Luan,
To recap: applying an IPSEC crypto-map to the WAN physical interface
works, but applying IPSEC to Tunnel Protection breaks end-to-end vrf
connections. I have a feeling it is a combination of these two
statements from Cisco:
from
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml:
"There are two key differences between when you use a crypto-map and
when you use tunnel protection:
*The IPSec crypto-map is tied to the physical interface and is
checked as packets are forwarded out the physical interface. Note: The
GRE tunnel has already GRE encapsulated the packet by this point.
*Tunnel protection ties the encryption functionality to the GRE
tunnel and is checked after the packet is GRE encapsulated but before
the packet is handed to the physical interface."
and from
http://www.cisco-ri.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/ngwanearch.html#wp1000241:
" currently there are no mechanisms that allow for encryption of
labelled packets. "
So I'll stick with crypto-maps for now. I'm definitely looking into the
very interesting link you provided re: GET-VPN. Thanks again...
Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com
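As an added illustration (not Christopher's, Luan's or Cisco's configuration), here is the crypto-map variant this message says works: the same ISAKMP and transform-set values Luan posted, but with the map bound to the physical WAN interface and a crypto ACL that selects only the GRE traffic between the two tunnel endpoints. The local WAN address 172.16.0.97/30 on FastEthernet0/0, the ACL name GRE-TO-PEER and the map name WAN-MAP are assumptions; the pre-shared key "cisco" is the placeholder from Luan's config.

```cisco
! Added example, not from the thread: IPsec via crypto map on the
! physical interface instead of "tunnel protection" on Tunnel0.
! Assumed: local WAN address 172.16.0.97 on FastEthernet0/0, peer 172.16.0.98.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 172.16.0.98
crypto isakmp keepalive 10 4 periodic
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACL (assumed name). Only GRE between the two endpoints is selected,
! so the MPLS-labelled vrf packets are already inside the GRE payload when
! the map is checked on the way out of FastEthernet0/0.
ip access-list extended GRE-TO-PEER
 permit gre host 172.16.0.97 host 172.16.0.98
!
crypto map WAN-MAP 10 ipsec-isakmp
 set peer 172.16.0.98
 set transform-set TEST
 set pfs group5
 match address GRE-TO-PEER
!
interface FastEthernet0/0
 ip address 172.16.0.97 255.255.255.252
 crypto map WAN-MAP
!
! Tunnel exactly as in Luan's config, minus "tunnel protection ipsec profile foo".
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1436
 mpls ip
 mpls mtu 1508
 keepalive 1 3
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.98
```

The other router carries the mirror image (its own WAN address as the local host in the ACL, 172.16.0.97 as the peer). To confirm that the vrf traffic is actually being encrypted rather than merely forwarded, repeat the `ping vrf CustA` from the message and watch the encaps/decaps counters in `show crypto ipsec sa` for the GRE-TO-PEER entry increase by the number of echoes sent.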
-------- Original Message --------
Subject: Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)
Date: Fri, 17 Oct 2008 16:27:51 -0700
From: Christopher Hunt <[EMAIL PROTECTED]>
To: Luan Nguyen <[EMAIL PROTECTED]>
CC: 'cisco-nsp' <cisco-nsp@puck.nether.net>
References: <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
Luan,
Thanks for your excellent and detailed reply. I was able to get the
tunnels up and passing encrypted traffic (after adding the "tunnel mode
ipsec ipv4" command to the tunnel). LDP and OSPF came right up too.
The interesting bit is that I have no end-to-end vrf connectivity. In
other words:
CORE-DIA-1#sh ip ro vrf CustA
Routing Table: CustA
.....
Gateway of last resort is not set
10.0.0.0/32 is subnetted, 2 subnets
B 10.1.1.1 [200/0] via 192.168.255.252, 00:23:06
C 10.0.0.1 is directly connected, Loopback100
CORE-DIA-1#ping vrf CustA 10.1.1.1 source 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
.....
Success rate is 0 percent (0/5)
CORE-DIA-1#sho ip ro 192.168.255.252
Routing entry for 192.168.252/32
Known via "ospf 100", distance 110, metric 11112, type intra area
Last update from 10.0.0.2 on Tunnel0, 00:02:34 ago
Routing Descriptor Blocks:
* 10.0.0.2, from 192.168.255.252, 00:02:34 ago, via Tunnel0
Route metric is 11112, traffic share count is 1
It worked until I added the "tunnel protection ipsec profile foo"
bit. I can still ping loopbacks etc. in the Default-IP-Routing-Table. I
had it working in an alternate config, with a crypto map applied to the
physical interface that is the tunnel-source. Any idea why this might be?
Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com
Luan Nguyen wrote:
You could encrypt the GRE tunnel. Everything that traverses the tunnel will get
encrypted.
On CORE-DIA-1
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 172.16.0.98
crypto isakmp keepalive 10 4 periodic
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile foo
 set transform-set TEST
 set pfs group5
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1436
 mpls ip
 mpls mtu 1508
 keepalive 1 3
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.98
 tunnel protection ipsec profile foo
Just the reverse on the other side.
You, and the original poster, could do IPSEC encryption between CEs of the
MPLS VPN by using GET-VPN (if you don't want to do that encrypted L2TPv3
suggestion :))
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/product_data_sheet0900aecd80582067.html.
The CE-to-CE routing remains the same, with added security.
-------------------------------------------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
-------------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christopher Hunt
Sent: Sunday, October 05, 2008 3:01 PM
To: cisco-nsp
Subject: Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)
For simplicity's sake let's say that I have 2 7206VXRs running
advip-12.4(9)T2. They're in separate cities, each has a direct Internet feed
plus a L2 feed between them. Each one is a PE, and running L3VPNs for
customers. I use OSPF as an IGP. Everything's working great, but I want to
build VPN failover in case the L2 feed between them goes down.
Since the backup is a L3 service, MPLSoGRE seems the best option for me.
At the same time, I want to encrypt ***at least the customer vrf
traffic*** when it uses the L3 MPLSoGRE path. I'm no wiz with IPSec
unfortunately and am struggling to understand the process.
I've got the GRE Tunnels up and failing over but can't seem to understand
how to encrypt the customer data. See attached configs.
Anyone have any pointers? See
http://markmail.org/message/lob467v2oxc6my5x for original thread
onward through the fog,
Christopher Hunt
-------- Original Message --------
Subject: [c-nsp] MPLS and IPSEC co-working
From: Oliver Boehmer (oboehmer) ([EMAIL PROTECTED])
Date: 08/16/2007 09:31:25 AM
List: net.nether.puck.cisco-nsp
>Andris Zarins <> wrote on Thursday, August 16, 2007 1:44 PM:
>
>Hi,
>
>Network setup is pretty trivial - three routers running MPLS (LDP
>full-mesh) to support 20+ MPLS VPNs. Tricky part is that the customer is
>asking to secure that infrastructure by running IPSEC (3DES). As far as I
>know, I cannot run LDP over Tunnel interfaces, and crypto-maps will not
>help either. The concept of running IPSEC between CPEs doesn't make sense, as
>there are no CPEs :(
>
>Question is - is VRF-Lite plus back-to-back connectivity, like option
>A for inter-AS MPLS, the only viable option I have, or am I missing
>something and there are other, more scalable ways to do it?
well, you can run MPLSoGRE at least on SW-based platforms (like the 7200),
haven't checked for 6500/7600 or GSR.. You could also use BGP-L3VPN over
L2TPv3 and then encrypt the L2TPv3 traffic using crypto-maps..
Not a complete solution, I know..
oli
--
Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/