[c-nsp] IPSec crypto map on MPLS enabled interface?

Peter Rathlev peter at rathlev.dk
Thu Mar 11 11:14:23 EST 2010


On Thu, 2010-03-11 at 08:39 -0500, David Prall wrote:
> I've done this a couple times where the crypto interface was the vrf
> interface, and we decrypted/encrypted there and then put the traffic
> onto a core labeled interface without encryption.

This is basically what I ended up doing, and it works fine.

I'm a little puzzled by how the symptoms are though. The inside interface
takes traffic as IP-in-MPLS. The outside interface is supposed to send
traffic as IP-in-GRE-in-IPSec-in-MPLS. The unintuitive thing for me is
that it's the IPSec part that's missing, not the MPLS part.

I specifically tested if the router would MPLS tag the packets
correctly, and could see that it would. And I also tested the whole
stack (IP/GRE/IPSec/MPLS), but only with traffic originated by the
router itself. This worked fine. Unfortunately it seems to skip the
IPSec part if the traffic comes from somewhere else.

Since all this is actually a temporary work-around I'm not going to
throw a tantrum about it. OTOH it would've been beautiful if the router
could handle all this internally. That way I could have this router be a
standard part of our core, with two MPLS enabled interfaces and nothing
else.

Oh well. :-)

-- 
Peter
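The failure mode described in the post (MPLS labelling is applied, but transit traffic leaves the outside interface with the GRE tunnel in the clear instead of inside ESP) is easy to miss if one only looks at whether labels are present. The following is an added example, not code from the thread or from any Cisco tool: a small Python encapsulation-stack parser that walks Ethernet -> MPLS label stack -> IPv4 -> GRE/ESP and reports whether GRE is visible without ESP protection. The two sample frames, the MAC/IP addresses, the label value 16 and the helper names (`build_ipv4`, `build_mpls`, `gre_in_clear`) are all constructed for this illustration; in practice one would feed it frames captured on the MPLS-facing interface.

```python
import struct

# Constants from the Ethernet and IP specifications (real values).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847
IPPROTO_GRE = 47
IPPROTO_ESP = 50
IPPROTO_UDP = 17


def parse_stack(frame: bytes) -> list:
    """Return the encapsulation layers of an Ethernet frame, outermost first."""
    layers = []
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETHERTYPE_MPLS:
        # Walk the label stack until the bottom-of-stack (S) bit is set.
        while True:
            entry = struct.unpack("!I", frame[off:off + 4])[0]
            label = entry >> 12
            bottom = (entry >> 8) & 1
            layers.append(f"MPLS(label={label})")
            off += 4
            if bottom:
                break
        if frame[off] >> 4 != 4:  # only IPv4 payloads are handled here
            layers.append("UNKNOWN")
            return layers
    elif ethertype != ETHERTYPE_IPV4:
        layers.append(f"ETHERTYPE(0x{ethertype:04x})")
        return layers
    return layers + _parse_ipv4_chain(frame, off)


def _parse_ipv4_chain(buf: bytes, off: int) -> list:
    """Follow IPv4 -> GRE -> IPv4 ... until ESP (opaque) or a plain L4 protocol."""
    layers = []
    while True:
        ihl = (buf[off] & 0x0F) * 4
        proto = buf[off + 9]
        layers.append("IP")
        off += ihl
        if proto == IPPROTO_ESP:
            layers.append("ESP")  # payload is encrypted; nothing more to descend into
            return layers
        if proto == IPPROTO_GRE:
            flags_ver, gre_proto = struct.unpack("!HH", buf[off:off + 4])
            layers.append("GRE")
            off += 4
            # Skip optional GRE fields according to the C/K/S flag bits (RFC 2890).
            if flags_ver & 0x8000:
                off += 4  # checksum + reserved
            if flags_ver & 0x2000:
                off += 4  # key
            if flags_ver & 0x1000:
                off += 4  # sequence number
            if gre_proto == ETHERTYPE_IPV4:
                continue
            layers.append(f"GRE-PAYLOAD(0x{gre_proto:04x})")
            return layers
        layers.append(f"L4(proto={proto})")
        return layers


def gre_in_clear(frame: bytes) -> bool:
    """True if a GRE header is visible without ESP around it (the symptom in the thread)."""
    return "GRE" in parse_stack(frame)


# --- constructed sample frames (not captures from the poster's network) ---
def build_ipv4(proto: int, payload: bytes, src: bytes, dst: bytes) -> bytes:
    # Checksum left as 0: the parser above does not validate it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, src, dst) + payload


def build_mpls(label: int, payload: bytes) -> bytes:
    entry = (label << 12) | (1 << 8) | 64  # single label, S bit set, TTL 64
    return struct.pack("!I", entry) + payload


def build_eth(ethertype: int, payload: bytes) -> bytes:
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + \
        struct.pack("!H", ethertype) + payload


INNER = build_ipv4(IPPROTO_UDP, b"\x00" * 8, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
TUNNEL_SRC, TUNNEL_DST = b"\xc0\xa8\x01\x01", b"\xc0\xa8\x01\x02"

# What the outside interface should emit: MPLS / IP / ESP (GRE hidden inside ESP).
FRAME_ENCRYPTED = build_eth(ETHERTYPE_MPLS, build_mpls(
    16, build_ipv4(IPPROTO_ESP, b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 32,
                   TUNNEL_SRC, TUNNEL_DST)))

# What the poster observed for transit traffic: MPLS / IP / GRE / IP, no ESP.
FRAME_CLEAR_GRE = build_eth(ETHERTYPE_MPLS, build_mpls(
    16, build_ipv4(IPPROTO_GRE, struct.pack("!HH", 0, ETHERTYPE_IPV4) + INNER,
                   TUNNEL_SRC, TUNNEL_DST)))

if __name__ == "__main__":
    for name, frame in (("encrypted", FRAME_ENCRYPTED), ("clear-gre", FRAME_CLEAR_GRE)):
        print(name, parse_stack(frame), "GRE in clear:", gre_in_clear(frame))
```

The check is deliberately one-directional: ESP terminates the walk because its payload is opaque, so any frame in which a GRE header is still parseable on the core-facing side was not encrypted by the crypto map, regardless of whether the MPLS label was applied correctly.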
