GETVPN in CsC MPLS

alex.dersch
Level 4

Hello,

I'm trying to set up GETVPN on a router which is connected on one interface to an MPLS backbone. It does LDP with the provider router and BGP with my other sites in the MPLS cloud.

On the other interface I have sub-interfaces which are mapped to VRFs. This interface is connected to a L3 switch which has VRF configuration as well.

In this setup, when I ping from the switch loopback to the router loopback within the VRF, everything is working.

After enabling the crypto map on the sub-interface pointing to the switch, the ping fails and I get the following message:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= CUST2/10.10.81.252, src_addr= 10.10.81.5, prot= 1

When I place the crypto map on the interface facing the provider's router it is also not working, because there is no VRF configured there.

Now the $1.000.000 question: is this a supported setup, and where do I have to place the crypto map in order to make this setup work?

Thanks in advance,

Alex
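The %CRYPTO-4-RECVD_PKT_NOT_IPSEC message quoted above means the router's crypto engine received cleartext on an interface whose crypto map expected IPsec, which is exactly what a misplaced crypto map looks like in syslog. As an added example that is not part of the thread, the Python below parses such lines and tallies them per VRF and address pair so the symptom shows up as a count instead of a scrolling log; the sample log lines are constructed, and the message variant without the `vrf/` prefix (global routing table) is an assumed format.

```python
import re

# Constructed sample syslog excerpt. Lines 1-2 mirror the message quoted in the post;
# line 3 is an assumed global-table variant (no "vrf/" prefix); line 4 is unrelated noise.
SAMPLE_LOG = """\
Jan 10 12:00:01.123: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= CUST2/10.10.81.252, src_addr= 10.10.81.5, prot= 1
Jan 10 12:00:02.456: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= CUST2/10.10.81.252, src_addr= 10.10.81.5, prot= 1
Jan 10 12:00:03.789: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.0.2.10, src_addr= 198.51.100.7, prot= 6
Jan 10 12:00:04.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# Matches both the VRF-tagged form ("vrf/dest_addr= VRF/ADDR") and the plain "dest_addr= ADDR" form.
PATTERN = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC: .*?\(ip\) "
    r"(?:vrf/dest_addr= (?P<vrf>[^/\s]+)/(?P<dst>[^,\s]+)|dest_addr= (?P<dst_g>[^,\s]+)), "
    r"src_addr= (?P<src>[^,\s]+), prot= (?P<prot>\d+)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_not_ipsec(line):
    """Return a dict describing one cleartext-arrival event, or None if the line is not one."""
    m = PATTERN.search(line)
    if not m:
        return None
    proto = int(m.group("prot"))
    return {
        "vrf": m.group("vrf") or "global",
        "dst": m.group("dst") or m.group("dst_g"),
        "src": m.group("src"),
        "proto": PROTO_NAMES.get(proto, str(proto)),
    }


def summarize(log_text):
    """Count events per (vrf, src, dst, proto); a source that keeps retrying collapses into one row."""
    counts = {}
    for line in log_text.splitlines():
        ev = parse_not_ipsec(line)
        if ev:
            key = (ev["vrf"], ev["src"], ev["dst"], ev["proto"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (vrf, src, dst, proto), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"vrf={vrf:<8} {src} -> {dst} {proto}: {n} cleartext packet(s) on an IPsec-expecting interface")
```

Any row in this summary for a VRF whose traffic was supposed to be encrypted is a sign the crypto map sits on the wrong interface, as in the setup described in this thread.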


Marcin Latosiewicz
Cisco Employee

Alex, 

Can you post a topology diagram and the config from before encryption, and indicate what you're trying to encrypt?

Crypto in IOS is an egress feature (i.e. it has to be enabled on the egress interface of the cleartext); enabling crypto on an interface where MPLS is running is a no-go (AFAIK).

PE-PE encryption would be an SP feature rather than an enterprise one.

M. 


Hi Marcin,

Thanks for getting back to me. In the setup you see, I'd like to encrypt customer data from one site to the other. I believe the problem is that there is no outgoing interface for the VRF on my router. I attached the config of the router as well.


regards

Alex

Hey Alex, 


This interface, FastEthernet0/0.800, is it where you'd expect cleartext or encrypted packets to arrive? Looks like it's the cleartext.


Indeed you'd need to have some VRF awareness in that setup to make it work, and there's no way you can have ivrf=X and fvrf=global with crypto maps. 


M.


Hey Marcin,


That's right, traffic from the LAN segment is arriving at Fa0/0.800. I guess with this setup there is no way to encrypt the traffic for the VRF, and I have to put another router between the switch and the router facing the provider's backbone.

Any other way to provide encryption through the MPLS cloud? It should be scalable; in the end I'll have around 10 VRFs in 9 different sites which require a mesh topology.

Thanks in advance,

Alex

Alex, 

GetVPN is a feature meant for CE routers not PEs, unless something changed (I'm mostly out of security space for a year) you're going to have a hard time overcoming the limitations. 

There was a big plan to have crypto maps working as an ingress feature, which most likely would have worked pretty nicely here, but I think that with the advent of logical interfaces it was sidelined. But anyway, we're interested in things that work.

You can check on the SP side of these forums whether they have a solution for PE-PE encryption or "encryption as a service" ... there are quite a few discussions on the interwebz, but I have not seen anything meaningful come out of it.

M. 

Hey Marcin,


Thanks for the hints. I will continue searching for a solution.

Alex