[c-nsp] IPSec crypto map on MPLS enabled interface?
Peter Rathlev
peter at rathlev.dk
Thu Mar 18 07:12:46 EDT 2010
On Mon, 2010-03-15 at 19:47 -0500, Rakesh Hegde wrote:
> You can use VTI GRE mode on your side and crypto map on the remote end
> device. The remote router with crypto map needs to use the same
> source and destination IP for GRE and the VPN tunnel.
I got around to testing this, and I can't make it work. It seems VTI
doesn't use GRE, and I can't figure out how to make it. Since the other
end (not under our control) uses IP-in-GRE-in-IPSec I need the GRE part.
Furthermore, the setup has both the "inner" (tunnel) and "outer" (IPSec
source) in VRFs. When I try to set a VRF in the ISAKMP profile, I get
the following error in defining the IPSec profile:
  Router(config-if)#tunnel protection ipsec profile TEST
  Isakmp profile configured in Profile TEST ipsec
  profile has VRF set in it. Please remove it.
I can remove the VRF from the ISAKMP profile, add the ISAKMP profile to
the IPSec profile and then re-add the VRF to the ISAKMP profile; this
doesn't give any CLI warnings, but of course it doesn't work either.
Would anyone happen to have a working config for VTI tunnelling using
GRE and working on MPLS enabled interfaces on a 7200?
(The examples in the "IPsec Virtual Tunnel Interface" part of the Cisco
IOS Security Configuration Guide for 12.4M don't include inner+outer in
VRFs.)
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl_ps6350_TSD_Products_Configuration_Guide_Chapter.html
--
Peter
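An illustration of the configuration shape the post is asking about, added here as an example and not taken from Peter's router or from the Cisco guide he links: a GRE tunnel (the default `tunnel mode gre ip`, which is what a remote IP-in-GRE-in-IPsec peer expects) protected with an IPsec profile, with the tunnel's inside addressing in one VRF and the IPsec/GRE outer addresses in another. The VRF names INNER and OUTER, the 192.0.2.0/24 and 10.0.0.0/30 addresses, the profile, keyring and transform-set names and the pre-shared key are all placeholders. The point it is meant to show is the one the CLI error on the page already hints at: with `tunnel protection` the inside VRF is taken from `ip vrf forwarding` on the tunnel interface and the outside (front-door) VRF from `tunnel vrf` and the keyring, so the ISAKMP profile carries no `vrf` statement at all. It does not address running MPLS on the same physical interface and has not been verified on a 7200.

```cisco
! Example only, not the original poster's configuration.
! Inner (routing for tunnel payload) and outer (IPsec/GRE endpoints) VRFs.
ip vrf INNER
 rd 65000:1
!
ip vrf OUTER
 rd 65000:2
!
! The outer source address of the tunnel lives in the OUTER VRF.
interface Loopback0
 ip vrf forwarding OUTER
 ip address 192.0.2.1 255.255.255.255
!
! Keyring is bound to the front-door VRF in which IKE packets arrive.
crypto keyring KR-TEST vrf OUTER
 pre-shared-key address 192.0.2.2 key REPLACE-WITH-REAL-KEY
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! Peer is matched in the front-door VRF (last argument of match identity).
! Deliberately NO "vrf INNER" here: with tunnel protection the inside VRF
! comes from the tunnel interface, and IOS refuses the profile otherwise.
crypto isakmp profile ISAKMP-TEST
 keyring KR-TEST
 match identity address 192.0.2.2 255.255.255.255 OUTER
!
! Transport mode is sufficient because GRE already supplies the outer IP header.
crypto ipsec transform-set TS-TEST esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile TEST
 set transform-set TS-TEST
 set isakmp profile ISAKMP-TEST
!
! GRE tunnel: payload in INNER, GRE/ESP endpoints resolved in OUTER.
interface Tunnel0
 ip vrf forwarding INNER
 ip address 10.0.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel mode gre ip
 tunnel vrf OUTER
 tunnel protection ipsec profile TEST
!
! Static route so the inner VRF uses the tunnel; replace with your IGP as needed.
ip route vrf INNER 10.10.0.0 255.255.0.0 Tunnel0
```

Order matters when typing this in: apply `ip vrf forwarding` before the `ip address` on Tunnel0 (IOS clears the address when the VRF changes), and attach the ISAKMP profile to the IPsec profile before `tunnel protection` is configured. Check the result with `show crypto isakmp sa`, which should list the peer with `fvrf: OUTER` and `ivrf: INNER`, and with `show crypto ipsec sa` to confirm the SA is on Tunnel0 rather than on the physical interface.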