cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1954
Views
0
Helpful
3
Replies

VPLS over IPSEC

I have fully functioning Layer 2 MPLS running over my network on Cisco ASR 920 routers. One of the links between 2 routers is provided via a 3rd party service provider, though, which requires us to use encryption on this link to protect our data.

 

I configured a simple site-to-site VPN between these 2 routers by configuring a crypto-map on the interface between them with the crypto ACL matching interesting traffic between the loopbacks (the loopbacks which are used to create the Pseudowires).

 

The Crypto SA and IPSEC are up, OSPF is up, LDP is up, looks like everything is working, but if I do a "show crypto IPsec sa", the number of matches for encrypted/decrypted packets is too low, considering the Layer 2 traffic I am pushing through this link.

 

It looks like only LDP packets are being encrypted, not the actual encapsulated MPLS packets.

 

Am I doing something wrong, is this even supposed to work?

3 REPLIES 3
Philip D'Ath
Advisor

I don't know the answer.

 

Personally I would use GRE over IPSec, and then run the VPLS over that.  More specifically I would use a VTI interface.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/zZ-Archive/IPsec_Virtual_Tunnel_Interface.html

Thanks for your help, I tried running VPLS over plain GRE (without encryption), but cannot get traffic to pass through, somehow.

 

When I turn off MPLS on the physical interface, instead bring up a GRE tunnel and configure MPLS on the GRE tunnel, I am unable to ping across the switches in the same Vlan.

 

1. Can ping Tunnel source to destination

2. Can ping between Tunnel IPs 

3. OSPF is up between routers, advertising the Loopbacks (Via the Tunnel)

4. LDP is up between both routers

 

Would trying with the VTI tunnel be any different (I see tunnel mode is IPsec ipv4 and encryption is enabled) if it doesn't work with Plain GRE?

 

Can it be a limitation with the ASR 920 series?

 

 

 

 

1. My original plan of matching loopback IPs in the crypto ACL would obviously not work, because the interface sees MPLS labels, not IP headers

2. VTI tunnels don't seem to be supported on ASR 920s, traffic isn't forwarded over GRE tunnels.

 

1.PNG