IPSEC tunnel between 2 7606 PE

Atif Siddiqui
Level 1

I am trying to create an IPSec tunnel between two 7606 PE routers. I am getting this error when I ping across, and also, if I start using the path, LDP drops down.

Nov 12 16:32:22.801 EST: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 10.10.135.1, remote= 10.10.135.2,

local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)

Nov 12 16:32:22.801 EST: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 10.10.135.1, remote= 10.10.135.2,

local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= NONE (Tunnel),

lifedur= 190s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

Nov 12 16:32:22.801 EST: ISAKMP:(0): SA request profile is test

Nov 12 16:32:22.801 EST: ISAKMP: Created a peer struct for 10.10.135.2, peer port 500

Nov 12 16:32:22.801 EST: ISAKMP: New peer created peer = 0x5326A08C peer_handle = 0x8000001A

Nov 12 16:32:22.801 EST: ISAKMP: Locking peer struct 0x5326A08C, refcount 1 for isakmp_initiator

Nov 12 16:32:22.801 EST: ISAKMP: local port 500, remote port 500

Nov 12 16:32:22.801 EST: ISAKMP: Unable to allocate IKE SA

Nov 12 16:32:22.801 EST: ISAKMP: Unlocking peer struct 0x5326A08C for isadb_unlock_peer_delete_sa(), count 0

Nov 12 16:32:22.801 EST: ISAKMP: Deleting peer node by peer_reap for 10.10.135.2: 5326A08C

Nov 12 16:32:22.801 EST: ISAKMP:(0):purging SA., sa=0, delme=532E8364

PE2#

Nov 12 16:32:22.801 EST: ISAKMP: Error while processing SA request: Failed to initialize SA

Nov 12 16:32:22.801 EST: ISAKMP: Error while processing KMI message 0, error 2.

Nov 12 16:32:22.801 EST: IPSEC(key_engine): got a queue event with 1 KMI message(s)

PE2#

Nov 12 16:32:52.801 EST: IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 10.10.135.1, remote= 10.10.135.2,

local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)

Accepted Solutions

Herbert Baerten
Cisco Employee

IPsec is not supported on the 6500 and 7600 series without an IPsec module (VPNSM or IPsec-SPA), sorry.

3 Replies

I see. What about on GSR with SIP-601: will any GigE SPA support it, or do I need an IPSEC SPA as well?

Thanks,

To be honest, I don't know (I never work with GSR), but I found this in a security advisory:

"GSR (c12000) and CRS-1 routers running IOS-XR software support software-based IPSec for locally sourced and terminated traffic only (used mostly for routing protocols)."

src:

http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html

I suppose this answers the question...

Herbert