IPSEC tunnel between 2 7606 PE

Answered Question
Nov 12th, 2009

I am trying to create an IPSec tunnel between two 7606 PE routers. I am getting this error when I ping across, and also, if I start using the path, LDP drops down.


Nov 12 16:32:22.801 EST: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.10.135.1, remote= 10.10.135.2,
    local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)
Nov 12 16:32:22.801 EST: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.10.135.1, remote= 10.10.135.2,
    local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 190s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Nov 12 16:32:22.801 EST: ISAKMP:(0): SA request profile is test
Nov 12 16:32:22.801 EST: ISAKMP: Created a peer struct for 10.10.135.2, peer port 500
Nov 12 16:32:22.801 EST: ISAKMP: New peer created peer = 0x5326A08C peer_handle = 0x8000001A
Nov 12 16:32:22.801 EST: ISAKMP: Locking peer struct 0x5326A08C, refcount 1 for isakmp_initiator
Nov 12 16:32:22.801 EST: ISAKMP: local port 500, remote port 500
Nov 12 16:32:22.801 EST: ISAKMP: Unable to allocate IKE SA
Nov 12 16:32:22.801 EST: ISAKMP: Unlocking peer struct 0x5326A08C for isadb_unlock_peer_delete_sa(), count 0
Nov 12 16:32:22.801 EST: ISAKMP: Deleting peer node by peer_reap for 10.10.135.2: 5326A08C
Nov 12 16:32:22.801 EST: ISAKMP:(0):purging SA., sa=0, delme=532E8364
PE2#
Nov 12 16:32:22.801 EST: ISAKMP: Error while processing SA request: Failed to initialize SA
Nov 12 16:32:22.801 EST: ISAKMP: Error while processing KMI message 0, error 2.
Nov 12 16:32:22.801 EST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
PE2#
Nov 12 16:32:52.801 EST: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.10.135.1, remote= 10.10.135.2,
    local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)



Correct Answer
Herbert Baerten Thu, 11/12/2009 - 23:40
User Badges: Cisco Employee

IPsec is not supported on the 6500 and 7600 series without an IPsec module (VPNSM or IPsec-SPA), sorry.
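
Added example, not part of the thread: a small Python triage of the debug output in the question that groups lines by SA request retry and reports whether an attempt failed before any IKE packet was exchanged, as the excerpt above shows. The `triage` function, its verdict strings and the "sending packet"/"received packet" markers are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the debug output in the question above.
SAMPLE = """\
Nov 12 16:32:22.801 EST: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.10.135.1, remote= 10.10.135.2,
Nov 12 16:32:22.801 EST: ISAKMP:(0): SA request profile is test
Nov 12 16:32:22.801 EST: ISAKMP: Created a peer struct for 10.10.135.2, peer port 500
Nov 12 16:32:22.801 EST: ISAKMP: Unable to allocate IKE SA
Nov 12 16:32:22.801 EST: ISAKMP: Error while processing SA request: Failed to initialize SA
PE2#
Nov 12 16:32:52.801 EST: IPSEC(key_engine): request timer fired: count = 2,
"""

# "<timestamp>: IPSEC(tag): msg", "<timestamp>: ISAKMP: msg" or "<timestamp>: ISAKMP:(n): msg"
LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+ \w+): (IPSEC|ISAKMP)(?::?\([^)]*\))?: ?(.*)$")

def triage(log_text):
    """Group debug lines by SA request retry and classify each attempt."""
    attempts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines and router prompts carry no event
        stamp, _subsystem, msg = m.groups()
        retry = re.match(r"request timer fired: count = (\d+)", msg)
        if retry or not attempts:
            attempts.append({"count": int(retry.group(1)) if retry else 0,
                             "start": stamp, "peer": None, "errors": [], "ike_packets": 0})
        cur = attempts[-1]
        peer = re.search(r"Created a peer struct for ([\d.]+)", msg)
        if peer:
            cur["peer"] = peer.group(1)
        if "Unable to allocate IKE SA" in msg or msg.startswith("Error while processing"):
            cur["errors"].append(msg)
        # Assumption: IKE messages on the wire show up as "sending packet"/"received packet".
        if "sending packet" in msg or "received packet" in msg:
            cur["ike_packets"] += 1
    for a in attempts:
        if a["errors"] and a["ike_packets"] == 0:
            a["verdict"] = "local: SA setup failed before any IKE packet was exchanged"
        elif a["errors"]:
            a["verdict"] = "negotiation: errors after IKE packets were exchanged"
        else:
            a["verdict"] = "incomplete: no error and no result in this excerpt"
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["count"], a["start"], a["peer"], a["verdict"])
```
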

Atif Siddiqui Fri, 11/13/2009 - 03:16

I see. What about on GSR with SIP-601: will any GigE SPA support it, or is an IPsec SPA needed as well?


Thanks,

Herbert Baerten Sun, 11/15/2009 - 02:22
User Badges: Cisco Employee

To be honest I don't know (I never work with GSR) but I found this in a security advisory:


"GSR (c12000) and CRS-1 routers running IOS-XR software support software-based IPSec for locally sourced and terminated traffic only (used mostly for routing protocols)."


src:

http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html


I suppose this answers the question...

Herbert
