Cisco Support Community

New Member

What's the right IPSec architecture in this case?

I need to set up IPSec tunnels between my internal network and a remote client network. Carriers' MPLS cloud is in between. Here is how it looks:

My internal net --- my edge rtr --- carrier edge rtr --- (carrier cloud) --- carrier edge rtr --- client edge rtr --- client net

Should I set up IPSec on the carrier rtr's interfaces across from their cloud or on the interfaces of my edge rtr and client's edge rtr?

It may make better sense to do it on the carrier's routers but that would have to work through carriers (time consuming). If I do it on my router and client's router, does it still have to have IPSec config added to the carrier's routers?

Thanks a lot



Re: What's the right IPSec architecture in this case?

Providing all the routing has already been configured on the ISP routers, then it would be better to configure the VPN on your routers.

For one, it's time consuming for the ISP to configure the VPN as you mentioned. For two, it would be more flexible providing you have full control of the VPN.

In fact, assuming the VPN is configured between your routers, the ISP routers need no extra config.
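
An added example, not part of the original reply: a minimal crypto-map site-to-site configuration for "my edge rtr" in the topology above, showing that the tunnel terminates entirely on the two customer-managed routers. All addresses, names and the key placeholder are constructed for illustration (documentation address ranges), and the algorithm keywords assume an IOS release that supports SHA-256 and DH group 14.

```cisco
! --- My edge rtr (constructed values; mirror on the client edge rtr
! --- with the peer address and ACL source/destination reversed)
!
! IKE phase 1 policy: must match the policy on the client edge rtr
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Pre-shared key bound to the remote peer only (placeholder, not a real key)
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
!
! IPSec phase 2: ESP with encryption and integrity, tunnel mode
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: my internal net -> client net
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map TO-CLIENT 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256
 match address 101
!
! Interface facing the carrier edge rtr
interface GigabitEthernet0/0
 description Link to carrier edge rtr
 ip address 192.0.2.1 255.255.255.252
 crypto map TO-CLIENT
```

The carrier routers only need to route between the two peer addresses (192.0.2.1 and 198.51.100.1 here); they forward the resulting IKE (UDP 500) and ESP (IP protocol 50) packets like any other traffic and never see the inner 10.x addresses or payload.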

New Member

Re: What's the right IPSec architecture in this case?

The reason to create IPSec tunnel is to protect data over shared link.

If carrier edge rtr is managed by you then you can have either of the options.

- Navnit
