[c-nsp] IPSec crypto map on MPLS enabled interface?

David Prall dcp at dcptech.com
Thu Mar 11 08:39:53 EST 2010


LDP and IPSec aren't friendly together on the same interface. A Front-Side
VRF (fVRF) is typically used in a vrf-lite/multi-VRF CE situation without
LDP enabled. You could try tunnel protection instead of a crypto map. The
order of operations is a key issue here; IPSec has to happen prior to label
imposition.

If it is only a CE-PE connection then there are no problems, but here it is
the PE doing the encryption as well.

I've done this a couple of times where the crypto interface was the VRF
interface, and we decrypted/encrypted there and then put the traffic onto a
core labeled interface without encryption.

David

--
http://dcp.dcptech.com


> -----Original Message-----
> From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
> Sent: Thursday, March 11, 2010 4:48 AM
> To: David Prall
> Cc: 'Peter Rathlev'; 'cisco-nsp'
> Subject: Re: [c-nsp] IPSec crypto map on MPLS enabled interface?
> 
> On 03/10/2010 05:44 PM, David Prall wrote:
> > You could do MPLSoGREoIPSec
> 
> Maybe, if you control both the design and feature set of both ends.
> 
> But still, it seems pretty clear this is a bug or feature limitation to
> me. IP/IPSEC/GRE packets are arriving at/leaving the router. The next
> hop adjacency happens to be MPLS. That should not matter.
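For readers following the thread, the layout David describes (IPsec terminated on the VRF-facing side of the PE via tunnel protection, with the labeled core interface carrying no crypto at all) looks roughly like the IOS fragment below. This is an added illustration, not configuration from the original post or from any of the participants; the VRF name, RD/RT values, addresses, peer, interface names and the ISAKMP/IPsec parameters are all assumed, and the pre-shared key is deliberately left as a placeholder.

```cisco
! Added example (not from the post). Tunnel endpoints live in the global
! table (the "front side"); the tunnel interface itself sits in the customer
! VRF, so traffic is decrypted before it is ever label-switched.
ip vrf CUST-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-KEY address 203.0.113.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile CUST-A-PROF
 set transform-set TS-AES
!
! Crypto is bound to the tunnel with "tunnel protection", not a crypto map.
interface Tunnel100
 description IPsec from CE site A, lands inside VRF CUST-A
 ip vrf forwarding CUST-A
 ip address 10.100.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CUST-A-PROF
!
! CE-facing interface: global table, carries ESP, no LDP here.
interface GigabitEthernet0/0
 description Front side / CE-facing, no MPLS
 ip address 203.0.113.1 255.255.255.248
!
! Core-facing interface: labels only, nothing encrypted at this hop.
interface GigabitEthernet0/1
 description MPLS core
 ip address 10.0.0.1 255.255.255.252
 mpls ip
!
router bgp 65000
 address-family ipv4 vrf CUST-A
  redistribute connected
 exit-address-family
```

The point of this arrangement is the order of operations mentioned above: decryption happens on Tunnel100 (inside the VRF) and only afterwards does the PE perform label imposition on GigabitEthernet0/1, so LDP and IPsec never meet on the same interface. If the CE side is also yours, `tunnel mode gre ip` with the same `tunnel protection` line gives the MPLSoGREoIPsec variant mentioned earlier in the thread.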



More information about the cisco-nsp mailing list