[c-nsp] Encrypting GRE on IOS-XR ...

Saku Ytti saku at ytti.fi
Wed Nov 27 09:03:46 EST 2024


I don't quite understand your use-case.

What utility does the tunnel provide to you? Do you have different IP
addresses from different upstreams?
Why is crypto needed for backup/redundancy, but not for in-line?
Why would the tunnels keep working, if in-line is not working?

In any case, I don't think ASR9k has linecards that do IPsec in
hardware; like you said, you'd need a service card. Some other
platforms, like JNPR MX, would be able to do MACsec and specific forms
of IPsec on the same linecard hardware.

On Tue, 26 Nov 2024 at 21:45, Bryan Holloway via cisco-nsp
<cisco-nsp at puck.nether.net> wrote:
>
> Ok ... so looks like one needs a VSM card to do anything IPsec-ish on
> the ASR9ks.
>
> So that rules that out.
>
> If anyone has any clever ideas, though, I'm all ears.
>
> Apologies for the noise.
>
>
> On 11/26/24 20:30, Bryan Holloway via cisco-nsp wrote:
> > Follow-up:
> >
> > So supposedly one CAN run OSPF across an IPsec tunnel if you use
> > non-broadcast mode, but I'm nervous about crypto ACLs and the potential
> > ongoing maintenance required.
> >
> > Would still prefer a simpler IPsec-encrypted GRE tunnel solution ... :)
> >
> >
> > On 11/26/24 19:34, Bryan Holloway via cisco-nsp wrote:
> >> Use-case:
> >>
> >> Network with several inter-colo WAN links and decent redundancy, but
> >> hey -- things break. Need to keep certain management (think VRF)
> >> things working across severed portions of the network after enough
> >> backhoes have had their way with us.
> >>
> >> Running mostly IOS-XR 6.5.3 everywhere.
> >>
> >> I'd like to build a couple of tunnels and run high-cost OSPF across
> >> them for fail-over situations. Since OSPF generally doesn't work over
> >> IPsec, I've been looking at IPsec-encrypted GRE tunnels, but I haven't
> >> found any good examples (at least not using IOS-XR). Plenty of ones
> >> for IOS, but ...
> >>
> >> Curious if anyone in the community has made this work ...
> >>
> >> Or should I be looking in a different direction?
> >>
> >> Thank you in advance!
> >>
> >>          - bryan
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>



-- 
  ++ytti

