[c-nsp] IPSec crypto map on MPLS enabled interface?
David Prall
dcp at dcptech.com
Wed Mar 10 12:44:03 EST 2010
You could do MPLSoGREoIPSec.
--
http://dcp.dcptech.com
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
> Sent: Wednesday, March 10, 2010 12:07 PM
> To: Phil Mayers
> Cc: cisco-nsp
> Subject: Re: [c-nsp] IPSec crypto map on MPLS enabled interface?
>
> On Tue, 2010-03-09 at 13:35 +0100, Peter Rathlev wrote:
> > And the encrypted traffic leaves the box tagged too.
>
> I assumed a little too much here. :-)
>
> It turns out that the traffic leaves the box unencrypted unless it
> originated on the box itself. So ping inside the tunnel interface works
> fine, but traffic arriving from outside the box only gets GRE
> encapsulated, not IPSec. MPLS always comes on top.
>
> I ended up having to use a non-MPLS interface as the "outside" interface
> to make the box actually encrypt things.
>
> I thought I could pull this off on a 7200. They're so versatile. :-)
>
> --
> Peter
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/