11-12-2009 01:46 PM - edited 02-21-2020 04:23 PM
I am trying to create an IPSec tunnel between two 7606 PE routers. I am getting this error when I ping across, and also, if I start using the path, LDP drops down.
Nov 12 16:32:22.801 EST: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.135.1, remote= 10.10.135.2,
local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)
Nov 12 16:32:22.801 EST: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.10.135.1, remote= 10.10.135.2,
local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 190s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Nov 12 16:32:22.801 EST: ISAKMP:(0): SA request profile is test
Nov 12 16:32:22.801 EST: ISAKMP: Created a peer struct for 10.10.135.2, peer port 500
Nov 12 16:32:22.801 EST: ISAKMP: New peer created peer = 0x5326A08C peer_handle = 0x8000001A
Nov 12 16:32:22.801 EST: ISAKMP: Locking peer struct 0x5326A08C, refcount 1 for isakmp_initiator
Nov 12 16:32:22.801 EST: ISAKMP: local port 500, remote port 500
Nov 12 16:32:22.801 EST: ISAKMP: Unable to allocate IKE SA
Nov 12 16:32:22.801 EST: ISAKMP: Unlocking peer struct 0x5326A08C for isadb_unlock_peer_delete_sa(), count 0
Nov 12 16:32:22.801 EST: ISAKMP: Deleting peer node by peer_reap for 10.10.135.2: 5326A08C
Nov 12 16:32:22.801 EST: ISAKMP:(0):purging SA., sa=0, delme=532E8364
PE2#
Nov 12 16:32:22.801 EST: ISAKMP: Error while processing SA request: Failed to initialize SA
Nov 12 16:32:22.801 EST: ISAKMP: Error while processing KMI message 0, error 2.
Nov 12 16:32:22.801 EST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
PE2#
Nov 12 16:32:52.801 EST: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.10.135.1, remote= 10.10.135.2,
local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)
11-12-2009 11:40 PM
IPsec is not supported on the 6500 and 7600 series without an IPsec module (VPNSM or IPsec-SPA), sorry.
11-13-2009 03:16 AM
I see. What about on GSR with SIP-601: will any GigE SPA support it, or does it need an IPsec SPA as well?
Thanks,
11-15-2009 02:22 AM
To be honest, I don't know (I have never worked with GSR), but I found this in a security advisory:
"GSR (c12000) and CRS-1 routers running IOS-XR software support software-based IPSec for locally sourced and terminated traffic only (used mostly for routing protocols)."
src:
http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html
I suppose this answers the question...
Herbert