Cisco Support Community

New Member

IPSEC/GRE and CEF

Hi,

I'm wondering if anyone is using IPSEC/GRE tunnels with IP CEF on the router and a HW crypto accelerator. I know that it has been an old problem and is supposed to be fixed, but every time I try an IOS version (12.2.11T - 12.2.15T) on a 2600 or 7200 it is still there: as soon as IP CEF is enabled, either the tunnel stops forwarding or the physical intf the tunnel is going through does.

Thanks

3 REPLIES
Silver

Re: IPSEC/GRE and CEF

As a workaround you can try to run IPSEC over tunnel mode instead of over transport mode. If it doesn't work after you change to tunnel mode, then the workaround is to disable CEF. Try removing ip inspect from the interface you are using for IPSEC.

New Member

Re: IPSEC/GRE and CEF

I have IPSEC working on a 7100 with a HW accelerator and CEF enabled on IOS 12.3(1)a.

New Member

Re: IPSEC/GRE and CEF

Thanks for the replies.

The IPSEC is in tunnel mode to have this fragmentation before encryption working. Everything would have been OK if it were not for the DF bit set in the packets. Apparently, in the IOS versions I've tried, crypto ipsec df-bit clear is not working, so I put a policy-map on the inbound intf. to clear the DF bit. This intf went into process switching mode despite the ip route-cache policy on it, so the last option would be to get CEF working.

I'm using GRE with protection profiles (no crypto maps) but did not see any Cisco notes about this and crypto ipsec df-bit clear being incompatible.

Thanks
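
An added configuration sketch of the setup the last reply describes, not taken from any poster's router: GRE with an IPsec protection profile (no crypto map), a tunnel-mode transform set, and the DF bit cleared on the inbound interface by policy routing. Interface names, addresses (documentation ranges), the key placeholder, the MTU/MSS values and every profile and route-map name are assumptions; the reply says "policy-map", and this sketch assumes a route-map with set ip df 0.

```cisco
! Constructed example. All names, addresses and sizes are placeholders.
ip cef
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.2
!
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode tunnel
!
! Global DF handling for IPsec; the reply reports this had no effect
! on the releases tried, hence the route-map further down.
crypto ipsec df-bit clear
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ! Leave room for GRE + IPsec tunnel-mode overhead so packets are
 ! fragmented before encryption rather than after.
 ip mtu 1400
 ! Clearing DF disables path MTU discovery for transit traffic;
 ! clamping TCP MSS keeps most TCP flows from needing fragmentation.
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT
!
! Clear DF on traffic arriving from the LAN before it reaches the tunnel.
route-map CLEAR-DF permit 10
 set ip df 0
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map CLEAR-DF
 ip route-cache policy
!
! Checks after enabling CEF:
!   show ip interface FastEthernet0/0      (switching path in use)
!   show cef interface Tunnel0             (CEF state on the tunnel)
!   show crypto engine connections active  (packets reaching the HW engine)
```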
