IPSec, difference between IOS 12.4 and IOS 15.0 (IPSec applied to IP port)
I am experiencing a difference in IPSec between IOS 12.4 and IOS 15.0 on an 891 router... If this is a bug, is it a 12.4 bug or a 15.0 bug?
I have a tried & true startup-config that I have used on an 1811 router with a use-case for a narrow application of IPSec... that is, using a pre-shared key, encrypt traffic between the router and one port on one host, namely 172.23.21.243 port 6910.
That is, I'm doing network/host IPSec, not network/network or host/host. I gather network/network is a more common discussion topic in this forum, but I hope someone will be able to comment anyway.
This startup-config works fine on an 891 with IOS 12.4, but the IPSec doesn't work for me on the 891 with IOS 15.0. That is, I don't notice any errors or informative debug complaints, but I cannot handshake with the service being served at 172.23.21.243 port 6910.
To me, this suggests a defect in 15.0, OR maybe my use case depends on some licensing/right-to-use that I have not properly claimed/declared in the startup-config.
But my technical-service rep believes that Cisco does not support per-port IPSec, and so he says it's a defect in 12.4 that I've been utilizing so far with IOS 12.4. He says,
"I checked the configuration thoroughly and I assure you there was nothing wrong with the config, though from Cisco's standpoint we do not support port (tcp/udp) access-list in crypto acl. As you mentioned it was working in the older IOS, this must be an old defect that might have transitioned to something new in the 15.0, so I suggest you downgrade the routers to the 12.4 version."