IPSec tunnel does not work

shibindong
Level 1

I have 2 Cat6, one with an IPsec SPA card, while the other doesn't have one.

I tried setting up an IPsec tunnel between them, but somehow cannot bring up the tunnel. Can someone help me look at the configuration?

A (with SPA):

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set testT1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile P1
 set transform-set testT1
!
crypto call admission limit ike sa 3000
!
crypto call admission limit ike in-negotiation-sa 115
!
interface Tunnel962
 ip unnumbered Loopback962
 tunnel source GigabitEthernet2/37.962
 tunnel destination 172.16.16.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
interface GigabitEthernet2/37.962
 encapsulation dot1Q 962
 ip address 172.16.16.5 255.255.255.252
interface Loopback962
 ip address 1.1.4.200 255.255.255.255
ip route 2.2.4.200 255.255.255.255 Tunnel962

B (without SPA):

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile P1
 set transform-set T1
interface Tunnel200
 ip unnumbered Loopback200
 tunnel source GigabitEthernet2/1.1
 tunnel destination 172.16.16.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile T1
interface Loopback200
 ip address 2.2.4.200 255.255.255.255
interface GigabitEthernet2/1.1
 encapsulation dot1Q 962
 ip address 172.16.16.6 255.255.255.252
ip route 1.1.4.200 255.255.255.255 Tunnel200

I can ping from 172.16.16.6 to 172.16.16.5, but the tunnel just cannot come up. When I turned on "debug cry ipsec" and "debug cry isa", nothing came out; when I turned on "debug cry engine", I got:

"00:25:17: crypto_engine_select_crypto_engine: can't handle any more"
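
An added example, not part of the original post or of any Cisco tooling: a small Python lint that cross-checks the profile and transform-set names in the two configurations posted above and flags the wildcard pre-shared key. The function name `lint_ipsec` and the finding labels are hypothetical; on B it reports that Tunnel200 references a profile named T1 while the only profile defined there is P1, which is separate from the hardware question raised in this thread.

```python
import re

# Constructed excerpts of the two posted configurations (crypto and tunnel lines only).
CONFIG_A = """
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set testT1 esp-aes 256 esp-sha-hmac
crypto ipsec profile P1
set transform-set testT1
interface Tunnel962
tunnel protection ipsec profile P1
"""
CONFIG_B = """
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac
crypto ipsec profile P1
set transform-set T1
interface Tunnel200
tunnel protection ipsec profile T1
"""

def lint_ipsec(config):
    """Return findings for dangling IPsec references and wildcard pre-shared keys."""
    tsets, profiles, tunnels, findings = set(), {}, {}, []
    profile = iface = None  # configuration sub-mode we are currently inside
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            tsets.add(m[1])
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            profile, iface = m[1], None
            profiles[profile] = []
        elif (m := re.match(r"set transform-set (.+)", line)) and profile:
            profiles[profile] += m[1].split()
        elif m := re.match(r"interface (\S+)", line):
            iface, profile = m[1], None
        elif (m := re.match(r"tunnel protection ipsec profile (\S+)", line)) and iface:
            tunnels[iface] = m[1]
        elif (m := re.match(r"crypto isakmp key .+ address (\S+)", line)) and m[1] == "0.0.0.0":
            findings.append("wildcard-psk: key is valid for any peer address")
    # Cross-check the references once the whole configuration has been read.
    for name, sets in profiles.items():
        findings += [f"undefined-transform-set: profile {name} -> {ts}"
                     for ts in sets if ts not in tsets]
    findings += [f"undefined-profile: {ifc} -> {p}"
                 for ifc, p in tunnels.items() if p not in profiles]
    return findings

if __name__ == "__main__":
    for name, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
        print(name, lint_ipsec(cfg))
```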

Accepted Solutions

ajagadee
Cisco Employee

Hi,

You need an IPSEC SPA Card on Chassis B to do IPSEC Encryption. Please refer to the URL below for details.

Without a SPA-IPSEC-2G or IPsec VPN Acceleration Services Module, the IPsec Network Security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches and Cisco 7600 series routers.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html

Regards,

Arul

*Pls rate if it helps*
