Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
915
Views
5
Helpful
7
Replies

Selective IPSec Encryption on DMVPNs

Go to solution
aravindhs
Level 1
Level 1

‎02-15-2016 03:49 AM - edited ‎02-21-2020 08:41 PM

Hello there,

I have a DMVPN with two spokes on an MPLS-L3-IPVPN network. IPSec over GRE using crypto Profiles. WOrks just fine. Now, the requirement is to only encrypt all traffic except DSCP-EF. Tried that using PBR by setting IP-Next Hop for EF-Packets and just normal tunnelled routing for all other traffic.

My question is, i know crypto maps which use ACLs could selectively encrypt traffic across IPSec/GRE tunnels. Crypto profiles don't seem to have that feature. Is there another way of doing this ?

A Config snip from the spoke as below -

===============

interface GigabitEthernet0/0.1
desc LAN i/f
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map pbr

interface Tunnel100
 ip address 172.16.254.13 255.255.254.0
 no ip redirects
 ip nhrp map 172.16.254.1 103.106.169.10
 ip nhrp map multicast 103.106.169.10
 ip nhrp network-id 1
 ip nhrp nhs 172.16.254.1
 ip nhrp shortcut
 keepalive 10 3
 tunnel source GigabitEthernet0/1.401
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-Crypto
end

router eig 1
no auto
net 172.16.254.0 0.0.1.255
eigrp log-neighbor-warnings
eigrp log-neighbor-changes
!router-id
net 10.10.10.0 0.0.0.255

route-map pbr permit 10
 match ip address pbr
 set ip next-hop 11.2.100.2
!
route-map pbr permit 20

ip access-list extended pbr
 permit icmp host 10.10.10.5 host 15.1.1.1 dscp ef
 permit icmp host 10.10.10.5 host 15.1.1.1 dscp 41
 deny   ip any any log

===============

Please note - the routing table only contains a default route learnt via EIGRP. So, if the PBR entry 10 passes, policy would forward to the Next-hop (PE). Or else, it would use 0/0 and route thro' the tunnel.

Many thanks in advance !

Cheers
Aravind

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to aravindhs

‎02-16-2016 11:07 AM

With DMVPN, no.  You would have to go back to using just crypto maps, which only use access-lists to control what is and is not encrypted.

If the "EF" traffic was from dedicated VoIP subnets then you would have more options, as you could simply choose not to route those subnets over the Tunnel.

View solution in original post

7 Replies 7

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎02-15-2016 12:13 PM

Don't do that.  If you want to preserve the QoS markings on the outer packets use this intead on the tunnel interfaces:

interface Tunnel x
  qos pre-classify

http://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-policing/10106-qos-tunnel.html#qoscomm

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Philip D'Ath

‎02-15-2016 12:14 PM

I found this article as well describing with QoS markings are copied from the inner packets to the outer IPSec header.

https://cciethebeginning.wordpress.com/2011/02/02/qos-and-ipsec-interactions/

0 Helpful

Go to solution
aravindhs
Level 1
Level 1
In response to Philip D'Ath

‎02-16-2016 05:25 AM

Hello,

Its not about preserving QoS markings across the tunnel i/f. The issue is that I cannot selectively encrypt traffic that goes across the tunnel because crypto profiles do not support ACLs.

So, I had to use PBR on the LAN i/f to direct all EF traffic to the PE (avoiding the routing table's 0/0 which is being learnt via the Tunnel).

I am trying to find out if there are other ways to achieve selective encryption (ie.EF traffic should not be encrypted but all others should be). Not that its not working now but there will be issues when the CPE doesn't have a next-hop IP to a PE (for PPPoE/ADSL type of WAN connections which have a route to the dialer only.

Many thanks,

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to aravindhs

‎02-16-2016 10:47 AM

The PBR you have given looks like it should work to me (at least for icmp traffic marked as EF).

0 Helpful

Go to solution
aravindhs
Level 1
Level 1
In response to Philip D'Ath

‎02-16-2016 10:57 AM

The PBR works fine, yes. On DMVPNs, is there any other ways of doing selective encryption, as crypto profiles don't do acls. If not, then I will stick with PBR. 

Many thanks for your quick response. 

Cheers 

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to aravindhs

‎02-16-2016 11:07 AM

With DMVPN, no.  You would have to go back to using just crypto maps, which only use access-lists to control what is and is not encrypted.

If the "EF" traffic was from dedicated VoIP subnets then you would have more options, as you could simply choose not to route those subnets over the Tunnel.

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to aravindhs

‎02-16-2016 11:08 AM

However I still can not understand why you can't send all the traffic over the tunnel and stick to using simple DMVPN with encryption.  There is no downside.

0 Helpful
Customers Also Viewed These Support Documents