IPSEC/GRE and CEF

dmitry
Level 1

Hi,

I'm wondering if anyone is using IPSEC/GRE tunnels with IP CEF on the router and a HW crypto accelerator. I know that it has been an old problem and is supposed to be fixed, but every time I try an IOS version (12.2.11T - 12.2.15T) on a 2600 or 7200 it is still there: as soon as IP CEF is enabled, either the tunnel stops forwarding or the physical interface the tunnel is going through does.

Thanks

3 Replies

ebreniz
Level 6

As a workaround you can try to run IPSEC in tunnel mode instead of transport mode. If it doesn't work after you change to tunnel mode, then the workaround is to disable CEF. Try removing ip inspect from the interface you are using for IPSEC.

I have IPSEC working on a 7100 with a HW accelerator and CEF enabled on IOS 12.3(1)a.

Thanks for the replies.

The IPSEC is in tunnel mode to have this fragmentation before encryption working. Everything would have been OK if it were not for the DF bit set in the packets. Apparently, in the IOS versions I've tried, the crypto ipsec df-bit clear is not working, so I put a policy-map on the inbound interface to clear the DF bit. This interface went into process switching mode despite the ip route-cache policy on it, so the last option would be to get CEF working.

I'm using GRE with protection profiles (no crypto maps) but did not see any Cisco notes about this and the crypto ipsec df-bit clear being incompatible.

Thanks
