IOS12.2(33)SXI12 on Cat6500/Sup720/MSFC3 falsely claims HW does not support AH+ESP
Having a Cat6500-E with SUP720/MSFC3 and a 7600-SSC-400 with two SPA-IPSEC-2G crypto cards.

The old IOS (12.2(18)SXF8, old but stable) was working for years with crypto transform set of AH and ESP

     crypto ipsec transform-set myts ah-sha-hmac esp-aes 256

perfectly well with HW acceleration (tested thoroughly, over several years).

(Note that 15.2 does not support the SSC and SPA at all.)

The Safe Harbor IOS12.2(33)SXI12 claims (and refuses to accept) the combination of AH with ESP is not supported by the Hardware:

     router(config)#crypto ipsec transform-set myts ah-sha-hmac esp-aes 256
     Any combination of ESP and AH transform-set is not
     supported by current hardware crypto engine.
     The transform-set configuration will not be saved.
     Please configure a valid transform-set.

which is false since the same hardware was doing just that for years.

This is a bit of a problem since AH with HMAC is the only way to detect tampering of the IPSEC packets' transport headers!

Using ESP with HMAC (transform set ... esp-aes 256 esp-sha-hmac) is not a sufficient alternative because the HMAC only protects the payload (content of the ESP packet) - not the transport packet.

The crypto engine hardware does support AH+ESP, as proven with the old IOS and >1 GBps IPSEC throughput for real-life traffic.
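To make the AH-versus-ESP integrity point above concrete, here is an added worked example (constructed for this thread, not code from the original post or from Cisco). It builds a minimal IPv4 header, computes an HMAC-SHA1-96 ICV the way AH does (over the outer IP header with its mutable fields zeroed, per RFC 4302) and the way ESP does (over SPI, sequence number and the ESP body only), then rewrites the outer destination address and checks which ICV still verifies. The key, addresses and payload bytes are all constructed demo values.

```python
"""Constructed demo: AH ICV vs ESP ICV coverage of the outer IPv4 header.

Not taken from the original post; all keys, addresses and payloads are
made-up demo values. HMAC-SHA1-96 is used for both, as in ah-sha-hmac /
esp-sha-hmac (RFC 2404: ICV = leading 96 bits of the HMAC-SHA1 output).
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key-not-a-real-sa-key"  # constructed demo key
ICV_LEN = 12          # 96-bit truncated ICV
PROTO_ESP, PROTO_AH = 50, 51


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, 20, 2))
    csum = (csum & 0xFFFF) + (csum >> 16)
    csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]


def _ah_immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the IPv4 fields AH treats as mutable (RFC 4302 3.3.3.1.1.1):
    DSCP/ECN, flags + fragment offset, TTL and header checksum. Everything
    else, including source and destination addresses, stays covered."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # DSCP/ECN
    b[6] = b[7] = 0          # flags + fragment offset
    b[8] = 0                 # TTL
    b[10] = b[11] = 0        # header checksum
    return bytes(b)


def ah_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, next_hdr: int, payload: bytes) -> bytes:
    """AH ICV: HMAC over immutable outer IP header + AH header (ICV zeroed) + payload.
    AH payload-length field is (AH length in 32-bit words) - 2 = 4 for a 24-byte AH."""
    ah_with_zero_icv = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + b"\x00" * ICV_LEN
    data = _ah_immutable_view(ip_hdr) + ah_with_zero_icv + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv(key: bytes, spi: int, seq: int, esp_body: bytes) -> bytes:
    """ESP ICV: HMAC over SPI + sequence number + ESP body. The outer IP header
    is never an input, so it is not integrity-protected by ESP."""
    data = struct.pack("!II", spi, seq) + esp_body
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def demo() -> dict:
    """Compute ICVs for a packet, then check them against an outer header whose
    destination address was rewritten and one whose TTL was merely decremented."""
    payload = b"constructed inner packet bytes (would be encrypted under ESP)"
    spi, seq = 0x100, 1
    total_len = 20 + 24 + len(payload)

    original = ipv4_header("192.0.2.1", "198.51.100.1", PROTO_AH, total_len)
    dst_rewritten = ipv4_header("192.0.2.1", "203.0.113.9", PROTO_AH, total_len)
    ttl_decremented = ipv4_header("192.0.2.1", "198.51.100.1", PROTO_AH, total_len, ttl=63)

    icv_ah = ah_icv(KEY, original, spi, seq, PROTO_ESP, payload)
    icv_esp = esp_icv(KEY, spi, seq, payload)

    return {
        # AH verifies on the untouched header and tolerates the hop-by-hop TTL change
        "ah_ok_untampered": hmac.compare_digest(icv_ah, ah_icv(KEY, original, spi, seq, PROTO_ESP, payload)),
        "ah_ok_ttl_decremented": hmac.compare_digest(icv_ah, ah_icv(KEY, ttl_decremented, spi, seq, PROTO_ESP, payload)),
        # AH rejects a rewritten destination address
        "ah_ok_dst_rewritten": hmac.compare_digest(icv_ah, ah_icv(KEY, dst_rewritten, spi, seq, PROTO_ESP, payload)),
        # ESP's ICV has no outer-header input, so it cannot notice the rewrite
        "esp_ok_dst_rewritten": hmac.compare_digest(icv_esp, esp_icv(KEY, spi, seq, payload)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

Running the script shows `ah_ok_dst_rewritten` failing while `esp_ok_dst_rewritten` still verifies, which is the difference the post is relying on; it also shows why AH deliberately skips TTL and the checksum, since routers legitimately change those in transit.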


If it did work on one version of software and does not work on this version of software then it is pretty clear proof that it is not really a limitation of the hardware. It sounds like, in the development process for this software, someone made a decision that they would not support the combination of ESP and AH. The best way to resolve this would be through a case with Cisco TAC. Failing that, is there another version of software you could run that does support the combination?
