[c-nsp] IPSec crypto map on MPLS enabled interface?
Leah Lynch (Contractor)
leah.lynch at clearwire.com
Mon Mar 8 13:34:45 EST 2010
Wow! That's a lot of encapsulation for each packet (Eth, GRE, MPLS,
IPSec)! I would suggest peeling back the layers to find where the
problem originates. I'd pull each upper-layer encapsulation off entirely
and make sure the MPLS with GRE is working first. Then, if that works,
put the IPSec back on, and at least then you know where to focus. I am
not sure this configuration would work: depending on when the frames are
encapsulated, they may not be matching your access list, due to the fact
that they are no longer IP/GRE frames but MPLS/IP/GRE.
Leah
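The encapsulation-order point above can be checked with a small model. The script below is an added illustration, not something from the thread or from IOS: it builds the header stack of a packet leaving Tunnel3320 (inner IP, then GRE with the tunnel source/destination from Peter's config) and, if the route towards 172.16.0.1 in OUTSIDE-VRF is label-switched, pushes MPLS labels on top before the packet hits the core-facing interface where the crypto map sits. The crypto ACL is then evaluated against the outermost header. The label values, the inner addresses and the assumption that an extended IP ACL cannot match a label-topped frame are constructed for the model.

```python
"""Model of the hypothesis in the reply above: a crypto ACL is evaluated
against the packet as it looks at the interface carrying the crypto map.
If MPLS labels were pushed before the GRE packet reaches the core-facing
interface, an ACL written for IP/GRE cannot match it.

Added illustration; not IOS code and not verified against the router in
the thread.  Addresses and names come from Peter's configuration, label
values and inner addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

GRE_PROTO = 47  # IP protocol number for GRE


@dataclass
class Header:
    kind: str                    # "ip", "gre" or "mpls"
    src: Optional[str] = None    # IP source, for "ip" headers
    dst: Optional[str] = None    # IP destination, for "ip" headers
    proto: Optional[int] = None  # IP protocol field, for "ip" headers
    label: Optional[int] = None  # label value, for "mpls" headers


@dataclass
class AclEntry:
    action: str
    proto: str
    src: str
    dst: str


def parse_acl_entry(line: str) -> AclEntry:
    """Parse the one ACL shape used in the thread: 'permit gre host A host B'."""
    tok = line.split()
    if len(tok) != 6 or tok[2] != "host" or tok[4] != "host":
        raise ValueError(f"unsupported ACL syntax: {line!r}")
    return AclEntry(action=tok[0], proto=tok[1], src=tok[3], dst=tok[5])


def acl_matches(entry: AclEntry, stack: List[Header]) -> bool:
    """Match the outermost header only.  An extended IP ACL needs an IP
    header on top; a label on top means there is nothing for it to match
    (constructed assumption of the model)."""
    outer = stack[0]
    if outer.kind != "ip":
        return False
    if entry.proto == "gre" and outer.proto != GRE_PROTO:
        return False
    return outer.src == entry.src and outer.dst == entry.dst


def gre_encapsulate(inner: List[Header], tunnel_src: str, tunnel_dst: str) -> List[Header]:
    """What Tunnel3320 does: outer IP (proto 47) + GRE around the inner packet."""
    return [Header("ip", tunnel_src, tunnel_dst, GRE_PROTO), Header("gre")] + inner


def forward_via(stack: List[Header], labels: List[int]) -> List[Header]:
    """Push labels if the route to the outer destination is label-switched;
    an empty label list models a plain IP next hop."""
    return [Header("mpls", label=lbl) for lbl in labels] + stack


def simulate(acl_line: str, tunnel_src: str, tunnel_dst: str, labels: List[int]) -> Dict[str, object]:
    """Build the egress header stack and report whether the crypto ACL matches."""
    inner = [Header("ip", "192.168.0.1", "192.168.0.2")]  # constructed INSIDE-VRF payload
    egress = forward_via(gre_encapsulate(inner, tunnel_src, tunnel_dst), labels)
    return {
        "egress_stack": [h.kind for h in egress],
        "crypto_acl_match": acl_matches(parse_acl_entry(acl_line), egress),
    }


if __name__ == "__main__":
    acl = "permit gre host 10.10.10.1 host 172.16.0.1"
    # Route to 172.16.0.1 in OUTSIDE-VRF learned over the MPLS VPN: labels pushed.
    labeled = simulate(acl, "10.10.10.1", "172.16.0.1", labels=[300, 16])  # constructed labels
    # Same packet if the next hop were plain IP (no labels pushed).
    plain = simulate(acl, "10.10.10.1", "172.16.0.1", labels=[])
    print("labelled path :", labeled)
    print("plain IP path :", plain)
```

Running it shows the same GRE packet matching the crypto ACL when it leaves as IP/GRE and failing to match once labels sit on top, which is the "MPLS/IP/GRE" case described above. Peeling the layers back as suggested (GRE over plain IP first, then IPsec) maps directly onto the two runs.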
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: Monday, March 08, 2010 7:27 AM
To: cisco-nsp
Subject: [c-nsp] IPSec crypto map on MPLS enabled interface?
I'm too stupid to make this work. :-)
What I'm trying is:
- NPE-G1 running 12.4(25c) Ent. IPSec 3DES (c7200-jk9s-mz.124-25c.bin)
- Configured as "standard" MPLS PE in our network
- Loopback-interface to terminate GRE tunnel on "outside" VRF
- Tunnel-interface in "inside" VRF
- No other interfaces apart from the global MPLS enabled
- (Using a SA-VAM2, but I assume this is irrelevant)
- Has to use crypto map + GRE tunnel because of other end
The GRE part works fine, but I can't make it encrypt the traffic. Debug
crypto gives no output at all. When trying to send traffic through the
tunnel interface it ends up sending GRE traffic, i.e. not encrypting it.
I tried adding the crypto map both to the loopback interface in the
outside VRF and to the MPLS enabled interfaces (in global).
What am I doing wrong? Is it because MPLS and IPSec just don't mix?
The hopefully relevant part of the configuration is:
ip vrf OUTSIDE-VRF
 description Outside VRF
 rd 10.0.0.1:3123
 route-target export 65432:3123
 route-target import 65432:3123
!
ip vrf INSIDE-VRF
 description Inside VRF
 rd 10.0.0.1:3320
 route-target export 65432:3320
 route-target import 65432:3320
!
ip access-list extended Crypto-map-ACL-TEST
 permit gre host 10.10.10.1 host 172.16.0.1
!
crypto keyring Crypto-Keyring-TEST vrf OUTSIDE-VRF
 pre-shared-key address 172.16.0.1 key jkB8UThDDQjHSMJdFfPM
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 lifetime 43200
!
crypto isakmp profile Crypto-Profile-TEST
 vrf INSIDE-VRF
 keyring Crypto-Keyring-TEST
 match identity address 172.16.0.1 255.255.255.255 OUTSIDE-VRF
 initiate mode aggressive
!
crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
!
crypto map Crypto-Map-TEST local-address Loopback3123
crypto map Crypto-Map-TEST 10 ipsec-isakmp
 set peer 172.16.0.1
 set transform-set AES256-MD5
 set isakmp-profile Crypto-Profile-TEST
 match address Crypto-map-ACL-TEST
!
interface Loopback0
 description Core loopback
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback3123
 description Interface in outside VRF
 ip vrf forwarding OUTSIDE-VRF
 ip address 10.10.10.1 255.255.255.255
!
interface Tunnel3320
 description GRE tunnel
 ip vrf forwarding INSIDE-VRF
 ip address 192.168.0.1 255.255.255.252
 tunnel source Loopback3123
 tunnel destination 172.16.0.1
 tunnel vrf OUTSIDE-VRF
!
interface GigabitEthernet0/1
 description MPLS core-facing interface
 mtu 9216
 ip address 10.0.5.1 255.255.255.252
 mpls ip
 crypto map Crypto-Map-TEST
!
interface GigabitEthernet0/2
 description MPLS core-facing interface
 mtu 9216
 ip address 10.0.5.5 255.255.255.252
 mpls ip
 crypto map Crypto-Map-TEST
!
--
Peter
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/