[c-nsp] IPSec crypto map on MPLS enabled interface?
Peter Rathlev
peter at rathlev.dk
Sat Mar 13 06:45:00 EST 2010
On Sat, 2010-03-13 at 12:30 +0100, Gert Doering wrote:
> On Thu, Mar 11, 2010 at 06:53:46PM +0100, Peter Rathlev wrote:
> > Yes, and though I would like to use VTI the other end are not able to.
> > So that's a no go.
>
> This surprises me somewhat. The config variant you use to configure the
> IPSEC stuff on your end should be completely transparent to the other
> side, as long as the resulting packets match:
>
> - IKE phase 1 + 2 proposals
> - IKE phase 2 SA (= with crypto maps: tied to ACL lines)
> - protocol stacking (IP-in-GRE-in-IPSEC?)
Really? I thought it had to match, but of course how should the other
end know. I'll try the VTI way on this setup and report back how it
went.
--
Peter
More information about the cisco-nsp
mailing list