IPSEC & bridge interface

Unanswered Question
Oct 20th, 2009
User Badges:

Hi all, I have two 2801 that extend my lan using a 2Mbit SDH link.

I have bridged ethernet with serial interfaces on each router. (I can't use L2TPv3 or routing)


Now, how can I do if I want to encrypt traffic between serial interfaces?


I have tried with a crypto map on two serial and an access-list with "ip any any" but doesn't work.


Any suggestion?


Thanks Pasqu.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Richard Burts Tue, 10/20/2009 - 09:34
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Pasqu


If I am understanding your post correctly you have configured the routers to do forwarding at layer 2 between Ethernet and Serial interfaces on each router and layer 2 forwarding between serial interfaces between routers. This means that you have disabled layer 3 processing of IP on those interfaces. But IPSec is an IP process (running at layer 3). I do not see how you can implement layer 3 IPSec on interfaces forwarding at layer 2.


Perhaps it might be possible to maintain the router config and to implement some external encryptor connecting at the serial interface and have it perform encryption.


HTH


Rick

epasqualotto Tue, 10/20/2009 - 13:31
User Badges:

I have tried also to make a tunnel interface between serials and encrypt it (ipsec over gre).

But next I can't bridge ethernet with tunnel.


Pasqu.

Richard Burts Tue, 10/20/2009 - 13:57
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Pasqu


Yes the IPSec with GRE wants to encrypt IP (layer 3) packets but you are bridging layer 2 Ethernet frames. So IPSec/GRE will not work. I do not have experience with it, but from what I have read I believe that L2TP may be your best chance at getting this to work - and I know that your original post says that you can not use L2TP. Other than the external encryptors I am not sure what could get this to work.


HTH


Rick

Actions

This Discussion