Lab Minutes Forum
Technical Discussion => Security => Topic started by: Administrator on January 30, 2014, 11:42:24 PM
-
Do you have a configuration for a mpls tunnel between two routers secured by IPSEC possibly with vrfs? Thank you.
-
Can you please elaborate on the setup and what you are trying to achieve? Are you referring to an MPLS VPN or an MPLS TE tunnel? If MPLS VPN, are you configuring your two routers as PE devices? For securing MPLS VPN traffic, IPSec is usually configured on CE devices and the IPSec header will go behind the MPLS header.
-
Here are the configs for the two PE routers with the mpls tunnel. The traffic in wireshark shows the mpls label but is not encrypted. I would like to do the IPSEC VTI on the PE routers as well as the mpls with the layer 2 tunnel on the Gig 0/1 interfaces. I was hoping there is a way of making a point to point tunnel similar to an encrypted VPLS with the CE routers able to be in the same subnet with no encryption or routing. Thank you.
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.151-4.M3.bin
boot-end-marker
!
!
enable password cisco
!
no aaa new-model
!
no network-clock-participate wic 0
no network-clock-participate wic 1
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
!
redundancy
!
!
controller T1 0/0/0
!
controller T1 0/0/1
!
controller T1 0/1/0
!
controller T1 0/1/1
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.128
ip ospf network point-to-point
!
interface GigabitEthernet0/0
ip address 192.168.70.2 255.255.255.0
duplex auto
speed auto
mpls ip
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
mpls ip
xconnect 4.4.4.4 15 encapsulation mpls
!
interface Serial0/2/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/3/0
no ip address
shutdown
!
router ospf 1
passive-interface GigabitEthernet0/1
network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
transport input all
!
scheduler allocate 20000 1000
end

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE2
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.151-4.M3.bin
boot-end-marker
!
!
enable password cisco
!
no aaa new-model
!
no network-clock-participate wic 1
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
redundancy
!
!
controller T1 0/1/0
!
controller T1 0/1/1
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.128
ip ospf network point-to-point
!
interface GigabitEthernet0/0
ip address 192.168.70.3 255.255.255.0
duplex auto
speed auto
mpls ip
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
mpls ip
xconnect 2.2.2.2 15 encapsulation mpls
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/2/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3/0
no ip address
shutdown
!
router ospf 1
passive-interface GigabitEthernet0/1
network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
transport input all
!
scheduler allocate 20000 1000
end
-
I do not recall ever coming across a configuration that allows you to encrypt MPLS traffic from PE to PE unless you do GRE over IPsec and then run MPLS on top of that. Traffic encryption is usually the client's responsibility, and there are technologies like GETVPN for that.
-
Thank you.
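The GRE-over-IPsec approach mentioned in the reply above, written out as an added example for PE1 (this is not configuration from either poster). It reuses the thread's addresses and xconnect; the tunnel subnet 10.0.0.0/30, the pre-shared key and the cipher and hash choices are assumptions and must match what the IOS image supports.

```text
! Added example, not from the original posts: PE1 side of MPLS over GRE over IPsec.
! Reuses the thread's addressing (PE1 Gi0/0 192.168.70.2, PE2 Gi0/0 192.168.70.3,
! loopbacks 2.2.2.2 and 4.4.4.4); the tunnel subnet 10.0.0.0/30, the PSK and the
! cipher choices are assumptions. PE2 mirrors this with the addresses swapped.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 192.168.70.3
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES
!
! GRE carries the MPLS label stack; IPsec protects the GRE packet, so the
! pseudowire frames and the label are no longer visible on the wire.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip ospf network point-to-point
 mpls ip
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.70.3
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-PROF
!
! The underlay link no longer runs LDP or OSPF, so PE2's loopback is reachable
! only through the protected tunnel and the xconnect is forced across it.
interface GigabitEthernet0/0
 ip address 192.168.70.2 255.255.255.0
 no mpls ip
!
interface GigabitEthernet0/1
 no ip address
 xconnect 4.4.4.4 15 encapsulation mpls
!
router ospf 1
 passive-interface default
 no passive-interface Tunnel0
 network 2.2.2.2 0.0.0.0 area 0
 network 10.0.0.0 0.0.0.3 area 0
```

Budget the tunnel MTU for the GRE, ESP and MPLS overhead, since the pseudowire carries full Ethernet frames from the CE routers. Confirm the pseudowire is actually using the tunnel by checking that the encaps/decaps counters in show crypto ipsec sa rise while CE-to-CE traffic flows.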