[c-nsp] IPSec crypto map on MPLS enabled interface?

Rakesh Hegde rakeshh at gmail.com
Mon Mar 15 20:47:27 EDT 2010


Hi Peter,

You can use VTI GRE mode on your side and a crypto map on the remote end
device. The remote router with the crypto map needs to use the same source and
destination IP for GRE and the VPN tunnel.

-Rakesh
On Thu, Mar 11, 2010 at 11:53 AM, Peter Rathlev <peter at rathlev.dk> wrote:

> Hi Rakesh,
>
> On Thu, 2010-03-11 at 10:39 -0600, Rakesh Hegde wrote:
> > VTI tunnel protection (with or without GRE) should work as they don't
> > use a crypto map and the IPsec tunnel is built beforehand.
> > The encrypted packets will be label switched just like any other IP
> > packet.
>
> Yes, and though I would like to use VTI the other end are not able to.
> So that's a no go.
>
> > Are you sure you are encrypting the traffic when pinging the other end
> > tunnel interface ip ? Do you actually see "sh cry ipsec sa" encrypt
> > decrypt count increase when you ping ?
>
> Yes, traffic originating from the router gets encrypted. Apart from
> seeing this traffic in "pkts encaps" and "pkts decaps" I made double
> sure by having a firewall in front of the router that only allowed ESP
> and not GRE. This was also how I could see the GRE-only traffic in the
> first place.
>
> --
> Peter
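As an added illustration of the arrangement Rakesh describes (VTI with tunnel protection on the local, MPLS-enabled router and a classic crypto map on the remote router), here is an example IOS configuration pair. It is not from the original thread or from either poster; the addresses 192.0.2.1 and 198.51.100.1, the 10.0.0.0/30 tunnel subnet, the pre-shared key and all object names are assumptions chosen for illustration. The security-relevant point is that both ends must agree on the same endpoint pair: the VTI side uses it as tunnel source/destination, and the crypto-map side must select exactly that GRE flow in its crypto ACL so the IPsec proxy identities match.

```ios
! ---- Local router: MPLS-enabled uplink, GRE VTI with tunnel protection ----
! Example configuration only; addresses, names and the key are illustrative.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 198.51.100.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile PROF-GRE
 set transform-set TS-AES
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile PROF-GRE
!
! No crypto map on the physical interface: the IPsec SA is negotiated when
! Tunnel0 comes up, and the resulting ESP packets leave the uplink like any
! other IP traffic, so label switching does not bypass encryption.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 mpls ip

! ---- Remote router: classic crypto map on the physical interface ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
!
! The crypto ACL must match only the GRE flow between the two tunnel
! endpoints, using the same source/destination pair the VTI side uses for
! both GRE and IPsec; any other selector will fail proxy-ID negotiation.
ip access-list extended GRE-TO-LOCAL
 permit gre host 198.51.100.1 host 192.0.2.1
!
crypto map CM-LOCAL 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES
 match address GRE-TO-LOCAL
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 192.0.2.1
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-LOCAL
```

To check that the tunnel traffic is actually being protected rather than leaving as plain GRE, ping across the tunnel (10.0.0.1 to 10.0.0.2) and watch the "#pkts encaps" and "#pkts decaps" counters in "show crypto ipsec sa" increase on both routers; a filter in front of the router that permits ESP but drops GRE, as Peter did, is a stronger end-to-end check.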