02-15-2016 04:33 AM - edited 03-05-2019 03:20 AM
Hello there,
I have a DMVPN with two spokes on an MPLS-L3-IPVPN network. IPSec over GRE using crypto profiles. Works just fine. Now, the requirement is to encrypt all traffic except DSCP-EF. Tried that using PBR by setting IP next-hop for EF packets and just normal tunnelled routing for all other traffic.
My question is, I know crypto maps which use ACLs could selectively encrypt traffic across IPSec/GRE tunnels. Crypto profiles don't seem to have that feature. Is there another way of doing this?
A config snip from the spoke is below:
===============
interface GigabitEthernet0/0.1
 description LAN i/f
 ip address 10.10.10.1 255.255.255.0
 ! PBR is applied inbound on the LAN interface
 ip policy route-map pbr
!
interface Tunnel100
 ip address 172.16.254.13 255.255.254.0
 no ip redirects
 ip nhrp map 172.16.254.1 103.106.169.10
 ip nhrp map multicast 103.106.169.10
 ip nhrp network-id 1
 ip nhrp nhs 172.16.254.1
 ip nhrp shortcut
 keepalive 10 3
 tunnel source GigabitEthernet0/1.401
 tunnel mode gre multipoint
 tunnel key 1
 ! everything routed through Tunnel100 is encrypted by the profile
 tunnel protection ipsec profile DMVPN-Crypto
!
router eigrp 1
 no auto-summary
 network 172.16.254.0 0.0.1.255
 eigrp log-neighbor-warnings
 eigrp log-neighbor-changes
 !router-id
 network 10.10.10.0 0.0.0.255
!
! Sequence 10: matched (EF) packets are sent straight to the PE next-hop
route-map pbr permit 10
 match ip address pbr
 set ip next-hop 11.2.100.2
!
! Sequence 20: no match clause, so everything else follows the routing table
route-map pbr permit 20
!
! The ACL deny makes non-EF traffic fall through to sequence 20 (0/0 via Tunnel100)
ip access-list extended pbr
 permit icmp host 10.10.10.5 host 15.1.1.1 dscp ef
 permit icmp host 10.10.10.5 host 15.1.1.1 dscp 41
 deny ip any any log
===============
Please note - the routing table only contains a default route learnt via EIGRP. So, if the PBR entry 10 passes, policy would forward to the next-hop (PE). Or else, it would use 0/0 and route through the tunnel.
Many thanks in advance!
Cheers
Aravind
02-15-2016 07:15 AM
You tell us a little about your situation but not enough about it for us to understand your environment and what is going on. You tell us that you tried using PBR but do not tell us how that turned out. So we are at a bit of a disadvantage here.
You ask a question comparing IPsec/GRE with crypto maps which perhaps we can answer without having much information about your situation. You are correct that with crypto maps you could use the ACL to encrypt some traffic while allowing some other traffic to go through the GRE tunnel unencrypted. And you are correct that with tunnels using protection profiles you do not have that choice and all traffic going through that tunnel will be encrypted.
My guess is that your attempt to use PBR was not successful. In the config snip that you show us I note that the inside interface does not have NAT enabled. Without NAT it looks like PBR would forward to the PE a packet whose source address was 10.10.10.x, and the PE and the provider network probably do not accept that. Alternatives that you could consider which might achieve your requirement would be to 1) provide NAT for the traffic being forwarded to the PE or 2) configure a standard GRE tunnel from the spoke to the hub and have PBR forward traffic over the GRE, which would be unencrypted.
HTH
Rick
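The second alternative above, written out as an added spoke-side example (not from the thread or from either poster): a plain point-to-point GRE tunnel to the hub without tunnel protection, with PBR steering only EF traffic into it. Tunnel200, the 172.16.250.0/30 addressing, the ACL name EF-CLEARTEXT and the tighter source match are assumed values; the hub would need a matching Tunnel200 with the same tunnel key, which is not shown.

```cisco
! Added example, not the original poster's config. Tunnel200, the /30 and the
! ACL name are assumptions. Tunnel100 (DMVPN, tunnel protection ipsec profile
! DMVPN-Crypto) stays exactly as already configured and keeps carrying the 0/0.
!
! Unprotected GRE to the hub. Same source and destination as the DMVPN tunnel,
! so a different tunnel key is required to tell the two GRE flows apart.
interface Tunnel200
 description Cleartext GRE to hub for EF traffic only (no tunnel protection)
 ip address 172.16.250.2 255.255.255.252
 tunnel source GigabitEthernet0/1.401
 tunnel destination 103.106.169.10
 tunnel key 2
!
! Keep the exclusion narrow: only EF from the LAN subnet leaves the encrypted path.
ip access-list extended EF-CLEARTEXT
 remark EF-marked traffic from the LAN is the only traffic sent in the clear
 permit ip 10.10.10.0 0.0.0.255 any dscp ef
!
! Sequence 10: EF goes into the cleartext GRE tunnel. A point-to-point tunnel
! interface works as the PBR target even on PPPoE/ADSL WANs with no PE next-hop IP.
route-map pbr permit 10
 match ip address EF-CLEARTEXT
 set interface Tunnel200
!
! Sequence 20: everything else follows the routing table (0/0 via Tunnel100, encrypted)
route-map pbr permit 20
!
interface GigabitEthernet0/0.1
 ip policy route-map pbr
```

To confirm the split, watch the match counter on sequence 10 in "show route-map pbr" while sending EF test traffic, and check that the encaps counters in "show crypto ipsec sa" stop increasing for that traffic while non-EF traffic still does.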
02-16-2016 04:58 AM
Hi Rick,
Thank you for your reply! PBR works fine. I am the service provider. I manage the CPE devices. No need for NAT as it's just a VPN. DMVPN works fine too.
The issue is that I cannot selectively encrypt traffic that goes across the tunnel because crypto profiles do not support ACLs.
So, I had to use PBR on the LAN i/f to direct all EF traffic to the PE (avoiding the routing table's 0/0 which is being learnt via the Tunnel).
I am trying to find out if there are other ways to achieve selective encryption (i.e. EF traffic should not be encrypted but all others should be). Not that it's not working now, but there will be issues when the CPE doesn't have a next-hop IP to a PE (for PPPoE/ADSL type of WAN connections which have a route to the dialer only).
Many thanks,
Aravind
02-16-2016 06:02 AM
Aravind
I thought I addressed this question when I said "you are correct that with tunnels using protection profiles you do not have that choice and all traffic going through that tunnel will be encrypted." Perhaps that was not clear. So let me try again. As long as you use tunnel protection profiles, all of the traffic going through the tunnel will be encrypted. The only alternative that you have is to change the routing logic so that EF traffic is not routed through the tunnel. And the only way that I know of to achieve that is to use PBR.
HTH
Rick