Cisco Support Community

New Member

When will there be a stable IPSec stack in Cisco IOS?

I'm very sorry to say that I have had a very bad experience with Cisco IOS support of IPSec. I have a customer running more than 250 Cisco routers with IPSec tunnels, in some cases connected to each other. For more than 1 year I have had something like a CAP case, and in that time we have solved more than 6 very bad issues with Cisco IPSec, and we understand that there are no "situations that do not work" but one "situation that works"; everything else is full of bugs.

At my customer we still have only 6 IPSec tunnels running (the design was for more than 300 tunnels). I do not see any progress in IOS IPSec stability. I see that new IOS releases have new IPSec features, but anyway, I cannot get to them, because IKE negotiation is broken :)

The same applies to Easy VPN support in IOS. There are also stability problems in simple IPSec peer-to-peer tunnels (without using GRE): if you have more than 6 tunnels, it will be very funny for you to see what happens with IKE keepalives for the latest tunnels (IPSec tunnels are established, but IKE sessions are dropped). This is a very bad security issue, no matter that the IPSec tunnels work. If anybody doesn't think so, I can explain in detail what happens.

There are also IKE DoS problems in EVERY Cisco router running IPSec. We have a case to prove it.

I also have notes about the IPSec authentication implementation with certificates. It is very easy for anybody with physical access to the device to make a copy of the certificate and to authenticate with it from a different box. There are a few other security implementation issues, but I will not comment on them. I simply ask: when will a stable IPSec implementation be available?

New Member

Re: When will there be a stable IPSec stack in Cisco IOS?

I am not sure what version of IOS you are running, but new versions of IOS are released on Cisco's website whenever there are new features or problems that have been fixed. It would be best that you either get with TAC to see if there is a known issue, or get with your local sales representative to see if he has the answer you seek.

New Member

Re: When will there be a stable IPSec stack in Cisco IOS?

If someone can get physical access to your router, I think you have more to worry about than them copying the certificate :)