[c-nsp] IPSec crypto map on MPLS enabled interface?
Peter Rathlev
peter at rathlev.dk
Thu Mar 11 12:53:46 EST 2010
Hi Rakesh,
On Thu, 2010-03-11 at 10:39 -0600, Rakesh Hegde wrote:
> VTI tunnel protection (with or without GRE) should work as they don't
> use crypto map and the IPSEC tunnel is built beforehand.
> The encrypted packets will be label switched just like any other IP
> packet.
Yes, and though I would like to use VTI, the other end is not able to.
So that's a no go.
> Are you sure you are encrypting the traffic when pinging the other end
> tunnel interface IP? Do you actually see "sh cry ipsec sa" encrypt
> decrypt count increase when you ping?
Yes, traffic originating from the router gets encrypted. Apart from
seeing this traffic in "pkts encaps" and "pkts decaps" I made double
sure by having a firewall in front of the router that only allowed ESP
and not GRE. This was also how I could see the GRE-only traffic in the
first place.
--
Peter
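The counter check described above (compare "pkts encaps" / "pkts decaps" from "show crypto ipsec sa" before and after a test ping), as an added example that is not part of the original thread. The show output below is constructed in IOS style, and the SA counts and ping count are assumptions.

```python
import re
from collections import defaultdict

# Constructed "show crypto ipsec sa" snapshots taken before and after sending
# five test pings. Two SAs are included so the parser sums across SA blocks.
BEFORE = """\
interface: GigabitEthernet0/0
    Crypto map tag: MYMAP, local addr 192.0.2.1
     #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
     #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
    Crypto map tag: MYMAP, local addr 192.0.2.1
     #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
     #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""
AFTER = BEFORE.replace("encaps: 100", "encaps: 105").replace("decaps: 98", "decaps: 103")

# Matches only the encaps/decaps counters, not the encrypt/digest/verify ones.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_counters(show_output: str) -> dict:
    """Sum the encaps/decaps counters over every SA in the show output."""
    totals = defaultdict(int)
    for name, value in COUNTER_RE.findall(show_output):
        totals[name] += int(value)
    return dict(totals)


def encryption_delta(before: str, after: str) -> dict:
    """Counter increase between two snapshots, per direction."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a.get(k, 0) - b.get(k, 0) for k in ("encaps", "decaps")}


def traffic_was_encrypted(before: str, after: str, pings_sent: int) -> bool:
    """True when at least one ESP encap/decap per ping is accounted for.

    Unchanged counters mean the pings bypassed the crypto map (e.g. were
    label switched or sent as plain GRE) rather than being encrypted.
    """
    delta = encryption_delta(before, after)
    return delta["encaps"] >= pings_sent and delta["decaps"] >= pings_sent


if __name__ == "__main__":
    print(encryption_delta(BEFORE, AFTER))
    print("encrypted" if traffic_was_encrypted(BEFORE, AFTER, 5) else "bypassed crypto")
```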