02-19-2004 04:00 PM - edited 03-02-2019 01:43 PM
Hi,
I'm wondering if anyone is using IPSEC/GRE tunnels with IP CEF on the router and a HW crypto accelerator. I know that it has been an old problem and is supposed to be fixed, but every time I try an IOS version (12.2.11T - 12.2.15T) on a 2600 or 7200 it is still there: as soon as IP CEF is enabled, either the tunnel stops forwarding or the physical Intf the tunnel is going through.
Thanks
02-25-2004 12:57 PM
As a workaround you can try to run IPSEC over tunnel mode, instead of over transport mode. If it doesn't work after you change to tunnel mode, then the workaround is to disable CEF. Try removing ip inspect from the interface you are using for IPSEC.
02-25-2004 01:15 PM
I have IPSEC working in a 7100 with a HW accelerator and CEF enabled on IOS 12.3(1)a.
02-25-2004 09:31 PM
Thanks for the replies.
The IPSEC is in tunnel mode to have this fragmentation before encryption working. Everything would have been OK if it were not for the DF bit set in the packets. Apparently in the IOS versions I've tried the crypto ipsec df-bit clear is not working, so I put a policy-map on the inbound intf. to clear the DF bit. This intf went into process switching mode despite the ip route-cache policy on it, so the last option would be to get CEF working.
I'm using the GRE with protection profiles (no crypto maps) but did not see any Cisco notes about this and the crypto ipsec df-bit clear being incompatible.
Thanks