[c-nsp] [Fwd: Re: MPLS and IPSEC co-working (reviving an old thread)]

Christopher Hunt chunt at reachone.com
Sat Oct 18 15:37:54 EDT 2008


Luan,
	To recap: applying an IPSEC crypto-map to the WAN physical interface 
works, but applying IPSEC to Tunnel Protection breaks end-to-end vrf 
connections.  I have a feeling it is a combination of these two 
statements from Cisco:

from 
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml:
"There are two key differences between when you use a crypto-map and 
when you use tunnel protection:
     *The IPSec crypto-map is tied to the physical interface and is 
checked as packets are forwarded out the physical interface. Note: The 
GRE tunnel has already GRE encapsulated the packet by this point.
     *Tunnel protection ties the encryption functionality to the GRE 
tunnel and is checked after the packet is GRE encapsulated but before 
the packet is handed to the physical interface."

and from 
http://www.cisco-ri.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/ngwanearch.html#wp1000241:
"currently there are no mechanisms that allow for encryption of 
labelled packets."


So I'll stick with crypto-maps for now.  I'm definitely looking into the 
very interesting link you provided re: GET-VPN.  Thanks again...

Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com
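A defender-side check that follows from the crypto-map vs. tunnel-protection distinction above, added here as an example and not part of the thread: a small parser that walks outer IPv4 -> GRE -> MPLS and reports whether a packet leaving the physical interface still carries its label stack in the clear, which is what you would want to confirm before trusting that customer vrf traffic is encrypted on the MPLSoGRE path. Addresses, labels and the ESP payload are constructed sample values.

```python
import struct

IPPROTO_GRE, IPPROTO_ESP, ETHERTYPE_MPLS = 47, 50, 0x8847  # IP protocols; GRE type for MPLS

def ipv4(src, dst, proto, payload):
    """Minimal outer IPv4 header (no options, checksum left zero) + payload."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, s, d) + payload

def gre_mpls(labels, inner=b"\x45" + b"\x00" * 19):
    """GRE (no optional fields) carrying an MPLS label stack in front of an inner IP stub."""
    stack = b""
    for i, lbl in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0          # S bit on the last entry
        stack += struct.pack("!I", (lbl << 12) | (bottom << 8) | 255)  # EXP=0, TTL=255
    return struct.pack("!HH", 0, ETHERTYPE_MPLS) + stack + inner

def classify(pkt):
    """Walk outer IPv4 -> GRE -> MPLS; report whether the label stack is visible in the clear."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == IPPROTO_ESP:                               # ESP: payload opaque, labels protected
        return {"encrypted": True, "labels": None, "spi": struct.unpack("!I", pkt[ihl:ihl + 4])[0]}
    if proto != IPPROTO_GRE:
        return {"encrypted": False, "labels": None, "spi": None}
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    off = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):                   # GRE checksum, key, sequence present?
        if flags & bit:
            off += 4
    labels = None
    if ptype == ETHERTYPE_MPLS:
        labels = []
        while True:
            entry = struct.unpack("!I", pkt[off:off + 4])[0]
            labels.append(entry >> 12)
            off += 4
            if entry & 0x100:                              # bottom-of-stack bit
                break
    return {"encrypted": False, "labels": labels, "spi": None}

def unprotected_labelled(pkts):
    """Indices of packets whose MPLS label stack is readable on the wire."""
    return [i for i, p in enumerate(pkts) if classify(p)["labels"]]

# Constructed samples (RFC 5737 addresses): transport label 16 + VPN label 100, in the clear vs. inside ESP.
CLEAR = ipv4("192.0.2.1", "192.0.2.2", IPPROTO_GRE, gre_mpls([16, 100]))
ESP_STUB = struct.pack("!II", 0x1234, 1) + b"\x00" * 40   # SPI, sequence, placeholder ciphertext
PROTECTED = ipv4("192.0.2.1", "192.0.2.2", IPPROTO_ESP, ESP_STUB)
```

Run it against packets captured on the tunnel-source interface (not on Tunnel0, where everything is still unencrypted by design) and any index returned by unprotected_labelled is labelled traffic that left the router in the clear.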

-------- Original Message --------
Subject: Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)
Date: Fri, 17 Oct 2008 16:27:51 -0700
From: Christopher Hunt <chunt at reachone.com>
To: Luan Nguyen <luan at netcraftsmen.net>
CC: 'cisco-nsp' <cisco-nsp at puck.nether.net>
References: <48E90EEA.5090305 at reachone.com> 
<001501c9275a$3f35f350$bda1d9f0$@net>

Luan,
Thanks for your excellent and detailed reply.  I was able to get the
tunnels up and passing encrypted traffic (after adding the "tunnel mode
ipsec ipv4" command to the tunnel).  LDP and OSPF came right up too.
The interesting bit is that I have no end-to-end vrf connectivity.  In
other words:

CORE-DIA-1#sh ip ro vrf CustA

Routing Table: CustA
.....
Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 2 subnets
B       10.1.1.1 [200/0] via 192.168.255.252, 00:23:06
C       10.0.0.1 is directly connected, Loopback100

CORE-DIA-1#ping vrf CustA 10.1.1.1 source 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
.....
Success rate is 0 percent (0/5)

CORE-DIA-1#sho ip ro 192.168.255.252
Routing entry for 192.168.252/32
   Known via "ospf 100", distance 110, metric 11112, type intra area
   Last update from 10.0.0.2 on Tunnel0, 00:02:34 ago
   Routing Descriptor Blocks:
   * 10.0.0.2, from 192.168.255.252, 00:02:34 ago, via Tunnel0
       Route metric is 11112, traffic share count is 1


      It worked until I added the "tunnel protection ipsec profile foo"
bit.  I can still ping loopbacks etc. in the Default-IP-Routing-Table. I
had it working in an alternate config, with a crypto map applied to the
physical interface that is the tunnel-source. Any idea why this might be?

Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com

Luan Nguyen wrote:
> You could encrypt the GRE tunnel.  Everything traverse the tunnel will get
> encrypted.
> On CORE-DIA-1
> 
> crypto isakmp policy 10
>  encr aes 256
>  authentication pre-share
>  group 5
> crypto isakmp key cisco address 172.16.0.98
> crypto isakmp keepalive 10 4 periodic
> !
> !
> crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile foo
>  set transform-set TEST
>  set pfs group5
> !
> !
> interface Tunnel0
>  ip address 10.0.0.2 255.255.255.252
>  ip mtu 1420  
>  ip tcp adjust-mss 1436
>  mpls ip
>  mpls mtu 1508
>  keepalive 1 3
>  tunnel source FastEthernet0/0
>  tunnel destination 172.16.0.98
>  tunnel protection ipsec profile foo
> 
> Just the reverse on the other side.
> 
> You, and the original poster, could do IPSEC encryption between CEs of the
> MPLS VPN by using GET-VPN (if don't want to do that encrypted L2TPv3
> suggestion :))
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/product_data_sheet0900aecd80582067.html
> The CE-to-CE routing remains the same, with added security.
> 
> 
> ----------------------------------------------------------------------------
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> www.NetCraftsmen.net
> ----------------------------------------------------------------------------
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christopher Hunt
> Sent: Sunday, October 05, 2008 3:01 PM
> To: cisco-nsp
> Subject: Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)
> 
> For simplicity's sake let's say that I have 2 7206VXRs running
> advip-12.4(9)T2. They're in separate cities, each has a direct Internet feed
> plus a L2 feed between them. Each one is a PE, and running L3VPNs for
> customers. I use OSPF as an IGP. Everything's working great, but I want to
> build VPN failover in case the L2 feed between them goes down.
> 
> Since the backup is a L3 service, MPLSoGRE seems the best option for me. 
> At the same time, I want to encrypt ***at least the customer vrf
> traffic*** when it uses the L3 MPLSoGRE path.  I'm no wiz with IPSec
> unfortunately and am struggling to understand the process.
> 
> I've got the GRE Tunnels up and failing over but can't seem to understand
> how to encrypt the customer data.  See attached configs. 
> Anyone have any pointers?  See
> http://markmail.org/message/lob467v2oxc6my5x for original thread
> 
> 
> onward through the fog,
> Christopher Hunt
> 
> -------- Original Message --------
> Subject:	[c-nsp] MPLS and IPSEC co-working
> From:	Oliver Boehmer (oboehmer) (oboe... at cisco.com)
> Date:	08/16/2007 09:31:25 AM
> List:	net.nether.puck.cisco-nsp
> 
> >Andris Zarins <> wrote on Thursday, August 16, 2007 1:44 PM:
> >
> >Hi,
> >
> >Network setup is pretty trivial - three routers running MPLS (LDP
> >full-mesh) to support 20+ MPLS VPNs. Tricky part is that customer is
> >asking to secure that infrastructure by running IPSEC (3DES). As far as I
> >know, I can not run LDP over Tunnel interfaces, and crypto-maps will not
> >help also. Concept of running IPSEC between CPEs doesn't make sense, as
> >there are no CPEs :(
> >
> >Question is - is VRF-Lite plus back-to-back connectivity, like option
> >A for inter AS MPLS, the only viable option I have, or I'm missing
> >something and there are other, more scalable ways to do it?
> 
> well, you can run MPLSoGRE at least on SW-based platforms (like the 7200),
> haven't checked for 6500/7600 or GSR.. You could also use BGP-L3VPN over
> L2TPv3 and then encrypt the L2TPv3 traffic using crypto-maps..
> 
> Not a complete solution, I know..
> 
> oli
> 
> 


-- 
Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com