[c-nsp] IPSec crypto map on MPLS enabled interface?

Peter Rathlev peter at rathlev.dk
Sat Mar 13 06:45:00 EST 2010


On Sat, 2010-03-13 at 12:30 +0100, Gert Doering wrote:
> On Thu, Mar 11, 2010 at 06:53:46PM +0100, Peter Rathlev wrote:
> > Yes, and though I would like to use VTI the other end are not able to.
> > So that's a no go.
> 
> This surprises me somewhat.  The config variant you use to configure the 
> IPSEC stuff on your end should be completely transparent to the other
> side, as long as the resulting packets match:
> 
>  - IKE phase 1 + 2 proposals
>  - IKE phase 2 SA  (= with crypto maps: tied to ACL lines)
>  - protocol stacking (IP-in-GRE-in-IPSEC?)

Really? I thought it had to match, but of course how should the other
end know. I'll try the VTI way on this setup and report back how it
went.

-- 
Peter




More information about the cisco-nsp mailing list