[c-nsp] IPSec crypto map on MPLS enabled interface?

Leah Lynch (Contractor) leah.lynch at clearwire.com
Thu Mar 11 15:10:21 EST 2010


I believe this is because of the order of operations: once the MPLS
headers are added to the frame, it's no longer seen as an IP packet,
because it is switched at L2. Could be wrong, but that is what I was
thinking last week when I commented on all the different encapsulation
types.

Leah

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: Thursday, March 11, 2010 8:55 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPSec crypto map on MPLS enabled interface?

On 11/03/10 16:14, Peter Rathlev wrote:
> On Thu, 2010-03-11 at 08:39 -0500, David Prall wrote:
>> I've done this a couple times where the crypto interface was the vrf
>> interface, and we decrypted/encrypted there and then put the traffic
>> onto a core labeled interface without encryption.
>
> This is basically what I ended up doing, and it works fine.
>
> I'm a little puzzled by the symptoms, though. The inside interface
> takes traffic as IP-in-MPLS. The outside interface is supposed to send
> traffic as IP-in-GRE-in-IPSec-in-MPLS. The unintuitive thing for me is
> that it's the IPSec part that's missing, not the MPLS part.
>
> I specifically tested if the router would MPLS tag the packets
> correctly, and could see that it would. And I also tested the whole
> stack (IP/GRE/IPSec/MPLS), but only with traffic originated by the
> router itself. This worked fine. Unfortunately it seems to skip the
> IPSec part if the traffic comes from somewhere else.

The shortcoming seems to be that the crypto map is translated into some 
kind of forwarding instruction internally based on the ACL; and the ACL 
never matches an MPLS packet, so the crypto is never applied.

This is conceptually annoying; at the very least, IOS ought to print a
warning message:

% Crypto maps do not match MPLS packets

...when doing so.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
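Added illustration of the two crypto map placements discussed in this thread (constructed for this page, not configuration posted by Peter, David, Phil or Leah). Layout A puts the crypto map on the MPLS-enabled core interface, the placement Peter reports as skipping IPsec for transit traffic while router-originated traffic is encrypted; Layout B moves it to the VRF-facing interface, as David and Peter report working, and leaves the core interface labeled with no crypto. All interface names, VRF name, RD, addresses (RFC 5737 ranges) and the pre-shared key are made up. The keyring and ISAKMP profile lines in Layout B are the usual IOS requirement for a crypto map applied to an interface inside a VRF; the thread does not spell those out, so treat them as an assumption about the platform rather than something the posters confirmed.

```cisco
! ==== Layout A: crypto map on the MPLS-enabled core interface ====
! Gi0/0 receives transit traffic as IP-in-MPLS and label-switches it.
! GRE-TO-PEER below is an IP ACL: it is consulted for plain IP packets
! the router originates (IKE, router-sourced GRE), but per the thread
! it never matches labeled transit packets, so those leave Gi0/1 as
! IP-in-GRE-in-MPLS with no IPsec. Addresses are constructed examples.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 192.0.2.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
ip access-list extended GRE-TO-PEER
 permit gre host 192.0.2.1 host 192.0.2.2
!
crypto map CORE-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES
 match address GRE-TO-PEER
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 mpls ip
!
interface GigabitEthernet0/1
 description core-facing: labeled AND crypto map -> transit skips IPsec
 ip address 198.51.100.1 255.255.255.252
 mpls ip
 crypto map CORE-MAP
!
! ==== Layout B: crypto map on the VRF-facing (plain IP) interface ====
! Packets are evaluated against the crypto ACL while they are still
! plain IP, before any label is imposed, so transit traffic is
! encrypted/decrypted here. Gi0/1 stays a plain labeled core interface
! with no crypto map. Keyring/ISAKMP profile: IOS VRF-aware IPsec
! setup for a peer reached through the VRF (assumed, see lead-in).
ip vrf CUST-A
 rd 64496:1
!
crypto keyring KR-CUST-A vrf CUST-A
 pre-shared-key address 10.1.1.2 key EXAMPLE-PSK-CHANGE-ME
!
crypto isakmp profile PROF-CUST-A
 vrf CUST-A
 keyring KR-CUST-A
 match identity address 10.1.1.2 255.255.255.255 CUST-A
!
ip access-list extended CUST-A-TO-PEER
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VRF-MAP 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set TS-AES
 set isakmp-profile PROF-CUST-A
 match address CUST-A-TO-PEER
!
interface GigabitEthernet0/0
 description VRF-facing: plain IP here, crypto map applies
 ip vrf forwarding CUST-A
 ip address 10.1.1.1 255.255.255.0
 crypto map VRF-MAP
!
interface GigabitEthernet0/1
 description core-facing: labeled, no crypto
 ip address 198.51.100.1 255.255.255.252
 mpls ip
!
! ==== Check: is transit traffic actually being encrypted? ====
! Send traffic from a host behind the inside interface (not a ping
! sourced on the router), then compare the SA counters before and
! after. A router-sourced ping raising the counters while host
! traffic leaves them flat is the symptom described in the thread.
!   show crypto ipsec sa | include pkts encaps|pkts decaps
!   show crypto map
```

The verification step is the part worth keeping even if the rest is adapted: testing only with router-originated traffic, as Peter notes, exercises a different path than transit traffic and will not reveal that the crypto map is being bypassed.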