07-31-2012 02:14 AM - edited 03-04-2019 05:07 PM
Hi
I have 2 sites, they are connected via an MPLS service.
I have a statement on both of them that creates a VPN tunnel using crypto maps; the peer address is the provider's MPLS address of the router for each site.
My question is, when I do the match address statement and then put the traffic I want encrypted in my access list, does this traffic automatically get routed to the peer address I set using the set peer command?
Or do I also need an IP route for this?
Please help,
Carl
07-31-2012 04:46 AM
Hello Carl,
You may need static routes in order for the traffic to be encrypted to be sent out the interface on which you have applied the crypto map.
Traffic, before it is encrypted, has to be routed from the internal interfaces to the MPLS-facing interface.
So the destination IP subnets of the remote end need routing entries in the IP routing table with outgoing interface = MPLS interface to work correctly.
The MPLS service provider has to provide IP routing services between the IPSec peer addresses both local and remote.
In some cases a simple default static route pointing to the MPLS interface can be enough and can be already in place.
Hope to help
Giuseppe
07-31-2012 08:02 AM
But I thought when doing the match address it would automatically send to the IP where you have done the set peer?
07-31-2012 08:09 AM
Hello Carl,
Routing is needed to reach the interface where the crypto map is applied. The encrypted traffic has destination = peer address, so at the second iteration the traffic is routed to the peer address.
If no default route exists on the node, the router simply does not know that the traffic before encryption should exit via that interface.
If a default route exists in the node and uses the same interface where the crypto map is applied, no additional routes are needed.
Hope to help
Giuseppe
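A minimal IOS configuration for one side that ties together the crypto ACL, the crypto map with its set peer, and the static routes the answer above describes. This is an added example, not configuration from the thread; every address is a constructed placeholder from the documentation ranges, and the other site mirrors it with local and remote values swapped.

```cisco
! Added example, not from the thread: site A of the pair Carl describes.
! All addresses are constructed placeholders from the documentation ranges.
! Local LAN 10.1.0.0/24, remote LAN 10.2.0.0/24.
! Provider MPLS addresses: local 192.0.2.1, remote peer 198.51.100.1, PE next hop 192.0.2.2.
!
! 1. IKE phase 1 and the IPsec transform set (pre-shared key is a placeholder)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_KEY address 198.51.100.1
crypto ipsec transform-set TS-MPLS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! 2. Crypto ACL: only local-LAN-to-remote-LAN traffic is "interesting"
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! 3. Crypto map: "set peer" says where the ESP packets go,
!    "match address" says what gets encrypted. Neither one installs a route.
crypto map CM-MPLS 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-MPLS
 match address VPN-TRAFFIC
!
! 4. The map is applied on the MPLS-facing interface and only sees packets
!    that the routing table has already sent out this interface.
interface GigabitEthernet0/0
 description MPLS uplink to provider PE
 ip address 192.0.2.1 255.255.255.0
 crypto map CM-MPLS
!
interface GigabitEthernet0/1
 description Site A LAN
 ip address 10.1.0.1 255.255.255.0
!
! 5. The two routing lookups Giuseppe describes.
!    First lookup (cleartext): the remote LAN must point out the MPLS interface,
!    otherwise the packet is dropped before the crypto map ever sees it.
ip route 10.2.0.0 255.255.255.0 192.0.2.2
!    Second lookup (ESP, destination = peer): the peer address itself must be
!    routed via the provider as well.
ip route 198.51.100.1 255.255.255.255 192.0.2.2
!    A default route "ip route 0.0.0.0 0.0.0.0 192.0.2.2" via the same interface
!    would cover both, as the thread notes.
```

`show ip route 10.2.0.0` confirms the first lookup lands on the MPLS interface; `show crypto ipsec sa` then shows whether the map is actually encapsulating packets.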
07-31-2012 05:21 AM
Hi Carl,
Do you really need to encrypt traffic? A service provider which offers an L3VPN service or any MPLS-based service is already isolating your traffic from the rest of the world by means of VRFs and dedicated redistribution over the BGP-MPLS platform up to the egress router...
Alessio