[c-nsp] IPSec crypto map on MPLS enabled interface?

Phil Mayers p.mayers at imperial.ac.uk
Mon Mar 8 11:18:13 EST 2010


On 08/03/10 15:27, Peter Rathlev wrote:
> I'm too stupid to make this work. :-)
>
> What I'm trying is:
>
> - NPE-G1 running 12.4(25c) Ent. IPSec 3DES (c7200-jk9s-mz.124-25c.bin)
> - Configured as "standard" MPLS PE in our network
> - Loopback-interface to terminate GRE tunnel on "outside" VRF
> - Tunnel-interface in "inside" VRF
> - No other interfaces apart from the global MPLS enabled
> - (Using a SA-VAM2, but I assume this is irrelevant)
> - Has to use crypto map + GRE tunnel because of other end

We experience the same problem here on a 2821 with the exact same config 
(GRE protected by IPSec, VPN router is a PE).

The irritating thing is that, in the "stable" routing topology it works 
because the border router is directly adjacent to the VPN router and the 
packets arrive at the VPN router unlabelled. But if we fail over to our 
2nd internet connection the packets arrive at the VPN router labelled 
and it fails :o(

A colleague of a colleague seems to think it's possible to make it work 
"with a different syntax" but I'm not sure what that means. The 
suggestion made was:

tunnel protection ipsec profile ...

...config format. Possibly this is the bit you're unable to use.

If you find out, I'd love to know.

