cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1062
Views
5
Helpful
7
Replies

Selective IPSec Encryption on DMVPNs

aravindhs
Level 1
Level 1

Hello there,

I have a DMVPN with two spokes on an MPLS-L3-IPVPN network. IPSec over GRE using crypto Profiles. WOrks just fine. Now, the requirement is to only encrypt all traffic except DSCP-EF. Tried that using PBR by setting IP-Next Hop for EF-Packets and just normal tunnelled routing for all other traffic.

My question is, i know crypto maps which use ACLs could selectively encrypt traffic across IPSec/GRE tunnels. Crypto profiles don't seem to have that feature. Is there another way of doing this ?

A Config snip from the spoke as below -

===============

interface GigabitEthernet0/0.1
desc LAN i/f
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map pbr

interface Tunnel100
 ip address 172.16.254.13 255.255.254.0
 no ip redirects
 ip nhrp map 172.16.254.1 103.106.169.10
 ip nhrp map multicast 103.106.169.10
 ip nhrp network-id 1
 ip nhrp nhs 172.16.254.1
 ip nhrp shortcut
 keepalive 10 3
 tunnel source GigabitEthernet0/1.401
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-Crypto
end

router eig 1
no auto
net 172.16.254.0 0.0.1.255
eigrp log-neighbor-warnings
eigrp log-neighbor-changes
!router-id
net 10.10.10.0 0.0.0.255

route-map pbr permit 10
 match ip address pbr
 set ip next-hop 11.2.100.2
!
route-map pbr permit 20

ip access-list extended pbr
 permit icmp host 10.10.10.5 host 15.1.1.1 dscp ef
 permit icmp host 10.10.10.5 host 15.1.1.1 dscp 41
 deny   ip any any log

===============

Please note - the routing table only contains a default route learnt via EIGRP. So, if the PBR entry 10 passes, policy would forward to the Next-hop (PE). Or else, it would use 0/0 and route thro' the tunnel.

Many thanks in advance !

Cheers
Aravind

1 Accepted Solution

Accepted Solutions

With DMVPN, no.  You would have to go back to using just crypto maps, which only use access-lists to control what is and is not encrypted.

If the "EF" traffic was from dedicated VoIP subnets then you would have more options, as you could simply choose not to route those subnets over the Tunnel.

View solution in original post

7 Replies 7

Philip D'Ath
VIP Alumni
VIP Alumni

Don't do that.  If you want to preserve the QoS markings on the outer packets use this intead on the tunnel interfaces:

interface Tunnel x
  qos pre-classify

http://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-policing/10106-qos-tunnel.html#qoscomm

I found this article as well describing with QoS markings are copied from the inner packets to the outer IPSec header.

https://cciethebeginning.wordpress.com/2011/02/02/qos-and-ipsec-interactions/

Hello,

Its not about preserving QoS markings across the tunnel i/f. The issue is that I cannot selectively encrypt traffic that goes across the tunnel because crypto profiles do not support ACLs.

So, I had to use PBR on the LAN i/f to direct all EF traffic to the PE (avoiding the routing table's 0/0 which is being learnt via the Tunnel).

I am trying to find out if there are other ways to achieve selective encryption (ie.EF traffic should not be encrypted but all others should be). Not that its not working now but there will be issues when the CPE doesn't have a next-hop IP to a PE (for PPPoE/ADSL type of WAN connections which have a route to the dialer only.

Many thanks,

The PBR you have given looks like it should work to me (at least for icmp traffic marked as EF).

The PBR works fine, yes. On DMVPNs, is there any other ways of doing selective encryption, as crypto profiles don't do acls. If not, then I will stick with PBR. 

Many thanks for your quick response. 

Cheers 

With DMVPN, no.  You would have to go back to using just crypto maps, which only use access-lists to control what is and is not encrypted.

If the "EF" traffic was from dedicated VoIP subnets then you would have more options, as you could simply choose not to route those subnets over the Tunnel.

However I still can not understand why you can't send all the traffic over the tunnel and stick to using simple DMVPN with encryption.  There is no downside.