[c-nsp] Encrypting GRE on IOS-XR ...
Bryan Holloway
bryan at shout.net
Tue Nov 26 19:44:36 EST 2024

Ok ... so looks like one needs a VSM card to do anything IPsec-ish on
the ASR9ks.

So that rules that out.

If anyone has any clever ideas, though, I'm all ears.

Apologies for the noise.

On 11/26/24 20:30, Bryan Holloway via cisco-nsp wrote:
> Follow-up:
>
> So supposedly one CAN run OSPF across an IPsec tunnel if you use non-
> broadcast mode, but I'm nervous about crypto ACLs and the potential
> ongoing maintenance required.
>
> Would still prefer a simpler IPsec-encrypted GRE tunnel solution ... :)
>
>
> On 11/26/24 19:34, Bryan Holloway via cisco-nsp wrote:
>> Use-case:
>>
>> Network with several inter-colo WAN links and decent redundancy, but
>> hey -- things break. Need to keep certain management (think VRF)
>> things working across severed portions of the network after enough
>> backhoes have had their way with us.
>>
>> Running mostly IOS-XR 6.5.3 everywhere.
>>
>> I'd like to build a couple of tunnels and run high-cost OSPF across
>> them for fail-over situations. Since OSPF generally doesn't work over
>> IPsec, I've been looking at IPsec-encrypted GRE tunnels, but I haven't
>> found any good examples (at least not using IOS-XR.) Plenty of ones
>> for IOS, but ...
>>
>> Curious if anyone in the community has made this work ...
>>
>> Or should I be looking in a different direction?
>>
>> Thank you in advance!
>>
>> - bryan
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/