[c-nsp] IPSec crypto map on MPLS enabled interface?

Phil Mayers p.mayers at imperial.ac.uk
Thu Mar 11 11:55:07 EST 2010


On 11/03/10 16:14, Peter Rathlev wrote:
> On Thu, 2010-03-11 at 08:39 -0500, David Prall wrote:
>> I've done this a couple times where the crypto interface was the vrf
>> interface, and we decrypted/encrypted there and then put the traffic
>> onto a core labeled interface without encryption.
>
> This is basically what I ended up doing, and it works fine.
>
> I'm a little puzzled by how the symptoms are though. The inside interface
> takes traffic as IP-in-MPLS. The outside interface is supposed to send
> traffic as IP-in-GRE-in-IPSec-in-MPLS. The unintuitive thing for me is
> that it's the IPSec part that's missing, not the MPLS part.
>
> I specifically tested if the router would MPLS tag the packets
> correctly, and could see that it would. And I also tested the whole
> stack (IP/GRE/IPSec/MPLS), but only with traffic originated by the
> router itself. This worked fine. Unfortunately it seems to skip the
> IPSec part if the traffic comes from somewhere else.

The shortcoming seems to be that the crypto map is translated into some 
kind of forwarding instruction internally based on the ACL; and the ACL 
never matches an MPLS packet, so the crypto is never applied.

This is conceptually annoying; at the very least, IOS ought to print a 
warning message:

% Crypto maps do not match MPLS packets

...when doing so.
