[c-nsp] IPSec crypto map on MPLS enabled interface?

Peter Rathlev peter at rathlev.dk
Thu Mar 11 12:53:46 EST 2010


Hi Rakesh,

On Thu, 2010-03-11 at 10:39 -0600, Rakesh Hegde wrote:
> VTI  tunnel protection (with or without GRE) should work as they don't
> use crypto map and the IPSEC tunnel is built beforehand.
> The encrypted packets will be label switched just like any other IP
> packet.

Yes, and though I would like to use VTI, the other end is not able to.
So that's a no go.
 
> Are you sure you are encrypting the traffic when pinging the other end
> tunnel interface ip ? Do you actually see "sh cry ipsec sa" encrypt
> decrypt count increase when you ping ?

Yes, traffic originating from the router gets encrypted. Apart from
seeing this traffic in "pkts encaps" and "pkts decaps" I made double
sure by having a firewall in front of the router that only allowed ESP
and not GRE. This was also how I could see the GRE-only traffic in the
first place.

-- 
Peter
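As an added illustration of the counter check discussed above (this is example code, not from the thread or from Cisco): it parses two snapshots of "sh cry ipsec sa" output taken before and after a ping and reports, per peer, whether "pkts encaps" and "pkts decaps" moved. The snapshots below are constructed to match the IOS counter line format; peer addresses are documentation ranges.

```python
import re

# Constructed, abbreviated "show crypto ipsec sa" output: one snapshot
# before a ping across the tunnel and one after. Not real router output.
BEFORE = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 192.0.2.1
   remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
"""
AFTER = BEFORE.replace("encaps: 100", "encaps: 105").replace("decaps: 95", "decaps: 100")

PEER_RE = re.compile(r"current_peer (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_sa_counters(text):
    """Return {peer: (encaps, decaps)}; counters for a peer are summed."""
    counters = {}
    peer = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, [0, 0])
            continue
        if peer is None:
            continue  # header lines before the first peer block
        m = ENCAPS_RE.search(line)
        if m:
            counters[peer][0] += int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            counters[peer][1] += int(m.group(1))
    return {p: tuple(v) for p, v in counters.items()}


def sa_delta(before, after):
    """Classify counter movement per peer: 'bidirectional' (both counters
    rose), 'encrypt-only', 'decrypt-only', 'none', or 'sa-gone' if the
    peer's SA no longer appears in the second snapshot."""
    result = {}
    after_counters = parse_sa_counters(after)
    for peer, (enc_b, dec_b) in parse_sa_counters(before).items():
        if peer not in after_counters:
            result[peer] = "sa-gone"
            continue
        enc_a, dec_a = after_counters[peer]
        enc_up, dec_up = enc_a > enc_b, dec_a > dec_b
        result[peer] = {(True, True): "bidirectional", (True, False): "encrypt-only",
                        (False, True): "decrypt-only"}.get((enc_up, dec_up), "none")
    return result
```

An "encrypt-only" result on a ping is the case worth a second look: the local side is encapsulating, but no ESP is coming back for that peer.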