Cat 6500 IPsec support in software

Unanswered Question
Apr 13th, 2007
User Badges:

My question is: Are there limitations/nuances for configuring IPSec tunnels on Catalyst 6500s in software (without the VPN module).

I recently took over a management of a Catalyst 6500 and have run into a roadblock while trying to configure an IPSec tunnel. The tunnel comes up fine, I don't see any errors on either end, the SAs/IPs match, and the "interesting traffic ACLs" are incrementing as expected on both ends.

The problem is I can't ping across the tunnel. I thought this was a routing problem but the static route from the 6500 to the remote private server is in the routing table correctly.

All the configurations I've seen online are using the 6500 VPN Module. I can't believe that we would have to pay for a whole new card to set up 1 IPSec Tunnel. I think there has to be some nuance with the 6500 that I'm not aware of.

Thanks ahead of time.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Fri, 04/20/2007 - 00:35
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


Please don't shoot the messenger :-) but i believe that you can only use a VPN tunnel in software to manage the switch.

If you want to create VPN tunnels for any other purpose you need an IPSEC VPN Module or an IPSEC VPN SPA.

I know, it's a pain. The FWSM has the same limititation. A standalon pix supports multiple VPN tunnels but the FWSM only supports VPN tunnels for management.


pdesch Mon, 04/23/2007 - 12:12
User Badges:


Thanks for the reply, that's what I figured. But just to clarify, you are saying that you can use a VPN tunnel to manage the switch...which is all we want to do anyway.

But what exactly does that mean? I figured it would support ICMP and SNMP across the tunnel which is all we want...but ICMP doesn't seem to be working.

Thanks ahead of time


This Discussion