[c-nsp] IPSec crypto map on MPLS enabled interface?

Rakesh Hegde rakeshh at gmail.com
Thu Mar 11 12:22:46 EST 2010


forgot to hit reply all..


On Thu, Mar 11, 2010 at 10:39 AM, Rakesh Hegde <rakeshh at gmail.com> wrote:

> Since you are using crypto maps, the unencrypted (GRE) IP traffic has to
> hit the physical interface that the crypto map is applied to get
> encrypted. If the interface is MPLS enabled the frontdoor VRF CEF table does
> label imposition before sending the packets to the outside interface. You
> will be able to build the IPSEC SAs but can't encrypt traffic because in the
> acl you have specified IP-GRE as the interesting traffic, not MPLS.
>
> VTI tunnel protection (with or without GRE) should work as they don't
> use crypto map and the IPSEC tunnel is built beforehand.
> The encrypted packets will be label switched just like any other IP packet.
>
> Are you sure you are encrypting the traffic when pinging the other end
> tunnel interface IP? Do you actually see "sh cry ipsec sa" encrypt decrypt
> count increase when you ping?
>
> -Rakesh
>
>
> On Wed, Mar 10, 2010 at 11:06 AM, Peter Rathlev <peter at rathlev.dk> wrote:
>
>> On Tue, 2010-03-09 at 13:35 +0100, Peter Rathlev wrote:
>> > And the encrypted traffic leaves the box tagged too.
>>
>> I assumed a little too much here. :-)
>>
>> It turns out that the traffic leaves the box unencrypted unless it
>> originated on the box itself. So ping inside the tunnel interface works
>> fine, but traffic arriving from outside the box only gets GRE
>> encapsulated, not IPSec. MPLS always comes on top.
>>
>> I ended up having to use a non-MPLS interface as the "outside" interface
>> to make the box actually encrypt things.
>>
>> I thought I could pull this off on a 7200. They're so versatile. :-)
>>
>> --
>> Peter
>>


-- 
Rakesh
http://blog.ippacket.info
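
Added example, not part of the original thread: a Python check for the question asked above, whether the "sh cry ipsec sa" encrypt count actually rises, applied to transit traffic, which is the case the quoted message reports leaving the box unencrypted. The peer address, interface name and snapshot text are constructed, and the function names are hypothetical.

```python
import re

PEER_RE = re.compile(r"current_peer\s+(\S+)")
PKTS_RE = re.compile(r"#pkts (encrypt|decrypt):\s*(\d+)")


def parse_sa_counters(text):
    """Map each current_peer to its summed encrypt/decrypt packet counters."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            # A peer can appear once per SA; counters are summed per peer.
            current = peers.setdefault(m.group(1), {"encrypt": 0, "decrypt": 0})
            continue
        if current is not None:
            for name, value in PKTS_RE.findall(line):
                current[name] += int(value)
    return peers


def check_transit_encrypted(before, after, peer, sent):
    """Classify a test where `sent` packets from a host BEHIND the router
    (not from the router itself) were pushed into the tunnel between two
    snapshots of the SA counters."""
    b = parse_sa_counters(before).get(peer)
    a = parse_sa_counters(after).get(peer)
    if b is None or a is None:
        return "no-sa"            # SA missing in a snapshot: nothing to compare
    delta = a["encrypt"] - b["encrypt"]
    if delta < 0:
        return "counters-reset"   # SA cleared or re-established: rerun the test
    return "encrypted" if delta >= sent else "cleartext-leak"


def snapshot(encrypt, decrypt):
    """Constructed sample: only the counter lines of the command output."""
    return (
        "interface: FastEthernet0/0\n"
        "   current_peer 198.51.100.1 port 500\n"
        f"    #pkts encaps: {encrypt}, #pkts encrypt: {encrypt}, #pkts digest: {encrypt}\n"
        f"    #pkts decaps: {decrypt}, #pkts decrypt: {decrypt}, #pkts verify: {decrypt}\n"
    )


if __name__ == "__main__":
    peer = "198.51.100.1"
    # 100 transit packets sent, encrypt counter did not move.
    print(check_transit_encrypted(snapshot(5, 5), snapshot(5, 5), peer, 100))
    # 100 transit packets sent, encrypt counter rose by 100.
    print(check_transit_encrypted(snapshot(5, 5), snapshot(105, 105), peer, 100))
```

Run the test with traffic sourced from a host behind the router: a ping from the router's own tunnel interface can increment the counters even when transit traffic is not being encrypted.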