[c-nsp] MPLS and IPSEC co-working (reviving an old thread)

Christopher Hunt chunt at reachone.com
Fri Oct 17 19:27:51 EDT 2008


Luan,
Thanks for your excellent and detailed reply.  I was able to get the 
tunnels up and passing encrypted traffic (after adding the "tunnel mode 
ipsec ipv4" command to the tunnel).  LDP and OSPF came right up too. 
The interesting bit is that I have no end-to-end vrf connectivity.  In 
other words:

CORE-DIA-1#sh ip ro vrf CustA

Routing Table: CustA
.....
Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 2 subnets
B       10.1.1.1 [200/0] via 192.168.255.252, 00:23:06
C       10.0.0.1 is directly connected, Loopback100

CORE-DIA-1#ping vrf CustA 10.1.1.1 source 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
.....
Success rate is 0 percent (0/5)

CORE-DIA-1#sho ip ro 192.168.255.252
Routing entry for 192.168.252/32
   Known via "ospf 100", distance 110, metric 11112, type intra area
   Last update from 10.0.0.2 on Tunnel0, 00:02:34 ago
   Routing Descriptor Blocks:
   * 10.0.0.2, from 192.168.255.252, 00:02:34 ago, via Tunnel0
       Route metric is 11112, traffic share count is 1


      It worked until I added the "tunnel protection ipsec profile foo" 
bit.  I can still ping loopbacks etc. in the Default-IP-Routing-Table. I 
had it working in an alternate config, with a crypto map applied to the 
physical interface that is the tunnel-source. Any idea why this might be?

Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com

Luan Nguyen wrote:
> You could encrypt the GRE tunnel.  Everything that traverses the tunnel will
> get encrypted.
> On CORE-DIA-1
> 
> crypto isakmp policy 10
>  encr aes 256
>  authentication pre-share
>  group 5
> crypto isakmp key cisco address 172.16.0.98
> crypto isakmp keepalive 10 4 periodic
> !
> !
> crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile foo
>  set transform-set TEST
>  set pfs group5
> !
> !
> interface Tunnel0
>  ip address 10.0.0.2 255.255.255.252
>  ip mtu 1420  
>  ip tcp adjust-mss 1436
>  mpls ip
>  mpls mtu 1508
>  keepalive 1 3
>  tunnel source FastEthernet0/0
>  tunnel destination 172.16.0.98
>  tunnel protection ipsec profile foo
> 
> Just the reverse on the other side.
> 
> You, and the original poster, could do IPSEC encryption between CEs of the
> MPLS VPN by using GET-VPN (if you don't want to do that encrypted L2TPv3
> suggestion :))
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/product_data_sheet0900aecd80582067.html
> The CE-to-CE routing remains the same, with added security.
> 
> 
> ----------------------------------------------------------------------------
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> www.NetCraftsmen.net
> ----------------------------------------------------------------------------
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christopher Hunt
> Sent: Sunday, October 05, 2008 3:01 PM
> To: cisco-nsp
> Subject: Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)
> 
> For simplicity's sake let's say that I have 2 7206VXRs running
> advip-12.4(9)T2. They're in separate cities, each has a direct Internet feed
> plus a L2 feed between them. Each one is a PE, and running L3VPNs for
> customers. I use OSPF as an IGP. Everything's working great, but I want to
> build VPN failover in case the L2 feed between them goes down.
> 
> Since the backup is a L3 service, MPLSoGRE seems the best option for me.
> At the same time, I want to encrypt ***at least the customer vrf
> traffic*** when it uses the L3 MPLSoGRE path.  I'm no wiz with IPSec
> unfortunately and am struggling to understand the process.
> 
> I've got the GRE Tunnels up and failing over but can't seem to understand
> how to encrypt the customer data.  See attached configs. 
> Anyone have any pointers?  See
> http://markmail.org/message/lob467v2oxc6my5x for original thread
> 
> 
> onward through the fog,
> Christopher Hunt
> 
> -------- Original Message --------
> Subject:	[c-nsp] MPLS and IPSEC co-working
> From:	Oliver Boehmer (oboehmer) (oboe... at cisco.com)
> Date:	08/16/2007 09:31:25 AM
> List:	net.nether.puck.cisco-nsp
> 
>  >Andris Zarins <> wrote on Thursday, August 16, 2007 1:44 PM:
>  >
>  >Hi,
>  >
>  >Network setup is pretty trivial - three routers running MPLS (LDP
>  >full-mesh) to support 20+ MPLS VPNs. Tricky part, is that customer is
>  >asking to secure that infrastructure by running IPSEC (3DES). As far as I
>  >know, I cannot run LDP over Tunnel interfaces, and crypto-maps will not
>  >help also. Concept of running IPSEC between CPEs doesn't make sense, as
>  >there are no CPEs :(
>  >
>  >Question is - is VRF-Lite plus back-to-back connectivity, like option
>  >A for inter AS MPLS, the only viable option I have, or I'm missing
>  >something and there are other, more scalable ways to do it?
> well, you can run MPLSoGRE at least on SW-based platforms (like the 7200),
> haven't checked for 6500/7600 or GSR.. You could also use BGP-L3VPN over
> L2TPv3 and then encrypt the L2TPv3 traffic using crypto-maps..
> 
> Not a complete solution, I know..
> 
> oli
> 
> 
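Added example for this thread (editor's code, not posted by any participant): a small lint pass over an IOS configuration that flags the pitfalls that bite an encrypted MPLS-over-GRE backup path. The rules it encodes are: "mpls ip" on a tunnel that is in "tunnel mode ipsec ipv4" (an IPsec VTI encapsulates IP packets only, so LDP and OSPF sessions come up but labeled VPN packets are not forwarded through it); an MPLS tunnel with no "tunnel protection", which sends the VPN traffic in cleartext; dictionary or short ISAKMP pre-shared keys; Diffie-Hellman or PFS groups below 14; DES/3DES/MD5 transforms; and an "ip tcp adjust-mss" larger than "ip mtu" minus 40 bytes of IPv4+TCP header. The thresholds, the weak-key list and the severity labels are this example's own assumptions, the parser assumes IOS-style text (top-level commands at column 0, sub-commands indented by one space), and the sample configurations are constructed: one modelled on the tunnel configuration quoted above, plus a variant with "tunnel mode ipsec ipv4" added.

```python
"""IOS config lint for an encrypted MPLS-over-GRE path (added example).

Assumes IOS-style config text: top-level commands at column 0, sub-commands
indented by a space. Thresholds and the weak-key list are assumptions of
this example, not vendor guidance.
"""
import re

WEAK_PSKS = {"cisco", "cisco123", "password", "secret", "test"}  # assumed list
MIN_DH_GROUP = 14   # assumption: this example's own policy threshold
MIN_PSK_LEN = 16    # assumption: this example's own policy threshold

# Constructed sample, modelled on the tunnel configuration quoted in the thread.
SAMPLE_GRE = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 172.16.0.98
crypto isakmp keepalive 10 4 periodic
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile foo
 set transform-set TEST
 set pfs group5
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1436
 mpls ip
 mpls mtu 1508
 keepalive 1 3
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.98
 tunnel protection ipsec profile foo
"""
# Constructed variant: the same tunnel switched to an IPsec VTI.
SAMPLE_VTI = SAMPLE_GRE + " tunnel mode ipsec ipv4\n"


def parse_sections(text):
    """Group each top-level command with its indented sub-commands, in order."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def lint(text):
    """Return a list of (severity, message) findings for an IOS config."""
    findings = []
    for header, subs in parse_sections(text):
        if header.startswith("crypto isakmp key "):
            key = header.split()[3]
            if key.lower() in WEAK_PSKS or len(key) < MIN_PSK_LEN:
                findings.append(("HIGH", f"{header}: weak or short pre-shared key"))
        elif header.startswith("crypto isakmp policy"):
            for s in subs:
                m = re.match(r"group (\d+)$", s)
                if m and int(m.group(1)) < MIN_DH_GROUP:
                    findings.append(("MEDIUM", f"{header}: DH group {m.group(1)} below {MIN_DH_GROUP}"))
                if re.match(r"encr (des|3des)$", s):
                    findings.append(("MEDIUM", f"{header}: legacy IKE cipher '{s}'"))
        elif header.startswith("crypto ipsec transform-set"):
            if re.search(r"esp-(des|3des)\b|esp-md5-hmac", header):
                findings.append(("MEDIUM", f"{header}: legacy ESP algorithm"))
        elif header.startswith("crypto ipsec profile"):
            for s in subs:
                m = re.match(r"set pfs group(\d+)$", s)
                if m and int(m.group(1)) < MIN_DH_GROUP:
                    findings.append(("MEDIUM", f"{header}: PFS group {m.group(1)} below {MIN_DH_GROUP}"))
        elif header.startswith("interface Tunnel"):
            has_mpls = "mpls ip" in subs
            is_vti = "tunnel mode ipsec ipv4" in subs
            protected = any(s.startswith("tunnel protection ipsec profile") for s in subs)
            if has_mpls and is_vti:
                # A VTI forwards IP only: LDP/OSPF (IP) come up, labeled packets do not pass.
                findings.append(("HIGH", f"{header}: 'mpls ip' on an IPsec VTI; labeled VPN traffic will not be forwarded"))
            if has_mpls and not protected:
                findings.append(("HIGH", f"{header}: MPLS VPN traffic over this tunnel is sent in cleartext"))
            ip_mtu = mss = None
            for s in subs:
                m = re.match(r"ip mtu (\d+)$", s)
                if m:
                    ip_mtu = int(m.group(1))
                m = re.match(r"ip tcp adjust-mss (\d+)$", s)
                if m:
                    mss = int(m.group(1))
            if ip_mtu and mss and mss > ip_mtu - 40:  # 20 B IPv4 + 20 B TCP
                findings.append(("LOW", f"{header}: adjust-mss {mss} exceeds ip mtu {ip_mtu} - 40"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("GRE + tunnel protection", SAMPLE_GRE), ("IPsec VTI", SAMPLE_VTI)):
        print(f"== {name} ==")
        for sev, msg in lint(cfg):
            print(f"{sev:6} {msg}")
```

Run it as-is to see the findings for both constructed samples; feed it a real "show running-config" to check a live box. It does not understand crypto-map based designs (the "crypto map on the tunnel-source interface" variant mentioned above), only tunnel protection profiles.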

