Lab Minutes Forum

Technical Discussion => Security => Topic started by: Administrator on January 30, 2014, 11:42:24 PM

Title: IPSEC vrf mpls two router tunnel on behalf of J Peterson
Post by: Administrator on January 30, 2014, 11:42:24 PM
Do you have a configuration for a mpls tunnel between two routers secured by IPSEC possibly with vrfs? Thank you.
Title: Re: IPSEC vrf mpls two router tunnel on behalf of J Peterson
Post by: Administrator on January 30, 2014, 11:46:40 PM
Can you please elaborate on the setup and what you are trying to achieve? Are you referring to MPLS VPN or an MPLS TE tunnel? If MPLS VPN, are you configuring your two routers as PE devices? For securing MPLS VPN traffic, IPSec is usually configured on CE devices and the IPSec header will go behind the MPLS header.
Title: Re: IPSEC vrf mpls two router tunnel on behalf of J Peterson
Post by: jpeters092 on January 31, 2014, 05:36:56 AM
Here are the configs for the two PE routers with the mpls tunnel. The traffic in wireshark shows the mpls label but is not encrypted. I would like to do the IPSEC VTI on the PE routers as well as the mpls with the layer 2 tunnel on the Gig 0/1 interfaces. I was hoping there is a way of making a point to point tunnel similar to an encrypted VPLS with the CE routers able to be in the same subnet with no encryption or routing. Thank you.

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.151-4.M3.bin
boot-end-marker
!
!
enable password cisco
!
no aaa new-model
!
no network-clock-participate wic 0
no network-clock-participate wic 1
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!

!
redundancy
!
!
controller T1 0/0/0
!
controller T1 0/0/1
!
controller T1 0/1/0
!
controller T1 0/1/1
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.128
 ip ospf network point-to-point
!
interface GigabitEthernet0/0
 ip address 192.168.70.2 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 mpls ip
 xconnect 4.4.4.4 15 encapsulation mpls
!
interface Serial0/2/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/3/0
 no ip address
 shutdown
!
router ospf 1
 passive-interface GigabitEthernet0/1
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 transport input all
!
scheduler allocate 20000 1000
end



version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE2
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.151-4.M3.bin
boot-end-marker
!
!
enable password cisco
!
no aaa new-model
!
no network-clock-participate wic 1
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!

redundancy
!
!
controller T1 0/1/0
!
controller T1 0/1/1
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.128
 ip ospf network point-to-point
!
interface GigabitEthernet0/0
 ip address 192.168.70.3 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 mpls ip
 xconnect 2.2.2.2 15 encapsulation mpls
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/2/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3/0
 no ip address
 shutdown
!
router ospf 1
 passive-interface GigabitEthernet0/1
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 transport input all
!
scheduler allocate 20000 1000
end


Title: Re: IPSEC vrf mpls two router tunnel on behalf of J Peterson
Post by: MC on February 01, 2014, 08:36:52 PM
Quote from jpeters092: Here are the configs for the two PE routers with the mpls tunnel. The traffic in wireshark shows the mpls label but is not encrypted. I would like to do the IPSEC VTI on the PE routers as well as the mpls with the layer 2 tunnel on the Gig 0/1 interfaces. I was hoping there is a way of making a point to point tunnel similar to an encrypted VPLS with the CE routers able to be in the same subnet with no encryption or routing. Thank you.

I do not recall ever coming across a configuration that allows you to encrypt MPLS traffic from PE to PE unless you do GRE over IPsec and then run MPLS on top of that. Traffic encryption is usually the client's responsibility, and there are technologies like GETVPN for that.
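As an added illustration (not the poster's configuration, and not verified on the 15.1(4)M image in the thread), this is what the GRE-over-IPsec approach MC describes could look like on PE1: the LDP/IGP adjacency moves onto a protected GRE tunnel so the pseudowire's MPLS labels ride inside ESP. The tunnel subnet 10.0.0.0/30, the names TS and PE-PROTECT, and SHA-2 support in the image are assumptions; the pre-shared key is a placeholder, and the Loopback0 and Gig0/1 xconnect stanzas stay as posted. PE2 mirrors this with the source/destination and tunnel addresses swapped.

```cisco
! --- IKEv1 phase 1 (assumed policy values; key is a placeholder) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.168.70.3
!
! --- phase 2: transport mode is enough because GRE already encapsulates ---
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile PE-PROTECT
 set transform-set TS
!
! --- GRE tunnel between the PE underlay addresses, protected by IPsec ---
! LDP and OSPF run here, so the transport label for 4.4.4.4 is learned
! over the tunnel and the xconnect traffic is encrypted end to end.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip ospf network point-to-point
 ip mtu 1400
 mpls ip
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.70.3
 tunnel protection ipsec profile PE-PROTECT
!
! --- underlay: plain IP only; no LDP, otherwise labels could bypass
! the tunnel over the directly connected link ---
interface GigabitEthernet0/0
 ip address 192.168.70.2 255.255.255.0
 no mpls ip
!
! --- OSPF covers only the loopback and the tunnel; the underlay /24 is
! left out so the tunnel endpoint is never learned through the tunnel ---
router ospf 1
 passive-interface GigabitEthernet0/1
 network 2.2.2.2 0.0.0.0 area 0
 network 10.0.0.0 0.0.0.3 area 0
```

After both sides are configured, `show crypto ipsec sa` should show encaps/decaps counters climbing on the Tunnel0 SA and `show mpls l2transport vc` should list VC 15 as UP; a capture on the 192.168.70.0/24 link should then show only ESP, with no visible MPLS label.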
Title: Re: IPSEC vrf mpls two router tunnel on behalf of J Peterson
Post by: jpeters092 on February 14, 2014, 09:28:23 PM
Thank you.