I don't quite understand your use-case. What utility does the tunnel provide to you? Do you have different IP addresses from different upstreams? Why is crypto needed for backup/redundancy, but not for in-line? Why would the tunnels keep working, if in-line is not working?
In any case, I don't think ASR9k has linecards that do IPSEC on hardware; like you said, you'd need a service card. Some other platforms, like JNPR MX, would be able to do MACSEC and specific forms of IPSEC on the same linecard hardware.

On Tue, 26 Nov 2024 at 21:45, Bryan Holloway via cisco-nsp <[email protected]> wrote:
>
> Ok ... so looks like one needs a VSM card to do anything IPsec-ish on
> the ASR9ks.
>
> So that rules that out.
>
> If anyone has any clever ideas, though, I'm all ears.
>
> Apologies for the noise.
>
>
> On 11/26/24 20:30, Bryan Holloway via cisco-nsp wrote:
> > Follow-up:
> >
> > So supposedly one CAN run OSPF across an IPsec tunnel if you use
> > non-broadcast mode, but I'm nervous about crypto ACLs and the potential
> > ongoing maintenance required.
> >
> > Would still prefer a simpler IPsec-encrypted GRE tunnel solution ... :)
> >
> >
> > On 11/26/24 19:34, Bryan Holloway via cisco-nsp wrote:
> >> Use-case:
> >>
> >> Network with several inter-colo WAN links and decent redundancy, but
> >> hey -- things break. Need to keep certain management (think VRF)
> >> things working across severed portions of the network after enough
> >> backhoes have had their way with us.
> >>
> >> Running mostly IOS-XR 6.5.3 everywhere.
> >>
> >> I'd like to build a couple of tunnels and run high-cost OSPF across
> >> them for fail-over situations. Since OSPF generally doesn't work over
> >> IPsec, I've been looking at IPsec-encrypted GRE tunnels, but I haven't
> >> found any good examples (at least not using IOS-XR.) Plenty of ones
> >> for IOS, but ...
> >>
> >> Curious if anyone in the community has made this work ...
> >>
> >> Or should I be looking in a different direction?
> >>
> >> Thank you in advance!
> >>
> >> - bryan
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list [email protected]
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
  ++ytti
