I want to encrypt ***at least the customer vrf
traffic*** when it uses the L3 MPLSoGRE path.  I'm no wiz with IPSec,
unfortunately, and am struggling to understand the process.

I've got the GRE Tunnels up and failing over but can't seem to understand
how to encrypt the customer data.  See attached configs.
Anyone have any pointers?  See
http://markmail.org/message/lob467v2oxc6my5x for the original thread


onward through the fog,
Christopher Hunt

-------- Original Message --------
Subject:	[c-nsp] MPLS and IPSEC co-working
From:	Oliver Boehmer (oboehmer) (oboe... at cisco.com)
Date:	08/16/2007 09:31:25 AM
List:	net.nether.puck.cisco-nsp

 >Andris Zarins <> wrote on Thursday, August 16, 2007 1:44 PM:
 >
 >Hi,
 >
 >Network setup is pretty trivial - three routers running MPLS (LDP
 >full-mesh) to support 20+ MPLS VPNs. Tricky part is that the customer is
 >asking to secure that infrastructure by running IPSEC (3DES). As far
 >as I know, I cannot run LDP over Tunnel interfaces, and crypto-maps
 >will not help either. The concept of running IPSEC between CPEs doesn't
 >make sense, as there are no CPEs :(
 >
 >Question is - is VRF-Lite plus back-to-back connectivity, like option
 >A for inter-AS MPLS, the only viable option I have, or am I missing
 >something and there are other, more scalable ways to do it?
 >
well, you can run MPLSoGRE at least on SW-based platforms (like the 7200),
haven't checked for 6500/7600 or GSR.. You could also use BGP-L3VPN over
L2TPv3 and then encrypt the L2TPv3 traffic using crypto-maps..

Not a complete solution, I know..

oli



