[c-nsp] IPSec crypto map on MPLS enabled interface?
John Kougoulos
koug at intracom.gr
Thu Mar 11 12:50:41 EST 2010
On Thu, 11 Mar 2010, Peter Rathlev wrote:
> On Thu, 2010-03-11 at 08:39 -0500, David Prall wrote:
> I specifically tested if the router would MPLS tag the packets
> correctly, and could see that it would. And I also tested the whole
> stack (IP/GRE/IPSec/MPLS), but only with traffic originated by the
> router itself. This worked fine. Unfortunately it seems to skip the
> IPSec part if the traffic comes from somewhere else.
So it seems that when the packet is process switched (because it was
originated on the router) everything works fine. I wonder what happens if
you use e.g.:
a. "no ip route-cache" on the incoming interface
b. if you use e.g. VTI instead of crypto maps?
Regards,
John