[c-nsp] IPSec crypto map on MPLS enabled interface?

Leah Lynch (Contractor) leah.lynch at clearwire.com
Mon Mar 8 13:34:45 EST 2010


Wow! That's a lot of encapsulation for each packet (Eth, GRE, MPLS,
IPSec)! I would suggest peeling back the layers to find where the
problem originates. I'd pull each upper-layer encapsulation off entirely
and make sure the MPLS with GRE is working first. Then, if that works,
put the IPSec back on, and at least then you know where to focus. I am
not sure this configuration would work; depending on when the frames are
encapsulated, they may not be matching your access list, due to the fact
that they are no longer IP/GRE frames, but MPLS/IP/GRE.

Leah

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: Monday, March 08, 2010 7:27 AM
To: cisco-nsp
Subject: [c-nsp] IPSec crypto map on MPLS enabled interface?

I'm too stupid to make this work. :-)

What I'm trying is:

- NPE-G1 running 12.4(25c) Ent. IPSec 3DES (c7200-jk9s-mz.124-25c.bin)
- Configured as "standard" MPLS PE in our network
- Loopback-interface to terminate GRE tunnel on "outside" VRF
- Tunnel-interface in "inside" VRF
- No other interfaces apart from the global MPLS enabled
- (Using a SA-VAM2, but I assume this is irrelevant)
- Has to use crypto map + GRE tunnel because of other end

The GRE part works fine, but I can't make it encrypt the traffic. Debug
crypto gives no output at all. When trying to send traffic through the
tunnel interface it ends up sending GRE traffic, i.e. not encrypting it.

I tried adding the crypto map both to the loopback interface in the
outside VRF and to the MPLS enabled interfaces (in global).

What am I doing wrong? Is it because MPLS and IPSec just don't mix?

The hopefully relevant part of the configuration is:

ip vrf OUTSIDE-VRF
 description Outside VRF
 rd 10.0.0.1:3123
 route-target export 65432:3123
 route-target import 65432:3123
!
ip vrf INSIDE-VRF
 description Inside VRF
 rd 10.0.0.1:3320
 route-target export 65432:3320
 route-target import 65432:3320
!
ip access-list extended Crypto-map-ACL-TEST
 permit gre host 10.10.10.1 host 172.16.0.1
!
crypto keyring Crypto-Keyring-TEST vrf OUTSIDE-VRF
 pre-shared-key address 172.16.0.1 key jkB8UThDDQjHSMJdFfPM
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 lifetime 43200
!
crypto isakmp profile Crypto-Profile-TEST
 vrf INSIDE-VRF
 keyring Crypto-Keyring-TEST
 match identity address 172.16.0.1 255.255.255.255 OUTSIDE-VRF
 initiate mode aggressive
!
crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
!
crypto map Crypto-Map-TEST local-address Loopback3123
crypto map Crypto-Map-TEST 10 ipsec-isakmp
 set peer 172.16.0.1
 set transform-set AES256-MD5
 set isakmp-profile Crypto-Profile-TEST
 match address Crypto-map-ACL-TEST
!
interface Loopback0
 description Core loopback
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback3123
 description Interface in outside VRF
 ip vrf forwarding OUTSIDE-VRF
 ip address 10.10.10.1 255.255.255.255
!
interface Tunnel3320
 description GRE tunnel
 ip vrf forwarding INSIDE-VRF
 ip address 192.168.0.1 255.255.255.252
 tunnel source Loopback3123
 tunnel destination 172.16.0.1
 tunnel vrf OUTSIDE-VRF
!
interface GigabitEthernet0/1
 description MPLS core-facing interface
 mtu 9216
 ip address 10.0.5.1 255.255.255.252
 mpls ip
 crypto map Crypto-Map-TEST
!
interface GigabitEthernet0/2
 description MPLS core-facing interface
 mtu 9216
 ip address 10.0.5.5 255.255.255.252
 mpls ip
 crypto map Crypto-Map-TEST
!


-- 
Peter


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


