[c-nsp] IPSec crypto map on MPLS enabled interface?

Peter Rathlev peter at rathlev.dk
Wed Mar 10 12:06:36 EST 2010


On Tue, 2010-03-09 at 13:35 +0100, Peter Rathlev wrote:
> And the encrypted traffic leaves the box tagged too.

I assumed a little too much here. :-)

It turns out that the traffic leaves the box unencrypted unless it
originated on the box itself. So ping inside the tunnel interface works
fine, but traffic arriving from outside the box only gets GRE
encapsulated, not IPSec. MPLS always comes on top.

I ended up having to use a non-MPLS interface as the "outside" interface
to make the box actually encrypt things.

I thought I could pull this off on a 7200. They're so versatile. :-)

-- 
Peter




