Re: IPSEC over MPLS (CE-to-CE)

From: Joe Astorino <joeastorino1982_at_gmail.com>
Date: Fri, 15 Jun 2012 10:48:48 -0400

Mahmoud,

While your solution is something most of us would consider "duct tape
and twine" I have seen that exact configuration work over an MPLS
network. GRE over IPSEC over MPLS using VTI. It is simple...not
eloquent but simple and it works.

On Fri, Jun 15, 2012 at 7:18 AM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
> Hi.
> Your setup is quite generic and the MPLS network is actually transparent to
> you, so you can basically apply any of the IPSec VPN solutions. Just pick the
> one you are most comfortable supporting, starting with a static crypto map
> on the PE-facing interfaces of the CEs. If you have any scalability in mind for
> the future you might have a look at sVTI with IPSec protection or DMVPN.
>
> In your shoes I would build a quick Dynamips setup with two PEs
> connected back to back and two CEs peering with PEs. Try different IPSec
> setups between the CEs and see which one you like best.
>
> GETVPN is a bit of an overkill for point to point tunnel IMO.
>
> HTH
> A.
>
> On 6/15/2012 2:56 PM, Mahmoud Genidy wrote:
>> Hi Team,
>>
>> I'm looking for the simplest way to configure an IPSEC over MPLS CE-to-CE.
>>
>> It is just a point to point MPLS link (Two sites). Routing CE to PE is BGP
>> on both sides. Routes between the two sites are currently interchanged
>> through redistribution inside the BGP at both sites.
>>
>> As of my best understanding, what I plan to do is:
>>
>> - Configure a GRE tunnel between the two CE routers in which the IPSEC
>> encryption will be applied.
>>
>> - Configure a second routing protocol to run over the GRE tunnel to
>> interchange routes between the two sites, for example OSPF
>>
>> - Configure a static route in each site to reach the other end's tunnel
>> source through the MPLS link
>>
>> - No routes need to be interchanged through the MPLS "BGP" link, maybe
>> only a default route
>>
>> Would anyone validate/recommend another solution?
>>
>> Cheers
>> Mahmoud
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
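A worked configuration for the plan Mahmoud lays out (GRE tunnel between the two CEs, IPsec applied to it with a tunnel protection profile, OSPF as the second routing protocol over the tunnel, and a static host route to the peer's tunnel source via the local PE). This is an added example, not configuration posted by anyone in the thread. The hostnames, addresses, AS numbers, OSPF area, pre-shared key and the IOS 15.x IKEv1 syntax are assumptions chosen for illustration; only the site A CE is shown in full, and site B mirrors it with the addresses swapped.

```cisco
! ---- Site A CE (added example, not the poster's config) ----
! Assumed addressing: Gi0/0 198.51.100.1/30 faces PE-A (198.51.100.2);
! the site B CE is 203.0.113.1/30 behind PE-B (203.0.113.2); LAN A is 192.168.1.0/24.
hostname CE-A
!
! IKEv1 phase 1: AES-256 / SHA-256 / DH group 14, PSK shared with CE-B
! (on images older than 15.x use "hash sha" and "esp-sha-hmac" below)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-change-me address 203.0.113.1
!
! Phase 2: transport mode is enough because GRE already supplies the outer IP header
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-AES256
!
! GRE tunnel between the PE-facing CE addresses, encrypted by the profile.
! For the sVTI variant mentioned in the thread, add "tunnel mode ipsec ipv4"
! (drops the GRE header; IP unicast/multicast only).
interface Tunnel0
 description GRE/IPsec to CE-B across the MPLS service
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
interface GigabitEthernet0/0
 description to PE-A
 ip address 198.51.100.1 255.255.255.252
!
! Second routing protocol, as in the plan: OSPF runs only over the tunnel and the LAN
router ospf 1
 passive-interface default
 no passive-interface Tunnel0
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! BGP to the PE now carries nothing from the site: no network statements and
! no redistribution, so no site traffic can take the cleartext MPLS path.
! If the PE sends a default route, the /32 static below still wins on longest match.
router bgp 65001
 neighbor 198.51.100.2 remote-as 65000
!
! Host route to the peer tunnel source via the PE. Keeping the endpoint out of
! OSPF avoids recursive routing (the tunnel destination learned through the tunnel).
ip route 203.0.113.1 255.255.255.255 198.51.100.2
!
! ---- Site B CE: the same, mirrored ----
! crypto isakmp key EXAMPLE-PSK-change-me address 198.51.100.1
! interface Tunnel0: ip address 10.255.0.2 255.255.255.252
!   tunnel source GigabitEthernet0/0, tunnel destination 198.51.100.1
! router bgp 65002 / neighbor 203.0.113.2 remote-as 65000
! ip route 198.51.100.1 255.255.255.255 203.0.113.2
```

To check it, confirm phase 1 with `show crypto isakmp sa` (state QM_IDLE), watch the `#pkts encaps` and `#pkts decaps` counters in `show crypto ipsec sa` climb as you ping across the tunnel, and confirm the OSPF adjacency on Tunnel0 with `show ip ospf neighbor`. Two things a practitioner should keep in mind: the `/32` static is what stops the tunnel from flapping if the peer's WAN subnet is ever advertised through the tunnel, and the MTU/MSS settings exist because GRE plus ESP overhead otherwise pushes full-size frames over the 1500-byte PE-CE link and silently breaks TCP sessions that rely on fragmentation.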
Received on Fri Jun 15 2012 - 10:48:48 ART

This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:52 ART