-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
Sent: March-09-10 7:36 AM
To: Phil Mayers
Cc: cisco-nsp
Subject: Re: [c-nsp] IPSec crypto map on MPLS enabled interface?
On Tue, 2010-03-09 at 10:49 +0000, Phil Mayers wrote:
> > I the tried changing the ISAKMP profile VRF, et voila, it worked.
:-)
> >
> > I have reloaded the box to make sure it's not just good luck that it
> > works now. It seems to work fine after a reload, with MPLS on the
core
> > facing interfaces.
>
>> Interesting. Are the packets arriving at the box labelled?
>Yes, though just with the VPN label because of penultimate hop popping.
>And the encrypted traffic leaves the box tagged too.
Saw the same thing on a 7600 w/ vpn module. Due to penultimate hop
popping the packets were unlabled and because isis & mpls were
configured on the tunnel interface traffic wouldn't egress properly
without explicit null on the decapsulating node. Also found this
configuration works with SRE code.
Tim
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
