04-13-2007 01:43 PM - edited 02-21-2020 02:58 PM
My question is: Are there limitations/nuances for configuring IPSec tunnels on Catalyst 6500s in software (without the VPN module).
I recently took over a management of a Catalyst 6500 and have run into a roadblock while trying to configure an IPSec tunnel. The tunnel comes up fine, I don't see any errors on either end, the SAs/IPs match, and the "interesting traffic ACLs" are incrementing as expected on both ends.
The problem is I can't ping across the tunnel. I thought this was a routing problem but the static route from the 6500 to the remote private server is in the routing table correctly.
All the configurations I've seen online are using the 6500 VPN Module. I can't believe that we would have to pay for a whole new card to set up 1 IPSec Tunnel. I think there has to be some nuance with the 6500 that I'm not aware of.
Thanks ahead of time.
04-19-2007 11:15 AM
When you configure the IPSec VPN SPA on the Catalyst 6500 series switch, you ensure that all packets coming from or going to the Internet pass through the IPSec VPN SPA. Refer URL
04-20-2007 12:35 AM
Hi
Please don't shoot the messenger :-) but I believe that you can only use a VPN tunnel in software to manage the switch.
If you want to create VPN tunnels for any other purpose you need an IPSEC VPN Module or an IPSEC VPN SPA.
I know, it's a pain. The FWSM has the same limitation. A standalone PIX supports multiple VPN tunnels but the FWSM only supports VPN tunnels for management.
Jon
04-23-2007 12:12 PM
Jon,
Thanks for the reply, that's what I figured. But just to clarify, you are saying that you can use a VPN tunnel to manage the switch...which is all we want to do anyway.
But what exactly does that mean? I figured it would support ICMP and SNMP across the tunnel which is all we want...but ICMP doesn't seem to be working.
Thanks ahead of time