
New Member

IPSEC w/ 2 FCIP tunnels using a single gigE port

A gig1/1 interface on a 9216i is servicing 2 FCIP tunnels (port 3225 & 3737) from 2 other 9216i switches. The FCIP ISL connecting to port 3225 has IPSEC configured and is working (trunking). The FCIP ISL connecting to port 3737 was trunking prior to configuring IPSEC for it, but now, with IPSEC configured, it is broken. Looking through the IPSEC troubleshooting section, I'm not seeing any conflicting IPSEC/IKE parameters.

Is it possible to have IPSEC services working for 2 FCIP ISLs connecting to a single gig port? If so, I'm at a loss on how to properly configure it.

Thanks, Craig

5 REPLIES
Cisco Employee

Re: IPSEC w/ 2 FCIP tunnels using a single gigE port

Since you can only have one crypto map domain per physical interface, you will need to have the access-list entries for both remote FCIP endpoints in the ACL. With that one IPSEC crypto map, all FCIP tunnels terminating on that interface will be IPSEC enabled. And so, in your case, all 3 switches need to be IPSEC enabled with the same keys and correct ACLs.

New Member

Re: IPSEC w/ 2 FCIP tunnels using a single gigE port

Understood, and that is the case: there is only one crypto map assigned, with the appropriate ACL, but still the connection using port 3737 will not establish. Here is the cmap definition.

Crypto Map "cmap30" 10 ipsec
  Peer = 211.175.105.69
  IP ACL = acl30
    permit ip 87.61.121.2 255.255.255.255 211.175.105.69 255.255.255.255
    permit ip 87.16.121.2 255.255.255.255 211.175.105.85 255.255.255.255
  Transform-sets: tfs30,
  Security Association Lifetime: 450 gigabytes*/3600 seconds*
  (* global configuration value)
  PFS (Y/N): Y
  PFS Group: group5
Crypto Map "cmap30" 20 ipsec
  Peer = 211.175.105.85
  IP ACL = acl30
    permit ip 87.61.121.2 255.255.255.255 211.175.105.69 255.255.255.255
    permit ip 87.16.121.2 255.255.255.255 211.175.105.85 255.255.255.255
  Transform-sets: tfs30,
  Security Association Lifetime: 450 gigabytes*/3600 seconds*
  (* global configuration value)
  PFS (Y/N): Y
  PFS Group: group5
Interface using crypto map set cmap30:
  GigabitEthernet1/1
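A small consistency checker for a crypto map listing like the one above, added here as an example and not part of the thread or any Cisco tool. It parses the text form of "show crypto map" and applies the two checks implied by the earlier reply: every crypto map entry's peer must be selected by a permit line in its ACL, and, since one physical interface carries one crypto map set and one local address, every permit line in that ACL should use the same source address. The sample input is the listing from the post, re-indented; the second Peer line is taken as 211.175.105.85 (the post shows it with a missing dot). Function and class names are this example's own. Run against the posted ACL, the checker flags that the two permit lines use different sources (87.61.121.2 and 87.16.121.2); whether that is a typo in the post or in the switch is not something the thread establishes, but it is the first thing to verify against the gig1/1 IP address.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the listing from the thread, re-indented as the switch
# prints it.  The second Peer is assumed to be 211.175.105.85.
SHOW_CRYPTO_MAP = """\
Crypto Map "cmap30" 10 ipsec
  Peer = 211.175.105.69
  IP ACL = acl30
    permit ip 87.61.121.2 255.255.255.255 211.175.105.69 255.255.255.255
    permit ip 87.16.121.2 255.255.255.255 211.175.105.85 255.255.255.255
  Transform-sets: tfs30,
  PFS (Y/N): Y
  PFS Group: group5
Crypto Map "cmap30" 20 ipsec
  Peer = 211.175.105.85
  IP ACL = acl30
    permit ip 87.61.121.2 255.255.255.255 211.175.105.69 255.255.255.255
    permit ip 87.16.121.2 255.255.255.255 211.175.105.85 255.255.255.255
  Transform-sets: tfs30,
  PFS (Y/N): Y
  PFS Group: group5
Interface using crypto map set cmap30:
  GigabitEthernet1/1
"""


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peer: str = ""
    acl: str = ""
    permits: list = field(default_factory=list)   # (src, dst) pairs; masks are ignored
    transform_sets: list = field(default_factory=list)
    pfs_group: str = ""


ENTRY_RE = re.compile(r'^Crypto Map "(\S+)" (\d+) ipsec')
PEER_RE = re.compile(r'^\s*Peer = (\S+)')
ACL_RE = re.compile(r'^\s*IP ACL = (\S+)')
PERMIT_RE = re.compile(r'^\s*permit ip (\S+) (\S+) (\S+) (\S+)')
TFS_RE = re.compile(r'^\s*Transform-sets: (.*)')
PFS_RE = re.compile(r'^\s*PFS Group: (\S+)')


def valid_ipv4(addr):
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def parse_crypto_map(text):
    """Return one CryptoMapEntry per 'Crypto Map "<name>" <seq> ipsec' block."""
    entries, cur = [], None
    for line in text.splitlines():
        if (m := ENTRY_RE.match(line)):
            cur = CryptoMapEntry(name=m.group(1), seq=int(m.group(2)))
            entries.append(cur)
        elif cur is None:
            continue                      # text before the first entry
        elif (m := PEER_RE.match(line)):
            cur.peer = m.group(1)
        elif (m := ACL_RE.match(line)):
            cur.acl = m.group(1)
        elif (m := PERMIT_RE.match(line)):
            cur.permits.append((m.group(1), m.group(3)))
        elif (m := TFS_RE.match(line)):
            cur.transform_sets = [t.strip() for t in m.group(1).split(",") if t.strip()]
        elif (m := PFS_RE.match(line)):
            cur.pfs_group = m.group(1)
    return entries


def check_crypto_map(entries):
    """Return human-readable findings; an empty list means the set is consistent."""
    findings = []
    for e in entries:
        if not valid_ipv4(e.peer):
            findings.append(f"{e.name} seq {e.seq}: peer '{e.peer}' is not a valid IPv4 address")
            continue
        if e.peer not in {dst for _, dst in e.permits}:
            findings.append(f"{e.name} seq {e.seq}: no permit line in {e.acl} selects traffic to peer {e.peer}")
    # One interface, one crypto map set, one local address: all sources should agree.
    sources = {src for e in entries for src, _ in e.permits}
    if len(sources) > 1:
        findings.append("ACL permit lines use more than one source address: " + ", ".join(sorted(sources)))
    # Every protected destination needs an entry whose peer is that host,
    # otherwise IKE has no peer to negotiate an SA with for that traffic.
    peers = {e.peer for e in entries}
    for dst in sorted({dst for e in entries for _, dst in e.permits}):
        if dst not in peers:
            findings.append(f"destination {dst} has no crypto map entry with that peer")
    return findings


if __name__ == "__main__":
    for finding in check_crypto_map(parse_crypto_map(SHOW_CRYPTO_MAP)) or ["no findings"]:
        print(finding)
```

The checker works on the text of the listing only; it does not see the interface's configured IP address, so a "more than one source address" finding means "compare these against the gig1/1 address", not "this line is wrong".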

Cisco Employee

Re: IPSEC w/ 2 FCIP tunnels using a single gigE port

Yes, I was able to get this up. So, from here, it might be best to create a TAC case or work with OSM support and upload all 3 show tech details. Or you can upload all 3 here to the NetPro.

New Member

Re: IPSEC w/ 2 FCIP tunnels using a single gigE port

Okay, I'll open a TAC case.

We might just decide to use the unused gig1/2 interface too. Just trying to save $ on fibre run since the switch is located at a co-hosted site.

Thanks, Craig

New Member

Re: IPSEC w/ 2 FCIP tunnels using a single gigE port

It's my understanding that one must use sub-interfaces on a shared GE interface for IPSEC to work correctly. A different crypto map will get assigned to each sub-interface. Also, ethernet trunking must be enabled too.

This solution has not been attempted yet.
