Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cat 6500 IPsec support in software

My question is: Are there limitations/nuances for configuring IPSec tunnels on Catalyst 6500s in software (without the VPN module).

I recently took over a management of a Catalyst 6500 and have run into a roadblock while trying to configure an IPSec tunnel. The tunnel comes up fine, I don't see any errors on either end, the SAs/IPs match, and the "interesting traffic ACLs" are incrementing as expected on both ends.

The problem is I can't ping across the tunnel. I thought this was a routing problem but the static route from the 6500 to the remote private server is in the routing table correctly.

All the configurations I've seen online are using the 6500 VPN Module. I can't believe that we would have to pay for a whole new card to set up 1 IPSec Tunnel. I think there has to be some nuance with the 6500 that I'm not aware of.

Thanks ahead of time.


Re: Cat 6500 IPsec support in software

When you configure the IPSec VPN SPA on the Catalyst 6500 series switch, you ensure that all packets coming from or going to the Internet pass through the IPSec VPN SPA.Refer URL

Hall of Fame Super Blue

Re: Cat 6500 IPsec support in software


Please don't shoot the messenger :-) but i believe that you can only use a VPN tunnel in software to manage the switch.

If you want to create VPN tunnels for any other purpose you need an IPSEC VPN Module or an IPSEC VPN SPA.

I know, it's a pain. The FWSM has the same limititation. A standalon pix supports multiple VPN tunnels but the FWSM only supports VPN tunnels for management.


New Member

Re: Cat 6500 IPsec support in software


Thanks for the reply, that's what I figured. But just to clarify, you are saying that you can use a VPN tunnel to manage the switch...which is all we want to do anyway.

But what exactly does that mean? I figured it would support ICMP and SNMP across the tunnel which is all we want...but ICMP doesn't seem to be working.

Thanks ahead of time

CreatePlease login to create content