[c-nsp] IPSec crypto map on MPLS enabled interface?

Peter Rathlev peter at rathlev.dk
Mon Mar 8 12:33:21 EST 2010


On Mon, 2010-03-08 at 18:47 +0200, John Kougoulos wrote:
> On Mon, 8 Mar 2010, Peter Rathlev wrote:
> > crypto isakmp profile Crypto-Profile-TEST
> > vrf INSIDE-VRF
> > keyring Crypto-Keyring-TEST
> > match identity address 172.16.0.1 255.255.255.255 OUTSIDE-VRF
> > initiate mode aggressive
> > !
> 
> not sure, but maybe you should put this profile in vrf OUTSIDE-VRF ?

That's a little embarrassing. I was certain that it was supposed to be
the inside VRF, cf.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1054317

I had actually started backtracking, simplifying the configuration as
much as possible. I was down to one physical interface in the outside
VRF and one physical interface in the inside VRF, and it still didn't
work.

I then tried changing the ISAKMP profile VRF, et voila, it worked. :-)

I have reloaded the box to make sure it's not just good luck that it
works now. It seems to work fine after a reload, with MPLS on the core
facing interfaces.

In the meantime I found this article:

http://blog.ioshints.info/2009/09/encrypting-p-to-p-router-traffic.html


