[c-nsp] IPSEC Remote access to MPLS VPN

Ge Moua moua0100 at umn.edu
Wed Feb 15 04:21:02 EST 2012


+ hw_platforms
     * 7206 vxr / npe-g1 / vam2+
     * 18xx ISR / 28xx ISR / 28xx ISR2
+ sw
     * 12.4 (x) T
     * 15.x (x) T

The only significant problem we ran into was for the use case of RRI: 
there was a bug that didn't populate the next-hop correctly and this had 
to be manually specified; hopefully Cisco has fixed this by now:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg41606 


Give me some time to scrub the configs and I'll send them off-line to you.

--
Regards,
Ge Moua

University of Minnesota Alumnus
Email: moua0100 at umn.edu
--


On 2/15/12 3:07 AM, ar wrote:
> Hi Ge.
>
> Thanks for your response.
> What platform did you use? 7200 also?
> Can you share your template?
> I'll try the following:
>     - site to site
>     - remote access using vpn client software (Cisco/Microsoft)
>     - SSL VPN if possible
>
> ------------------------------------------------------------------------
> *From:* Ge Moua <moua0100 at gmail.com>
> *To:* ar_djp at yahoo.com
> *Sent:* Wednesday, February 15, 2012 12:52 AM
> *Subject:* Re: [c-nsp] IPSEC Remote access to MPLS VPN
>
> We did all of the requirements you mentioned at the Univ of Minn.
>
> As you mentioned, the documentation is out there but not nicely in one 
> area of Cisco CCO land.
>
> You're looking down the right path with vrf-aware IPSec.  We 
> experimented with both flavors:
> * full blown mpls/bgp/vrf (6VPE / 4VPE)
> * vrf-lite
>
> In the end we thought doing the vrf-lite option then mapping these to 
> 6VPE / 4VPE mpls-bgp provided the best options for functionality & 
> config flexibility:
> * well defined front-door vrf to inside-vrf mapping (native ip)
> * native ip termination for front-door vrf (vs. 6vpe / 4vpe will be 
> ldp/mpls at front-door vrf & limited to default table unless you start 
> dealing with complexity of route-leaking RD/RT; violated KISS in my 
> opinion).
>
> Contact me off-list and I'll share config exemplars for what you are 
> looking for.
>
> --
> Regards,
> Ge Moua
>
> University of Minnesota Alumnus
> Email: moua0100 at umn.edu
> --
>
>
> On 2/15/12 2:09 AM, ar wrote:
> > Hi Guys.
> >
> > I would like to set up a remote access IPSEC/SSL VPN that then maps to MPLS VPN/VRFs.
> > I'm thinking of using 7206VXR as the concentrator/PE for this.
> > Remote clients will use cisco/microsoft vpn clients.
> > Site-to-site vpn will be supported too.
> >
> >
> > Does anyone have good documentation for configuration?
> > I'm reading vrf-aware ipsec but it seems to lack more configuration options.
> >
> > Any comments?
> >
> > thanks