GET VPN and MPLS CORE

jcarvalh
Level 1

Hello.

I am doing some tests in which I am trying to have a BGP Core Free setup with GET VPN.

I have three routers   R1-------R2------R3.

R1 and R3 are the BGP speakers (OSPF+MPLS+BGP); R2 only has OSPF and MPLS configured and it is also the KS for GetVPN.

The setup works fine until I apply crypto maps to R1 and R3 interfaces that are facing R2.

Has anyone had this problem before?

When I do a debug ip icmp on R3 I see a packet stating that the router sees the ping but that the traffic is not encrypted.

I use the following ACL on R2 to encrypt traffic:

access-list 100 deny   ospf any any
access-list 100 deny   tcp any eq bgp any
access-list 100 deny   tcp any any eq bgp
access-list 100 deny   udp any eq 848 any eq 848
access-list 100 deny   udp any any eq 646
access-list 100 deny   udp any eq 646 any
access-list 100 deny   tcp any eq 646 any
access-list 100 deny   tcp any any eq 646
access-list 100 deny   udp any eq ntp any
access-list 100 deny   udp any any eq ntp
access-list 100 permit ip any any

Thanks,

João Carvalho.

3 Replies

jcarvalh
Level 1

By the way, since I am seeing my ICMP packet arriving at R3 from R1, I am assuming that GETVPN and LDP are compatible technologies.

JC

If I have only OSPF running between the routers (no BGP), it does not work if I enable LDP. It seems to be an issue between GET VPN and LDP.

Regards,

João.

jcarvalh
Level 1

Hello.

IPsec only encrypts IP packets, not labeled packets. I was hoping that the routers would put the label on only after encryption of the IP packet, but encryption comes after labeling.
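
The following is an added example, not part of the thread or any poster's code: a first-match evaluation of the ACL 100 posted above against constructed flows, showing which traffic the policy leaves in the clear and which it selects for encryption. The packet dictionaries, the `mpls_label` field and the label value are assumptions, and the rule that a labeled packet bypasses the crypto policy models the behaviour described in the last reply.

```python
# Added example: first-match evaluation of the thread's ACL 100 (constructed flows).
ACL_100 = """\
access-list 100 deny   ospf any any
access-list 100 deny   tcp any eq bgp any
access-list 100 deny   tcp any any eq bgp
access-list 100 deny   udp any eq 848 any eq 848
access-list 100 deny   udp any any eq 646
access-list 100 deny   udp any eq 646 any
access-list 100 deny   tcp any eq 646 any
access-list 100 deny   tcp any any eq 646
access-list 100 deny   udp any eq ntp any
access-list 100 deny   udp any any eq ntp
access-list 100 permit ip any any
"""
PORTS = {"bgp": 179, "ntp": 123}  # IOS port keywords used in this ACL

def parse(text):
    """Return a list of (action, proto, src_port, dst_port); None means any port."""
    rules = []
    for line in text.splitlines():
        action, proto, *rest = line.split()[2:]   # drop "access-list 100"
        ports = []
        for _ in range(2):                        # source side, then destination side
            if rest.pop(0) != "any":
                raise ValueError("only 'any' addresses are handled: " + line)
            port = None
            if rest and rest[0] == "eq":
                rest.pop(0)
                name = rest.pop(0)
                port = PORTS.get(name) or int(name)
            ports.append(port)
        rules.append((action, proto, ports[0], ports[1]))
    return rules

def crypto_decision(rules, pkt):
    """In a GET VPN policy, permit selects traffic for encryption, deny excludes it."""
    if pkt.get("mpls_label") is not None:
        # Assumption taken from the last reply: labeled packets are not seen as IP.
        return "bypass (labeled, not IP)"
    for action, proto, sport, dport in rules:
        if proto not in ("ip", pkt["proto"]):
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return "encrypt" if action == "permit" else "clear"
    return "clear"  # nothing matched: not selected for encryption
```
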