[c-nsp] IPSec crypto map on MPLS enabled interface?

David Prall dcp at dcptech.com
Wed Mar 10 12:44:03 EST 2010


You could do MPLSoGREoIPSec

--
http://dcp.dcptech.com


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
> Sent: Wednesday, March 10, 2010 12:07 PM
> To: Phil Mayers
> Cc: cisco-nsp
> Subject: Re: [c-nsp] IPSec crypto map on MPLS enabled interface?
> 
> On Tue, 2010-03-09 at 13:35 +0100, Peter Rathlev wrote:
> > And the encrypted traffic leaves the box tagged too.
> 
> I assumed a little too much here. :-)
> 
> It turns out that the traffic leaves the box unencrypted unless it
> originated on the box itself. So ping inside the tunnel interface works
> fine, but traffic arriving from outside the box only gets GRE
> encapsulated, not IPSec. MPLS always comes on top.
> 
> I ended up having to use a non-MPLS interface as the "outside" interface
> to make the box actually encrypt things.
> 
> I thought I could pull this off on a 7200. They're so versatile. :-)
> 
> --
> Peter
> 


