Help with IPSEC? Can you apply crypto map to SVI?

Unanswered Question
Jun 17th, 2009

Hi All,

Got a problem with a site-to-site IPSEC vpn implementation where one end is using an SVI (e.g. interface vlan 10).

Does anybody know if a crypto map can be applied to an SVI to bring up the IPSEC tunnel? It accepts the command but I can't pass any traffic to/from it.

interface vlan 10
 crypto map MY-MAP

Or do you need to apply the crypto map to a physical interface?

I've gotten it working on a sub-interface (e.g. interface GigabitEthernet0/0.11) but can't find any documentation that talks about applying it to an SVI and whether this will work. Anybody tried it using SVIs before?

This is to be done on a Cisco 7606 (sup720).

Thanks.

Andy

Jerry Ye Thu, 06/18/2009 - 05:10

Hi Andy,

Crypto connect will work on SVI, I've done it before, with SCC-400 and VPN-SM. Is that what you are using?

HTH,

jerry

asaykao73 Thu, 06/18/2009 - 15:32

Hi Jerry,

I'm not that cluey with all the hardware on the box itself, but here's what we have on the box.

core1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)
cisco CISCO7606 (R7000) processor (revision 1.0) with 983008K/65536K bytes of memory.
Processor board ID FOX092502NB
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
Bridging software.
TN3270 Emulation software.
228 Virtual Ethernet/IEEE 802.3 interfaces
124 Gigabit Ethernet/IEEE 802.3 interfaces
4 Ten Gigabit Ethernet/IEEE 802.3 interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102

core1#sh mod
Mod Ports Card Type                              Model
--- ----- -------------------------------------- ------------------
  1    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  2    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  3    24 CEF720 24 port 1000mb SFP              WS-X6724-SFP
  4     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B
  6     2 Supervisor Engine 720 (Hot)            WS-SUP720-3B

Mod  Sub-Module                  Model              Hw      Status
---- --------------------------- ------------------ ------- -------
   1 Centralized Forwarding Card WS-F6700-CFC       4.0     Ok
   2 Centralized Forwarding Card WS-F6700-CFC       2.1     Ok
   3 Centralized Forwarding Card WS-F6700-CFC       4.0     Ok
   4 Centralized Forwarding Card WS-F6700-CFC       4.1     Ok
   5 Policy Feature Card 3       WS-F6K-PFC3B       2.1     Ok
   5 MSFC3 Daughterboard         WS-SUP720          2.3     Ok
   6 Policy Feature Card 3       WS-F6K-PFC3B       2.3     Ok
   6 MSFC3 Daughterboard         WS-SUP720          3.0     Ok

Based on the specs above, is this box capable of establishing an IPSEC tunnel by applying the crypto map to the SVI???

Thanks.

Andy

asaykao73 Thu, 06/18/2009 - 15:40

OK, a bit of digging around, and the answer is "no": we're not using the SCC-400 (Cisco Services SPA Carrier-400) on this box.

http://www.cisco.com/en/US/products/ps6917/index.html

Does this mean that you cannot establish an IPSEC tunnel by applying the crypto map to the SVI? I can apply the command but not sure if this is all that is needed to be done to get it working or if we need the SCC-400???

Cheers.

Andy

Jerry Ye Thu, 06/18/2009 - 18:53

Hi Andy,

It is not supported to use IPSec without any hardware encryption module in the 6500. The reason is it requires a lot of CPU cycles for encryption and it will degrade the switch's performance without the service module (HW encryption).

I am quoting this from the release note:

Without a SPA-IPSEC-2G or IPsec VPN Acceleration Services Module, the IPsec Network Security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches and Cisco 7600 series routers.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html#wp2782875

Also noticed that you are using IP Services, but crypto ipsec is only available in the Advanced IP Services feature set.

HTH,

jerry

asaykao73 Thu, 06/18/2009 - 19:02

Hi Jerry,

I've been able to get it working on an SVI without the SCC-400 module and understand that this will all take place in software. We'll be sure to keep an eye on the CPU to see how it handles this.

We are only creating a single ipsec vpn tunnel for some secure transactions and will be pulling data about once a month from it.

Not too sure what you meant by the use of "crypto ipsec" only being available with the Adv IP Services feature set. I've been able to get some form of ipsec working on the IP Services feature set and can see packets being encapsulated and decapsulated when I do a "show crypto ipsec sa" - am I missing something here???

My config is pretty simple.

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key XXXXX address 202.134.236.x
!
!
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
!
crypto map E-BILLING 1 ipsec-isakmp
 set peer 202.134.236.x
 set transform-set STRONG
 match address 102
!
interface Loopback2
 description Test loopback for IPSec VPN
 ip address 192.168.198.1 255.255.255.0
!
interface Vlan904
 description E-BILLING GATEWAY
 ip address 202.45.118.x 255.255.255.252
 ip flow ingress
 crypto map E-BILLING
!
ip route 192.168.199.0 255.255.255.0 Vlan904
!
access-list 102 permit ip 192.168.198.0 0.0.0.255 192.168.199.0 0.0.0.255

Thanks.

Andy
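The config above shows how the pieces of an IOS crypto-map tunnel reference each other: the peer in the crypto map needs a matching ISAKMP pre-shared key, the transform set and the match ACL must exist, the map must be applied to an interface, and traffic to the protected destination has to leave through that interface or it is never encrypted. As an added example (not code from the thread, the poster, or Cisco), the following Python cross-checks those references in a config of this shape. SAMPLE_CONFIG is condensed from the posted config; the masked "x" octets are replaced with constructed placeholder values, and the function and dictionary names are this example's own.

```python
# Added example for this thread, not the poster's or Cisco's code. SAMPLE_CONFIG is
# condensed from the config posted above; the masked 'x' octets are constructed values.
import ipaddress

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key XXXXX address 202.134.236.10
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
crypto map E-BILLING 1 ipsec-isakmp
 set peer 202.134.236.10
 set transform-set STRONG
 match address 102
interface Loopback2
 ip address 192.168.198.1 255.255.255.0
interface Vlan904
 ip address 202.45.118.1 255.255.255.252
 crypto map E-BILLING
ip route 192.168.199.0 255.255.255.0 Vlan904
access-list 102 permit ip 192.168.198.0 0.0.0.255 192.168.199.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverse masks: 0.0.0.255 means /24 and 0.0.0.0 means /32."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def acl_net(tokens, i):
    """Parse one ACL address spec ('any', 'host A' or 'A WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_config(text):
    """Collect the objects a crypto map ties together from IOS config text."""
    cfg = {"keys": set(), "transform_sets": set(), "maps": {}, "interfaces": {}, "acls": {}, "routes": []}
    block = None  # dict of the crypto map or interface whose sub-commands follow
    for line in text.splitlines():
        w = line.split()
        if not w or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command: ends any open block
            block = None
            if w[:3] == ["crypto", "isakmp", "key"]:  # pre-shared key bound to a peer address
                cfg["keys"].add(w[w.index("address") + 1])
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform_sets"].add(w[3])
            elif w[:2] == ["crypto", "map"]:
                block = cfg["maps"].setdefault(w[2], {"peers": set(), "transform_sets": set(), "acls": set()})
            elif w[0] == "interface":
                block = cfg["interfaces"].setdefault(w[1], {"crypto_map": None, "addresses": []})
            elif w[0] == "access-list":
                cfg["acls"].setdefault(w[1], []).append(w[2:])
            elif w[:2] == ["ip", "route"]:
                cfg["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False), w[4]))
        elif block is None:
            continue  # sub-command of something not tracked here (e.g. an isakmp policy)
        elif w[:2] == ["set", "peer"]:
            block["peers"].add(w[2])
        elif w[:2] == ["set", "transform-set"]:
            block["transform_sets"].update(w[2:])
        elif w[:2] == ["match", "address"]:
            block["acls"].add(w[2])
        elif w[:2] == ["ip", "address"]:
            block["addresses"].append(ipaddress.ip_interface(f"{w[2]}/{w[3]}"))
        elif w[:2] == ["crypto", "map"]:
            block["crypto_map"] = w[2]
    return cfg

def audit(cfg):
    """Return findings as strings; an empty list means every reference resolves."""
    out = []
    applied = {i["crypto_map"]: n for n, i in cfg["interfaces"].items() if i["crypto_map"]}
    local = [a.ip for i in cfg["interfaces"].values() for a in i["addresses"]]
    for name, cm in cfg["maps"].items():
        out += [f"{name}: no ISAKMP pre-shared key for peer {p}" for p in cm["peers"] - cfg["keys"]]
        out += [f"{name}: transform-set {t} is not defined" for t in cm["transform_sets"] - cfg["transform_sets"]]
        if name not in applied:
            out.append(f"{name}: crypto map is not applied to any interface")
        for acl in cm["acls"]:
            if acl not in cfg["acls"]:
                out.append(f"{name}: match address {acl} references a missing ACL")
                continue
            for t in cfg["acls"][acl]:
                if t[:2] != ["permit", "ip"]:
                    continue  # deny entries and port-qualified tcp/udp entries are skipped
                src, i = acl_net(t, 2)
                dst, _ = acl_net(t, i)
                if not any(a in src for a in local):
                    out.append(f"ACL {acl}: source {src} covers no local interface address")
                # Traffic is only encrypted if it leaves through the crypto-map interface; routes
                # whose next hop is an IP address (first char a digit) are not resolved here.
                via = [tok for net, tok in cfg["routes"] if dst.subnet_of(net) and not tok[0].isdigit()]
                if via and name in applied and applied[name] not in via:
                    out.append(f"ACL {acl}: {dst} routes out {via[0]}, not {applied[name]}")
    return out

def audit_text(text):
    return audit(parse_config(text))
```

`audit_text(SAMPLE_CONFIG)` returns an empty list for the posted shape; change the `set peer` address so it no longer matches the `crypto isakmp key ... address` line, drop the `crypto map` line from the interface, or point the static route out a different interface, and the corresponding finding is reported. The checks are static and say nothing about whether IKE actually negotiates, so they complement rather than replace `show crypto isakmp sa` and `show crypto ipsec sa` on the box.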

Jerry Ye Thu, 06/18/2009 - 19:15

Hi Andy,

I am quoting the feature set information from the release note. I believe that applies to both SCC-400 and VPN-SM.

Just checked your configuration and I don't see any issue. But like I said in the previous post, applying crypto without a HW encryption module is not supported on the 6500, which really means if you call Cisco TAC for any issue, they will ask you to take that off for any further troubleshooting.

HTH,

jerry
