[c-nsp] IPSec crypto map on MPLS enabled interface?
Joerg Mayer
jmayer at loplof.de
Sat Mar 13 17:13:55 EST 2010
On Sat, Mar 13, 2010 at 12:30:57PM +0100, Gert Doering wrote:
> On Thu, Mar 11, 2010 at 06:53:46PM +0100, Peter Rathlev wrote:
> > Yes, and though I would like to use VTI the other end are not able to.
> > So that's a no go.
>
> This surprises me somewhat. The config variant you use to configure the
> IPSEC stuff on your end should be completely transparent to the other
> side, as long as the resulting packets match:
>
> - IKE phase 1 + 2 proposals
> - IKE phase 2 SA (= with crypto maps: tied to ACL lines)
> - protocol stacking (IP-in-GRE-in-IPSEC?)
IIRC, VTI isn't GRE but IPinIP (Proto=4). What I'm rather sure about is,
that it isn't GRE.
Ciao
Joerg
--
Joerg Mayer <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
More information about the cisco-nsp
mailing list