IPSec tunnel not work

Answered Question
Nov 6th, 2008

i have 2 Cat6, one with IPsec SPA card, while the other doesn't have.

I tried setting IPsec tunnel between them, but somehow cannot bring up the tunnel, can someone help me to look at the configure?

A(with SPA):

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 5

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10

crypto ipsec transform-set testT1 esp-aes 256 esp-sha-hmac

!

crypto ipsec profile P1

set transform-set testT1

!

crypto call admission limit ike sa 3000

!

crypto call admission limit ike in-negotiation-sa 115

!

interface Tunnel962

ip unnumbered Loopback962

tunnel source GigabitEthernet2/37.962

tunnel destination 172.16.16.6

tunnel mode ipsec ipv4

tunnel protection ipsec profile P1

interface GigabitEthernet2/37.962

encapsulation dot1Q 962

ip address 172.16.16.5 255.255.255.252

interface Loopback962

ip address 1.1.4.200 255.255.255.255

ip route 2.2.4.200 255.255.255.255 Tunnel962

B(wuthout SPA):

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 5

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac

!

crypto ipsec profile P1

set transform-set T1

interface Tunnel200

ip unnumbered Loopback200

tunnel source GigabitEthernet2/1.1

tunnel destination 172.16.16.5

tunnel mode ipsec ipv4

tunnel protection ipsec profile T1

interface Loopback200

ip address 2.2.4.200 255.255.255.255

interface GigabitEthernet2/1.1

encapsulation dot1Q 962

ip address 172.16.16.6 255.255.255.252

ip route 1.1.4.200 255.255.255.255 Tunnel200

I can ping from 172.16.16.6 to 172.16.16.5, but tunnel just cannot up. when I turned on "debug cry ipsec" and "debug cry isa" nothing come out, when I trun on "debug cry enginee", I got:

"00:25:17: crypto_engine_select_crypto_engine: can't handle any more"

Correct Answer by ajagadee about 8 years 3 months ago

Hi,

You need an IPSEC SPA Card on Chassis B to do IPSEC Encryption. Please refer the below URL for details.

Without a SPA-IPSEC-2G or IPsec VPN Acceleration Services Module, the IPsec Network Security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches and Cisco 7600 series routers.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html

Regards,

Arul

*Pls rate if it helps*

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
Correct Answer
ajagadee Thu, 11/06/2008 - 04:51

Hi,

You need an IPSEC SPA Card on Chassis B to do IPSEC Encryption. Please refer the below URL for details.

Without a SPA-IPSEC-2G or IPsec VPN Acceleration Services Module, the IPsec Network Security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches and Cisco 7600 series routers.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html

Regards,

Arul

*Pls rate if it helps*

Actions

This Discussion