01-27-2015 01:52 AM - edited 02-21-2020 08:02 PM
Hello,
I'm trying to set up GETVPN on a router which is connected on one interface to an MPLS backbone. It does LDP with the provider router and BGP with my other sites in the MPLS cloud.
On the other interface I have sub-interfaces which are mapped to VRFs. This interface is connected to a L3 switch which has VRF configuration as well.
In this setup, when I ping from the switch loopback to the router loopback within the VRF, everything is working.
After enabling the crypto map on the sub-interface pointing to the switch, the ping fails and I get the following message:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= CUST2/10.10.81.252, src_addr= 10.10.81.5, prot= 1
When I place the crypto map on the interface facing the provider's router it is also not working, because there is no VRF configured there.
Now the $1.000.000 question: is this a supported setup, and where do I have to place the crypto map in order to make this setup work?
Thanks in advance,
Alex
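The %CRYPTO-4-RECVD_PKT_NOT_IPSEC message quoted above means the router received cleartext on an interface where the crypto map expected IPsec, which is exactly what happens when the map sits on the cleartext-ingress side. As an added example (not from this thread or from Cisco), here is a small parser that extracts the VRF, addresses and protocol from that syslog line and flags flows that repeat, so the misplacement shows up in log review; the sample log lines are constructed, only the first mirrors the message in the post.

```python
import re
from collections import Counter

# Constructed sample syslog lines; the first mirrors the message quoted in the thread.
SAMPLE_LOG = """\
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= CUST2/10.10.81.252, src_addr= 10.10.81.5, prot= 1
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= CUST2/10.10.81.252, src_addr= 10.10.81.5, prot= 1
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= CUST2/10.10.81.252, src_addr= 10.10.81.7, prot= 6
%SYS-5-CONFIG_I: Configured from console by vty0
"""

# Field layout assumed from the single message in the thread: "vrf/dest_addr= <vrf>/<dst>".
PATTERN = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?"
    r"vrf/dest_addr=\s*(?P<vrf>[^/\s]+)/(?P<dst>[\d.]+),\s*"
    r"src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)"
)


def parse_not_ipsec(line):
    """Return {vrf, dst, src, prot} for a RECVD_PKT_NOT_IPSEC line, else None."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prot"] = int(rec["prot"])  # IP protocol number, e.g. 1 = ICMP, 6 = TCP
    return rec


def summarize(log_text, threshold=2):
    """Count drops per (vrf, src, dst, prot) and return flows at or above threshold.

    A repeating flow points at a crypto map facing the cleartext side: hosts in
    the VRF keep sending plain IP to an interface that only accepts IPsec.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_not_ipsec(line)
        if rec:
            counts[(rec["vrf"], rec["src"], rec["dst"], rec["prot"])] += 1
    return {flow: n for flow, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for flow, n in summarize(SAMPLE_LOG).items():
        vrf, src, dst, prot = flow
        print(f"vrf={vrf} {src} -> {dst} proto={prot}: {n} cleartext packets dropped")
```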
01-27-2015 06:56 AM
Alex,
Can you post a topology diagram and the config before encryption, and indicate what you're trying to encrypt?
Crypto in IOS is an egress feature (i.e. it has to be enabled on the egress interface of the cleartext); no go for enabling crypto on an interface where MPLS is running (AFAIK).
PE-PE encryption would be rather an SP feature than an enterprise one.
M.
01-27-2015 07:27 AM
Hi Marcin,
Thanks for getting back to me. In the setup you see, I'd like to encrypt customer data from one site to the other. I believe the problem is that there is no outgoing interface for the VRF on my router. I attached the config of the router as well.
Regards,
Alex
01-27-2015 08:07 AM
Hey Alex,
This interface
FastEthernet0/0.800
is it where you'd expect clear text or encrypted packets to arrive? Looks like it's the cleartext.
Indeed you'd need to have some VRF awareness in that setup to make it work, and there's no way you can have ivrf=X and fvrf=global with crypto maps.
M.
01-27-2015 11:51 PM
Hey Marcin,
That's right, traffic from the LAN segment is arriving at Fa0/0.800. I guess with this setup there is no way to encrypt the traffic for the VRF, and I have to put another router between the switch and the router facing the provider's backbone.
Any other way to provide encryption through the MPLS cloud? It should be scalable; in the end I'll have around 10 VRFs in 9 different sites which require a mesh topology.
Thanks in advance,
Alex
01-28-2015 12:46 AM
Alex,
GETVPN is a feature meant for CE routers, not PEs; unless something changed (I'm mostly out of the security space for a year) you're going to have a hard time overcoming the limitations.
There was a big plan to have crypto maps working as an ingress feature, which most likely would have worked pretty nicely here, but I think that with the advent of logical interfaces it was sidelined. But anyway, we're interested in things that work.
You can check on the SP side of these forums whether they have a solution for PE-PE encryption or "encryption as a service" ... there are quite a few discussions on the interwebz, but I have not seen anything meaningful come out of it.
M.
01-28-2015 03:03 AM
Hey Marcin,
Thanks for the hints. I will continue searching for a solution.
Alex