Re: IPSEC over MPLS (CE-to-CE)

From: Alexei Monastyrnyi <alexeim73_at_gmail.com>
Date: Fri, 15 Jun 2012 21:18:14 +1000

Hi.
Your setup is quite generic and the MPLS network is actually transparent to
you, so you can basically apply any of the IPSec VPN solutions. Just pick the
one you are most comfortable supporting, starting with a static crypto map
on the PE-facing interfaces of the CEs. If you have any scalability in mind for
the future you might have a look at sVTI with IPSec protection or DMVPN.

In your shoes I would build a quick Dynamips setup with two PEs
connected back to back and two CEs peering with PEs. Try different IPSec
setups between the CEs and see which one you like best.

GETVPN is a bit of an overkill for a point-to-point tunnel IMO.

HTH
A.

On 6/15/2012 2:56 PM, Mahmoud Genidy wrote:
> Hi Team,
>
> I'm looking for the simplest way to configure an IPSEC over MPLS CE-to-CE.
>
> It is just a point-to-point MPLS link (two sites). Routing CE to PE is BGP
> on both sides. Routes between the two sites are currently interchanged
> through redistribution inside the BGP at both sites.
>
> To the best of my understanding, what I plan to do is:
>
> - Configure a GRE tunnel between the two CE routers in which the IPSEC
> encryption will be applied.
>
> - Configure a second routing protocol to run over the GRE tunnel to
> interchange routes between the two sites, for example OSPF
>
> - Configure a static route in each site to reach the other end's tunnel
> source through the MPLS link
>
> - No routes need to be interchanged through the MPLS "BGP" link, maybe
> only a default route
>
> Would anyone validate/recommend another solution?
>
> Cheers
> Mahmoud
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Fri Jun 15 2012 - 21:18:14 ART

This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:52 ART
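
An added example, not part of the original thread: one CE's side of the GRE-over-IPsec plan discussed above (tunnel protected by an IPsec profile, OSPF over the tunnel, static route to the remote tunnel source). All interface names, addresses, profile names and the key placeholder are constructed assumptions, the algorithm keywords depend on the IOS release, and the PE-CE link addresses are assumed to be reachable across the MPLS VPN.

```cisco
! CE1 (constructed values; CE2 mirrors this with the addresses swapped)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key: replace with a long random secret, different per peer
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-CE esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile PROF-CE
 set transform-set TS-CE
 set pfs group14
!
! PE-facing interface, used as the tunnel source
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ! Leave room for GRE + ESP overhead so packets are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ! All GRE traffic on this tunnel is encrypted; no crypto ACL is needed
 tunnel protection ipsec profile PROF-CE
!
! Remote tunnel source is reached through the PE, never through the tunnel
! (a static /32 also prevents recursive routing once OSPF comes up)
ip route 203.0.113.2 255.255.255.255 198.51.100.1
!
! Site prefixes are exchanged only over the tunnel. Keeping them out of the
! PE-CE BGP session means traffic cannot fall back to the unencrypted path
! if the tunnel goes down.
router ospf 1
 passive-interface default
 no passive-interface Tunnel0
 network 10.255.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.0.255 area 0
```

After both ends are configured, `show crypto ipsec sa` should show the encaps/decaps counters rising while `show ip route ospf` lists the remote site prefixes via Tunnel0.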