Got a problem with a site-to-site IPSEC VPN implementation where one end is using an SVI (e.g. interface vlan 10).
Does anybody know if a crypto map can be applied to an SVI to bring up the IPSEC tunnel? It accepts the command but I can't pass any traffic to/from it.
interface vlan 10
 crypto map MY-MAP
Or do you need to apply the crypto map to a physical interface?
I've gotten it working on a sub-interface (e.g. interface GigabitEthernet0/0.11) but can't find any documentation that talks about applying it to an SVI and whether this will work. Anybody tried it using SVIs before?
This is to be done on a Cisco 7606 (sup720).
Crypto connect will work on an SVI; I've done it before with SCC-400 and VPN-SM. Is that what you are using?
I'm not that cluey with all the hardware on the box itself, but here's what we have on the box.
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)
cisco CISCO7606 (R7000) processor (revision 1.0) with 983008K/65536K bytes of memory.
Processor board ID FOX092502NB
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
TN3270 Emulation software.
228 Virtual Ethernet/IEEE 802.3 interfaces
124 Gigabit Ethernet/IEEE 802.3 interfaces
4 Ten Gigabit Ethernet/IEEE 802.3 interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
Mod Ports Card Type                              Model
--- ----- -------------------------------------- ------------------
  1    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  2    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  3    24 CEF720 24 port 1000mb SFP              WS-X6724-SFP
  4     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B
  6     2 Supervisor Engine 720 (Hot)            WS-SUP720-3B

Mod  Sub-Module                  Model              Hw      Status
---- --------------------------- ------------------ ------- -------
  1  Centralized Forwarding Card WS-F6700-CFC       4.0     Ok
  2  Centralized Forwarding Card WS-F6700-CFC       2.1     Ok
  3  Centralized Forwarding Card WS-F6700-CFC       4.0     Ok
  4  Centralized Forwarding Card WS-F6700-CFC       4.1     Ok
  5  Policy Feature Card 3       WS-F6K-PFC3B       2.1     Ok
  5  MSFC3 Daughterboard         WS-SUP720          2.3     Ok
  6  Policy Feature Card 3       WS-F6K-PFC3B       2.3     Ok
  6  MSFC3 Daughterboard         WS-SUP720          3.0     Ok
Based on the specs above, is this box capable of establishing an IPSEC tunnel by applying the crypto map to the SVI?
OK, a bit of digging around, and the answer is "no": we're not using the SCC-400 (Cisco Services SPA Carrier-400) on this box.
Does this mean that you cannot establish an IPSEC tunnel by applying the crypto map to the SVI? I can apply the command but I'm not sure if this is all that needs to be done to get it working or if we need the SCC-400.
It is not supported to use IPSec without any hardware encryption module in the 6500. The reason is that it requires a lot of CPU cycles for encryption and will degrade the switch's performance without the service module (HW encryption).
I am quoting this from the release note:
Without a SPA-IPSEC-2G or IPsec VPN Acceleration Services Module, the IPsec Network Security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches and Cisco 7600 series routers.
Also noticed that you are using IP Services, but crypto ipsec is only available in the Advanced IP Services feature set.
I've been able to get it working on an SVI without the SCC-400 module and understand that this will all take place in software. We'll be sure to keep an eye on the CPU to see how it handles this.
We are only creating a single ipsec vpn tunnel for some secure transactions and will be pulling data about once a month from it.
Not too sure what you meant by the use of "crypto ipsec" only being available with the Adv IP Services feature set. I've been able to get some form of IPsec working on the IP Services feature set and can see packets being encapsulated and decapsulated when I do a "show crypto ipsec sa". Am I missing something here?
My config is pretty simple.
crypto isakmp policy 1
crypto isakmp key XXXXX address 202.134.236.x
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
crypto map E-BILLING 1 ipsec-isakmp
 set peer 202.134.236.x
 set transform-set STRONG
 match address 102
description Test loopback for IPSec VPN
ip address 192.168.198.1 255.255.255.0
description E-BILLING GATEWAY
ip address 202.45.118.x 255.255.255.252
ip flow ingress
crypto map E-BILLING
ip route 192.168.199.0 255.255.255.0 Vlan904
access-list 102 permit ip 192.168.198.0 0.0.0.255 192.168.199.0 0.0.0.255
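A crypto map that is accepted by the CLI but never carries traffic is usually a cross-reference problem rather than a platform one: the peer has no ISAKMP key, the transform-set or crypto ACL is not defined, the map is not applied to any interface, or the interesting-traffic ACL names networks the box neither owns nor routes. The following is an added example, not code from this thread or from Cisco, that lints an IOS configuration for exactly those references. The sample config is constructed and modelled on the one posted above; RFC 5737 documentation addresses stand in for the masked octets, and the interface names (Loopback198, Vlan904) are assumptions, as is the placeholder pre-shared key.

```python
"""Lint an IOS crypto-map configuration for the cross-references that must
line up before a site-to-site IPsec tunnel can carry traffic (added example)."""
import ipaddress

# Constructed sample modelled on the thread's config; addresses are RFC 5737
# documentation ranges, interface names and the PSK are assumptions.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.10
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
crypto map E-BILLING 1 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set STRONG
 match address 102
interface Loopback198
 ip address 192.168.198.1 255.255.255.0
interface Vlan904
 ip address 203.0.113.2 255.255.255.252
 crypto map E-BILLING
ip route 192.168.199.0 255.255.255.0 Vlan904
access-list 102 permit ip 192.168.198.0 0.0.0.255 192.168.199.0 0.0.0.255
"""

def parse_sections(text):
    """Split IOS config into (top-level line, [indented sub-lines]) pairs."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def acl_endpoint(tokens, i):
    """Read one ACL address spec at tokens[i]; return (network, next index).
    network is None when the wildcard is not a contiguous low-order mask."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wc != (1 << wc.bit_length()) - 1:        # e.g. 0.255.0.255
        return None, i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{32 - wc.bit_length()}", strict=False), i + 2

def lint_crypto_config(text):
    """Return findings; entries starting 'note:' are informational only."""
    findings, transform_sets, psk_peers = [], set(), set()
    crypto_maps, applied, acls, reachable = {}, {}, {}, []
    for header, body in parse_sections(text):
        w = header.split()
        if header.startswith("crypto ipsec transform-set "):
            transform_sets.add(w[3])
        elif header.startswith("crypto isakmp key "):
            psk_peers.add(w[w.index("address") + 1])
        elif header.startswith("crypto map ") and "ipsec-isakmp" in w:
            crypto_maps.setdefault(w[2], []).append((int(w[3]), body))
        elif header.startswith("interface "):
            for line in body:
                lw = line.split()
                if line.startswith("crypto map "):
                    applied.setdefault(lw[2], []).append(w[1])
                elif line.startswith("ip address ") and len(lw) >= 4:
                    reachable.append(ipaddress.ip_network(f"{lw[2]}/{lw[3]}", strict=False))
        elif header.startswith("ip route "):
            reachable.append(ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False))
        elif header.startswith("access-list ") and w[2:4] == ["permit", "ip"]:
            src, i = acl_endpoint(w, 4)
            dst, _ = acl_endpoint(w, i)
            acls.setdefault(w[1], []).append((src, dst))
    for name, entries in crypto_maps.items():
        for seq, body in entries:
            where = f"crypto map {name} {seq}"
            # "set peer X" -> {"set peer": "X"}, "match address 102" -> {"match address": "102"}
            s = {" ".join(l.split()[:2]): l.split()[2] for l in body if len(l.split()) > 2}
            peer, ts, acl = s.get("set peer"), s.get("set transform-set"), s.get("match address")
            if peer is None:
                findings.append(f"{where}: no 'set peer'")
            elif peer not in psk_peers:
                findings.append(f"{where}: no ISAKMP pre-shared key for peer {peer}")
            if ts is None:
                findings.append(f"{where}: no 'set transform-set'")
            elif ts not in transform_sets:
                findings.append(f"{where}: transform-set {ts} is not defined")
            if acl is None:
                findings.append(f"{where}: no 'match address'")
            elif acl not in acls:
                findings.append(f"{where}: access-list {acl} has no 'permit ip' entry")
            else:
                for src, dst in acls[acl]:
                    if src is None or dst is None:
                        findings.append(f"{where}: access-list {acl} uses a non-contiguous wildcard")
                    elif not any(n.overlaps(src) for n in reachable):
                        findings.append(f"{where}: nothing local owns or routes crypto ACL source {src}")
                    elif not any(n.overlaps(dst) for n in reachable):
                        findings.append(f"{where}: no route covers crypto ACL destination {dst}")
        if name not in applied:
            findings.append(f"crypto map {name}: not applied to any interface")
        for intf in applied.get(name, []):
            if intf.lower().startswith("vlan"):   # SVI: software IPsec per the quoted release note
                findings.append(f"note: crypto map {name} is applied to SVI {intf}")
    return findings

if __name__ == "__main__":
    for finding in lint_crypto_config(SAMPLE_CONFIG) or ["clean"]:
        print(finding)
```

On the sample above the only output is the informational note that E-BILLING sits on an SVI; delete the transform-set or the static route and the corresponding finding appears. The source check uses `overlaps` rather than exact containment so that a crypto ACL covering several connected subnets is not flagged, and non-contiguous wildcards are reported rather than silently mis-parsed.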
I am quoting the feature set information from the release note. I believe that applies to both SCC-400 and VPN-SM.
Just checked your configuration and I don't see any issue. But like I said in the previous post, applying crypto without a HW encryption module is not supported on the 6500, which really means if you call Cisco TAC for any issue, they will ask you to take that off before any further troubleshooting.