11-06-2008 01:03 AM - edited 02-21-2020 04:01 PM
I have 2 Cat6, one with an IPsec SPA card, while the other doesn't have one.
I tried setting up an IPsec tunnel between them, but somehow cannot bring up the tunnel. Can someone help me look at the configuration?
A(with SPA):
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set testT1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile P1
set transform-set testT1
!
crypto call admission limit ike sa 3000
!
crypto call admission limit ike in-negotiation-sa 115
!
interface Tunnel962
ip unnumbered Loopback962
tunnel source GigabitEthernet2/37.962
tunnel destination 172.16.16.6
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
interface GigabitEthernet2/37.962
encapsulation dot1Q 962
ip address 172.16.16.5 255.255.255.252
interface Loopback962
ip address 1.1.4.200 255.255.255.255
ip route 2.2.4.200 255.255.255.255 Tunnel962
B(without SPA):
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile P1
set transform-set T1
interface Tunnel200
ip unnumbered Loopback200
tunnel source GigabitEthernet2/1.1
tunnel destination 172.16.16.5
tunnel mode ipsec ipv4
tunnel protection ipsec profile T1
interface Loopback200
ip address 2.2.4.200 255.255.255.255
interface GigabitEthernet2/1.1
encapsulation dot1Q 962
ip address 172.16.16.6 255.255.255.252
ip route 1.1.4.200 255.255.255.255 Tunnel200
I can ping from 172.16.16.6 to 172.16.16.5, but the tunnel just cannot come up. When I turned on "debug cry ipsec" and "debug cry isa", nothing came out. When I turned on "debug cry engine", I got:
"00:25:17: crypto_engine_select_crypto_engine: can't handle any more"
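An added example, not part of the original posts and not Cisco tooling: a Python cross-check of the two posted configurations. It verifies that each side's tunnel protection profile resolves to a defined transform-set, that the peers share a transform, and that each tunnel destination is the peer's tunnel source address. The names `parse` and `check` are hypothetical, and the check reads configuration text only; it says nothing about whether a chassis has crypto hardware.

```python
# Relevant lines copied from the two configurations posted in the question.
CONFIG_A = """
crypto ipsec transform-set testT1 esp-aes 256 esp-sha-hmac
crypto ipsec profile P1
set transform-set testT1
interface Tunnel962
tunnel source GigabitEthernet2/37.962
tunnel destination 172.16.16.6
tunnel protection ipsec profile P1
interface GigabitEthernet2/37.962
ip address 172.16.16.5 255.255.255.252"""
CONFIG_B = """
crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac
crypto ipsec profile P1
set transform-set T1
interface Tunnel200
tunnel source GigabitEthernet2/1.1
tunnel destination 172.16.16.5
tunnel protection ipsec profile T1
interface GigabitEthernet2/1.1
ip address 172.16.16.6 255.255.255.252"""

def parse(cfg):
    """Extract transform-sets, profiles, interface addresses and tunnel settings."""
    out, ctx = {"ts": {}, "prof": {}, "addr": {}, "tun": {}}, None
    for w in map(str.split, cfg.splitlines()):
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            out["ts"][w[3]] = " ".join(w[4:])       # set name -> transforms
        elif w[:3] == ["crypto", "ipsec", "profile"] or w[:1] == ["interface"]:
            ctx = w[-1]                             # section the next lines belong to
        elif w[:2] == ["set", "transform-set"]:
            out["prof"][ctx] = w[2]                 # profile -> transform-set name
        elif w[:2] == ["ip", "address"]:
            out["addr"][ctx] = w[2]                 # interface -> IPv4 address
        elif w[:1] == ["tunnel"]:
            out["tun"][w[1]] = w[-1]                # source / destination / protection
    return out

def check(local, peer):
    """List findings for one side's config measured against its peer's."""
    loc, rem, found = parse(local), parse(peer), []
    prof = loc["tun"].get("protection")
    if loc["prof"].get(prof) not in loc["ts"]:
        found.append(f"profile {prof!r} does not resolve to a transform-set")
    if not set(loc["ts"].values()) & set(rem["ts"].values()):
        found.append("no transform-set in common with peer")
    if loc["tun"].get("destination") != rem["addr"].get(rem["tun"].get("source")):
        found.append("tunnel destination is not the peer's tunnel source address")
    return found
```

Calling `check(CONFIG_A, CONFIG_B)` returns no findings, while `check(CONFIG_B, CONFIG_A)` reports that the profile name `T1` given on `tunnel protection` has no matching `crypto ipsec profile` in the lines shown for B.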
11-06-2008 04:51 AM
Hi,
You need an IPSEC SPA Card on Chassis B to do IPSEC Encryption. Please refer to the URL below for details.
Without a SPA-IPSEC-2G or IPsec VPN Acceleration Services Module, the IPsec Network Security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches and Cisco 7600 series routers.
Regards,
Arul
*Pls rate if it helps*