Author Topic: IPSEC vrf mpls two router tunnel on behalf of J Peterson  (Read 8291 times)

Offline Administrator

  • Administrator
  • Cisco King
  • *****
  • Posts: 58
  • Reputation: 1000
  • Certification: N/A
IPSEC vrf mpls two router tunnel on behalf of J Peterson
« on: January 30, 2014, 11:42:24 PM »
Do you have a configuration for a mpls tunnel between two routers secured by IPSEC possibly with vrfs? Thank you.

Offline Administrator

  • Administrator
  • Cisco King
  • *****
  • Posts: 58
  • Reputation: 1000
  • Certification: N/A
Re: IPSEC vrf mpls two router tunnel on behalf of J Peterson
« Reply #1 on: January 30, 2014, 11:46:40 PM »
Can you please elaborate on the setup and what you are trying to achieve? Are you referring to MPLS VPN or an MPLS TE tunnel? If MPLS VPN, are you configuring your two routers as PE devices? For securing MPLS VPN traffic, IPSec is usually configured on CE devices and the IPSec header will go behind the MPLS header.

Offline jpeters092

  • Cisco Newbie
  • *
  • Posts: 4
  • Reputation: 0
  • Certification: N/A
Re: IPSEC vrf mpls two router tunnel on behalf of J Peterson
« Reply #2 on: January 31, 2014, 05:36:56 AM »
Here are the configs for the two PE routers with the mpls tunnel. The traffic in wireshark shows the mpls label but is not encrypted. I would like to do the IPSEC VTI on the PE routers as well as the mpls with the layer 2 tunnel on the Gig 0/1 interfaces. I was hoping there is a way of making a point to point tunnel similar to an encrypted VPLS with the CE routers able to be in the same subnet with no encryption or routing. Thank you.

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.151-4.M3.bin
boot-end-marker
!
!
enable password cisco
!
no aaa new-model
!
no network-clock-participate wic 0
no network-clock-participate wic 1
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!

!
redundancy
!
!
controller T1 0/0/0
!
controller T1 0/0/1
!
controller T1 0/1/0
!
controller T1 0/1/1
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.128
 ip ospf network point-to-point
!
interface GigabitEthernet0/0
 ip address 192.168.70.2 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 mpls ip
 xconnect 4.4.4.4 15 encapsulation mpls
!
interface Serial0/2/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/3/0
 no ip address
 shutdown
!
router ospf 1
 passive-interface GigabitEthernet0/1
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 transport input all
!
scheduler allocate 20000 1000
end



version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE2
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.151-4.M3.bin
boot-end-marker
!
!
enable password cisco
!
no aaa new-model
!
no network-clock-participate wic 1
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!

redundancy
!
!
controller T1 0/1/0
!
controller T1 0/1/1
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.128
 ip ospf network point-to-point
!
interface GigabitEthernet0/0
 ip address 192.168.70.3 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 mpls ip
 xconnect 2.2.2.2 15 encapsulation mpls
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/2/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3/0
 no ip address
 shutdown
!
router ospf 1
 passive-interface GigabitEthernet0/1
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 transport input all
!
scheduler allocate 20000 1000
end



Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 398
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: IPSEC vrf mpls two router tunnel on behalf of J Peterson
« Reply #3 on: February 01, 2014, 08:36:52 PM »
Here are the configs for the two PE routers with the mpls tunnel. The traffic in wireshark shows the mpls label but is not encrypted. I would like to do the IPSEC VTI on the PE routers as well as the mpls with the layer 2 tunnel on the Gig 0/1 interfaces. I was hoping there is a way of making a point to point tunnel similar to an encrypted VPLS with the CE routers able to be in the same subnet with no encryption or routing. Thank you.

I do not recall ever coming across configuration that allows you to encrypt MPLS traffic from PE to PE unless you do GRE over IPsec then run MPLS on top of that. Traffic encryption is usually the client responsibility and there are technologies like GETVPN for that.
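The GRE-over-IPsec approach MC describes, applied to the PE1 config posted above so that LDP and the Gig0/1 pseudowire ride inside ESP between the two Gig0/0 addresses. This is an added example, not a config from the thread; the pre-shared key is a placeholder, the names TS-AES256 and PROT-MPLS and the 10.0.0.0/30 tunnel subnet are assumed, and the SHA-256 options assume the 15.1(4)M3 image supports them (use esp-sha-hmac / hash sha otherwise).

```cisco
! PE1 side; PE2 mirrors it with 10.0.0.2 and tunnel destination 192.168.70.2
! IKEv1 policy and pre-shared key (placeholder value, set your own before use)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 192.168.70.3
!
! ESP in transport mode: the GRE payload (labels + CE frame) is encrypted,
! only the outer 192.168.70.x header the core needs to forward stays visible
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile PROT-MPLS
 set transform-set TS-AES256
!
! GRE tunnel between the Gig0/0 addresses, protected by IPsec, with LDP on it
! so the pseudowire label stack is built over the tunnel, not the physical link
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 mpls ip
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.70.3
 tunnel protection ipsec profile PROT-MPLS
!
! No LDP on the physical link, so no label exchange or labelled traffic in the clear
interface GigabitEthernet0/0
 no mpls ip
!
! Keep OSPF (and therefore the route to 4.4.4.4 that xconnect targets) off the
! physical link so the LSP to PE2 can only form across Tunnel0
router ospf 1
 passive-interface GigabitEthernet0/0
 passive-interface GigabitEthernet0/1
 network 0.0.0.0 255.255.255.255 area 0
!
! Attachment circuit is unchanged: the pseudowire still targets PE2's loopback
interface GigabitEthernet0/1
 xconnect 4.4.4.4 15 encapsulation mpls
```

Verify with show mpls ldp neighbor (peer reached via Tunnel0), show mpls l2transport vc 15 (state UP) and show crypto ipsec sa (encaps/decaps counters increasing while CE traffic flows). GRE, ESP and the two labels add overhead, so full-size 1500-byte CE frames will not fit through the tunnel at the default MTU; lower the CE MTU or raise the core link MTU accordingly.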

Offline jpeters092

  • Cisco Newbie
  • *
  • Posts: 4
  • Reputation: 0
  • Certification: N/A
Re: IPSEC vrf mpls two router tunnel on behalf of J Peterson
« Reply #4 on: February 14, 2014, 09:28:23 PM »
Thank you.
