Selective IPSec Encryption on DMVPNs

aravindhs
Level 1

Hello there,

I have a DMVPN with two spokes on an MPLS-L3-IPVPN network. IPsec over GRE using crypto profiles. Works just fine. Now, the requirement is to encrypt all traffic except DSCP-EF. Tried that using PBR by setting the IP next-hop for EF packets and just normal tunnelled routing for all other traffic.

My question is, I know crypto maps which use ACLs could selectively encrypt traffic across IPsec/GRE tunnels. Crypto profiles don't seem to have that feature. Is there another way of doing this?

A config snip from the spoke is below:

===============

interface GigabitEthernet0/0.1
 description LAN i/f
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map pbr

interface Tunnel100
 ip address 172.16.254.13 255.255.254.0
 no ip redirects
 ip nhrp map 172.16.254.1 103.106.169.10
 ip nhrp map multicast 103.106.169.10
 ip nhrp network-id 1
 ip nhrp nhs 172.16.254.1
 ip nhrp shortcut
 keepalive 10 3
 tunnel source GigabitEthernet0/1.401
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-Crypto
end

router eigrp 1
 no auto-summary
 network 172.16.254.0 0.0.1.255
 eigrp log-neighbor-warnings
 eigrp log-neighbor-changes
 ! router-id
 network 10.10.10.0 0.0.0.255

route-map pbr permit 10
 match ip address pbr
 set ip next-hop 11.2.100.2
!
route-map pbr permit 20

ip access-list extended pbr
 permit icmp host 10.10.10.5 host 15.1.1.1 dscp ef
 permit icmp host 10.10.10.5 host 15.1.1.1 dscp 41
 deny   ip any any log

===============

Please note: the routing table only contains a default route learnt via EIGRP. So, if PBR entry 10 matches, policy would forward to the next-hop (PE). Otherwise, it would use 0/0 and route through the tunnel.

Many thanks in advance!

Cheers
Aravind
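As an added example (not part of the thread or the poster's configuration), a small Python model of the route-map pbr / ACL logic in the posted config. It lets you check which flows the policy actually diverts to the PE and therefore leave the CPE outside the IPsec-protected tunnel; the packets are constructed test inputs, and the IOS keyword `dscp ef` is taken as DSCP 46.

```python
# Added model (not from the thread) of the spoke's PBR policy: a LAN packet
# either matches ACL "pbr" and is sent to the PE next-hop, bypassing Tunnel100
# and its IPsec protection, or falls through to the routing table (0/0 via the
# tunnel, hence encrypted). Addresses and next-hop come from the posted config.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address

DSCP_EF = 46                 # IOS keyword "dscp ef" is DSCP 46
PE_NEXT_HOP = "11.2.100.2"   # set ip next-hop in route-map pbr seq 10

# Constructed packet: protocol name, source, destination, DSCP value
Packet = namedtuple("Packet", "proto src dst dscp")

@dataclass(frozen=True)
class Ace:
    action: str             # "permit" | "deny"
    proto: str              # "ip" matches any protocol
    src: str                # "any" or a host address
    dst: str
    dscp: "int | None" = None   # None = match any DSCP

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        for want, got in ((self.src, p.src), (self.dst, p.dst)):
            if want != "any" and ip_address(want) != ip_address(got):
                return False
        return self.dscp is None or self.dscp == p.dscp

# ip access-list extended pbr, as posted in the thread
ACL_PBR = [
    Ace("permit", "icmp", "10.10.10.5", "15.1.1.1", DSCP_EF),
    Ace("permit", "icmp", "10.10.10.5", "15.1.1.1", 41),
    Ace("deny", "ip", "any", "any"),   # in PBR a deny means "no match", not a drop
]

def acl_permits(acl, p: Packet) -> bool:
    # First matching entry wins; unmatched traffic hits the implicit deny.
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False

def pbr_decision(p: Packet):
    """Return (next hop, encrypted) for a packet arriving on Gi0/0.1."""
    if acl_permits(ACL_PBR, p):        # route-map pbr permit 10
        return PE_NEXT_HOP, False      # leaves the CPE in cleartext
    return "Tunnel100", True           # seq 20: plain routing, 0/0 via tunnel

def cleartext_flows(packets):
    """Audit helper: the flows that bypass IPsec under this policy."""
    return [p for p in packets if not pbr_decision(p)[1]]
```

Because the posted ACL matches only ICMP between two specific hosts, EF traffic of any other protocol or host pair still goes through the tunnel encrypted; cleartext_flows lists exactly what the policy sends unprotected.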

3 Replies

Richard Burts
Hall of Fame

You tell us a little about your situation but not enough about it for us to understand your environment and what is going on. You tell us that you tried using PBR but do not tell us how that turned out. So we are at a bit of a disadvantage here.

You ask a question comparing IPsec/GRE with crypto maps which perhaps we can answer without having much information about your situation. You are correct that with crypto maps you could use the ACL to encrypt some traffic while allowing some other traffic to go through the GRE tunnel unencrypted. And you are correct that with tunnels using protection profiles you do not have that choice and all traffic going through that tunnel will be encrypted.

My guess is that your attempt to use PBR was not successful. In the config snip that you show us I note that the inside interface does not have NAT enabled. Without NAT it looks like PBR would forward to the PE a packet whose source address was 10.10.10.x and the PE and the provider network probably do not accept that. Alternatives that you could consider which might achieve your requirement would be to 1) provide NAT for the traffic being forwarded to the PE or 2) Configure a standard GRE tunnel from the spoke to the hub and have PBR forward traffic over the GRE which would be unencrypted.

HTH

Rick

Hi Rick,

Thank you for your reply! PBR works fine. I am the service provider. I manage the CPE devices. No need for NAT as it's just a VPN. DMVPN works fine too.

The issue is that I cannot selectively encrypt traffic that goes across the tunnel because crypto profiles do not support ACLs.

So, I had to use PBR on the LAN i/f to direct all EF traffic to the PE (avoiding the routing table's 0/0 which is being learnt via the Tunnel).

I am trying to find out if there are other ways to achieve selective encryption (i.e. EF traffic should not be encrypted but all others should be). Not that it's not working now, but there will be issues when the CPE doesn't have a next-hop IP to a PE (for PPPoE/ADSL types of WAN connections which have a route to the dialer only).

Many thanks,

Aravind

Aravind

I thought I addressed this question when I said " you are correct that with tunnels using protection profiles that you do not have that choice and all traffic going through that tunnel will be encrypted." Perhaps that was not clear. So let me try again. As long as you use tunnel protection profiles all of the traffic going through the tunnel will be encrypted. The only alternative that you have is to change the routing logic so that EF traffic is not routed through the tunnel. And the only way that I know of to achieve that is to use PBR.

HTH

Rick