IPSec VPN to MPLS (PE)

Unanswered Question
Aug 23rd, 2009

Guys, is it possible to set up a site-to-site IPsec VPN to an MPLS-enabled router using a Cisco ASA (ASA5520 --> MPLS)? Is there any configuration problem I need to be aware of?

Many thanks in advance.

Peter Paluch Mon, 08/24/2009 - 08:55

Hello Benjamin,

Can you explain in more detail what you are trying to achieve? In a usual MPLS VPN data service provided to you by your ISP, you do not see any MPLS - it is only inside the ISP's network - so you can treat the existing VPN simply as a pure IP network. Setting up an ASA-provided IPsec tunnel should not be a problem.

Please try to be more specific as to what position the ASA should be in - the C or CE router? - and also on what device that tunnel should terminate - on another CE router, or a different one?

Best regards,

Peter

benjamingarcia Mon, 08/24/2009 - 15:42

Apologies for not being clear (MPLS is not my expertise). Basically, we have requested our hosting provider to create an IPsec tunnel between two sites. Our end is an ASA5520, but the other end (hosting site) seems to be an MPLS VPN, based on the configuration they have sent to us; that is why I asked whether it is possible to terminate an IPsec VPN coming from an ASA5520 on an MPLS VPN router interface. Do I make sense now? Many thanks for the reply.

shivlu jain Mon, 08/24/2009 - 21:20

I think MPLS is not known to the ASA 5520. It would be better if the SP is providing MPLS, and it has nothing to do with the CPE end.

regards

shivlu jain

Peter Paluch Tue, 08/25/2009 - 01:23

Benjamin,

Would it be possible for you to post here the configuration your ISP has given you for the remote end? It would probably be more clear then.

The usual practice with MPLS VPNs is that only the provider's routers are running MPLS. The internal routers are called P (provider), the edge routers connecting to customers are called PE (provider edge). Both P and PE are managed by the ISP and they run MPLS. The routers in the customer's possession are similarly called CE (customer edge) and C (customer), but none of the customer routers run MPLS. Sometimes a CE router can also be managed by the ISP; it depends largely on the type of support contract.

I am basically trying to find out what the type and present configuration of the other endpoint is - whether it is a PE (I strongly doubt this!), CE or C router. The configuration that your ISP has given you might help to solve this question.

Best regards,

Peter

Giuseppe Larosa Tue, 08/25/2009 - 11:33

Hello Peter/Benjamin,

I think the provider is suggesting that it is going to use VRF-aware IPsec to provide a backup path via the internet.

This shouldn't be a problem for the ASA if the other device just uses IPsec; in the communication no MPLS is really used.

Simply, the internal network will be inside a VRF, as it is at the regular site.

Hope to help

Giuseppe

Peter Paluch Tue, 08/25/2009 - 14:03

Hello Giuseppe,

Nice to hear from you again :-)

I was thinking about a similar idea as you indicated. I hope that the configuration that the ISP gave to Ben will ultimately explain what this is going to be.

Best regards,

Peter

benjamingarcia Tue, 08/25/2009 - 15:38

Thank you all for all your input.

One thing to clarify: our ASA is sitting behind our ISP router, and the hosting provider is located somewhere on the internet (outside our ISP network).

Here is the config sent by the hosting provider, which I believe is an MPLS VPN configuration. The engineer is trying to terminate our ASA IPsec VPN into this config. Will it work?

! Customer-specific VRF (separate routing table on the provider router)
ip vrf vs319776
 description vfi240 - CLIENT1 vs319776
 rd 7496:319776
 maximum routes 10 100
!
! IKE pre-shared key for the customer's ASA, selected by its address (203.x.x.7)
crypto keyring vs319776
  pre-shared-key address 203.x.x.7 key --omitted--
!
! ISAKMP profile tied to the VRF; the peer is matched by its IKE identity address
crypto isakmp profile vs319776
   vrf vs319776
   keyring vs319776
   match identity address 203.x.x.7 255.255.255.255
   keepalive 10 retry 2
!
! Dynamic crypto map entry: the provider only responds to the ASA, and
! reverse-route injection (RRI) inserts the negotiated subnets into the VRF
crypto dynamic-map VPN 390
 set transform-set 3dessha 3desmd5
 set isakmp-profile vs319776
 match address vs319776
 reverse-route
!
interface FastEthernet2/0.673
 ip vrf forwarding vs319776
!
ip route vrf vs319776 210.x.x.192 255.255.255.255 202.x.x.206
ip route vrf vs319776 210.x.x.200 255.255.255.255 202.x.x.206
!
! Crypto ACL ("interesting traffic"); the ASA's crypto ACL must be its mirror image
ip access-list extended vs319776
 permit ip 10.1.1.192 0.0.0.7 202.x.x.206 0.0.0.7
 permit ip 10.1.1.200 0.0.0.7 202.x.x.206 0.0.0.7
 deny ip host 0.0.0.0 any
end

Our ASA configuration is the normal ASA IPsec L2L config.

Peter Paluch Wed, 08/26/2009 - 01:44

Hello Benjamin,

This should work without any problems. The configuration your hosting provider sent you simply shows that he is creating a separate routing table (the VRF vs319776) for you but the remainder of the configuration is mostly usual, except that all crypto configuration on his part has to be tied to the specific VRF. You should configure your ASA as usual without any special configuration regarding MPLS or any of this stuff.

Best regards,

Peter
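As an added example (not posted in this thread, and not the hosting provider's or Cisco's own configuration), here is what the matching ASA 5520 LAN-to-LAN side would look like in pre-8.3 ASA syntax, written against the provider config above. Assumptions, all marked in the comments: the ASA's outside interface carries 203.x.x.7 itself (the address the provider's ISAKMP profile matches, so no NAT may sit between the ASA and the provider); 192.0.2.1 is a placeholder for the provider's public peer address, which the thread does not give; the local network 202.x.x.200/29 is derived from the provider's ACL entry "202.x.x.206 0.0.0.7" (wildcard 0.0.0.7 is a /29, so the block is .200-.207); the x's are kept as in the thread and must be replaced with the real octets; the interface names, object names and policy numbers are arbitrary.

```cisco
! --- Added example ASA 5520 configuration (hypothetical, pre-8.3 syntax) ---
! The provider's ISAKMP profile matches "identity address 203.x.x.7", so the
! ASA must present its address as its IKE identity and must own that address.
crypto isakmp identity address
crypto isakmp enable outside
!
! Phase 1 policy: pre-shared key, 3DES and SHA, matching the provider's
! transform-set naming (3dessha); group 2 is an assumption, confirm with provider.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Tunnel group keyed by the provider's peer address (192.0.2.1 is a placeholder).
! The pre-shared key must equal the one in the provider's "crypto keyring vs319776".
! The DPD values mirror the provider's "keepalive 10 retry 2".
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key --same-key-as-provider-keyring--
 isakmp keepalive threshold 10 retry 2
!
! Crypto ACL: exact mirror of the provider's "ip access-list extended vs319776".
! Local side first (202.x.x.200/29, derived from "202.x.x.206 0.0.0.7"),
! remote hosted networks second (10.1.1.192/29 and 10.1.1.200/29).
access-list outside_cryptomap extended permit ip 202.x.x.200 255.255.255.248 10.1.1.192 255.255.255.248
access-list outside_cryptomap extended permit ip 202.x.x.200 255.255.255.248 10.1.1.200 255.255.255.248
!
! NAT exemption for the tunnelled traffic (only needed if the ASA NATs the inside network).
nat (inside) 0 access-list outside_cryptomap
!
! Phase 2: 3DES/SHA, one of the two transform sets the provider's dynamic map offers.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Static crypto map entry pointing at the provider; no PFS, since the provider's
! dynamic-map entry shows none.
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 192.0.2.1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
```

Two practical consequences of the provider's side being a crypto dynamic-map: the provider cannot initiate the tunnel, so the ASA must bring it up by sending traffic from the local /29 towards one of the hosted 10.1.1.x networks, and the ASA's crypto ACL has to be the precise mirror of the provider's ACL or the Phase 2 proxy-ID check fails. Once traffic has been sent, "show crypto isakmp sa" and "show crypto ipsec sa" on the ASA show whether Phase 1 and Phase 2 came up; nothing on the ASA refers to MPLS or the VRF, exactly as Peter describes above.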
