[c-nsp] IPSec crypto map on MPLS enabled interface?

Ramcharan, Vijay A vijay.ramcharan at verizonbusiness.com
Mon Mar 8 16:54:23 EST 2010


I tested this scenario some time ago. As I recall, it is possible to use
"tunnel protection" on one side of the tunnel and the usual "crypto map"
statements on the other end for GRE over IPSec. 

If the issue is the application of the "crypto map" statements on the PE
end, try setting up a lab scenario with one end as the PE using "tunnel
protection". I do recall the resulting dynamic crypto map with "tunnel
protection" is pretty much the same as you would have if you configured
a static crypto ACL with "permit gre" entries. You won't need to apply a
crypto map to any interfaces on the PE end. 

Vijay Ramcharan 
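The asymmetric setup described above (tunnel protection on the PE, a classic crypto map on the far end), as an added IOS configuration example that is not from the thread or from any poster. VRF names, interface names, addresses and the pre-shared key are constructed placeholders; "group 14" assumes an image that offers it (12.4 trains typically stop at group 5).

```cisco
! PE side: GRE tunnel lives in customer VRF INSIDE, IPsec runs in the
! front-door VRF OUTSIDE. All names, addresses and the key are placeholders.
crypto keyring OUTSIDE-KEYS vrf OUTSIDE
 pre-shared-key address 198.51.100.2 key REPLACE-WITH-STRONG-PSK
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp profile PE-ISAKMP
 keyring OUTSIDE-KEYS
 match identity address 198.51.100.2 255.255.255.255 OUTSIDE
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile GRE-PROT
 set transform-set AES-SHA
 set isakmp-profile PE-ISAKMP
!
interface Loopback10
 ip vrf forwarding OUTSIDE
 ip address 192.0.2.1 255.255.255.255
interface Tunnel0
 ip vrf forwarding INSIDE
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback10
 tunnel destination 198.51.100.2
 tunnel vrf OUTSIDE
 tunnel protection ipsec profile GRE-PROT
! No "crypto map" is applied to any PE interface: tunnel protection derives
! the proxy identity, equivalent to "permit gre host 192.0.2.1 host 198.51.100.2".
!
! Remote (non-PE) side: same ISAKMP policy and transform set as above, but a
! static crypto map with a "permit gre" ACL applied to the WAN interface.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.1
ip access-list extended GRE-TO-PE
 permit gre host 198.51.100.2 host 192.0.2.1
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set AES-SHA
 match address GRE-TO-PE
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map VPN
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
```

On either end, `show crypto ipsec sa` should show a single SA whose local and remote identities are the two host addresses with protocol 47 (GRE); if the remote side's ACL is wider than that, the proxy identities will not match and the SA will not come up.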


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: Monday, March 08, 2010 11:18 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPSec crypto map on MPLS enabled interface?

On 08/03/10 15:27, Peter Rathlev wrote:
> I'm too stupid to make this work. :-)
>
> What I'm trying is:
>
> - NPE-G1 running 12.4(25c) Ent. IPSec 3DES (c7200-jk9s-mz.124-25c.bin)
> - Configured as "standard" MPLS PE in our network
> - Loopback-interface to terminate GRE tunnel on "outside" VRF
> - Tunnel-interface in "inside" VRF
> - No other interfaces apart from the global MPLS enabled
> - (Using a SA-VAM2, but I assume this is irrelevant)
> - Has to use crypto map + GRE tunnel because of other end

We experience the same problem here on a 2821 with the exact same config
(GRE protected by IPSec, VPN router is a PE).

The irritating thing is that, in the "stable" routing topology it works 
because the border router is directly adjacent to the VPN router and the
packets arrive at the VPN router unlabelled. But if we failover to our 
2nd internet connection the packets arrive at the VPN router labelled 
and it fails :o(

A colleague of a colleague seems to think it's possible to make it work 
"with a different syntax" but I'm not sure what that means. The 
suggestion made was:

tunnel protection ipsec profile ...

...config format. Possibly this is the bit you're unable to use.

If you find out, I'd love to know.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/