[c-nsp] IPSec crypto map on MPLS enabled interface?

Tim Devries Tim.Devries at flexITy.ca
Tue Mar 9 12:23:53 EST 2010




-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: March-09-10 7:36 AM
To: Phil Mayers
Cc: cisco-nsp
Subject: Re: [c-nsp] IPSec crypto map on MPLS enabled interface?

On Tue, 2010-03-09 at 10:49 +0000, Phil Mayers wrote:
> > I then tried changing the ISAKMP profile VRF, et voila, it worked. :-)
> >
> > I have reloaded the box to make sure it's not just good luck that it
> > works now. It seems to work fine after a reload, with MPLS on the core
> > facing interfaces.
> 
>> Interesting. Are the packets arriving at the box labelled?

>Yes, though just with the VPN label because of penultimate hop popping.
>And the encrypted traffic leaves the box tagged too.

Saw the same thing on a 7600 w/ vpn module.  Due to penultimate hop
popping the packets were unlabeled and because isis & mpls were
configured on the tunnel interface traffic wouldn't egress properly
without explicit null on the decapsulating node.  Also found this
configuration works with SRE code.

Tim



