Cisco Support Community

New Member

12.0-14 to 12.3-16 ipsec compatibility issue ?

Hello,

Does anybody have an idea how to interconnect through ipsec two routers, one 1605R with ios c1600-sy56i-mz.120-14.bin (4MB Flash/16 MB RAM) and one 3745 with ios c3745-adventerprisek9-mz.123-16.bin (32 MB Flash/256 RAM)? As far as I know, there is an incompatibility between the old versions of ipsec and the new ones. Is there any ios that can replace my old 12.0-14 on the 1605R (with my hardware configuration) and is also compatible with the 12.3-16 on the 3745?

Thank you in advance.

Gabriel

5 REPLIES

Re: 12.0-14 to 12.3-16 ipsec compatibility issue ?

Hi

I did try to find out the ios for your 1605 which can support ipsec single des encryption strength.

But it does require 16MB DRAM and 6MB Flash.

It's a GD version and the filename is c1600-sy56i-mz.121-27b.bin.

Again, the 1605 router has reached end-of-sale or end-of-life status, so I would suggest looking out for an upgrade to either a 1700 or 1800 series model.

regds

New Member

Re: 12.0-14 to 12.3-16 ipsec compatibility issue ?

Hi,

Thank you very much, but there is no possibility to replace the 1605Rs with other routers, as they are part of a project implemented by another company for us. It seems that the newest ios that can fit into my flash is c1600-sy56i-mz.12.0-7.T2 (12/4). Maybe there is a way to establish an ipsec tunnel between this one and the 12.3-16. If anybody knows how to do it, I would really appreciate your input.

Gabriel

Gold

Re: 12.0-14 to 12.3-16 ipsec compatibility issue ?

Just wondering what you are referring to when you mentioned the two ios are not compatible.

Re: 12.0-14 to 12.3-16 ipsec compatibility issue ?

Hi

As jackko mentioned, do post the constraints you have in getting the tunnel established between the routers and also the configs of both the routers.

regds

New Member

Re: 12.0-14 to 12.3-16 ipsec compatibility issue ?

Hi,

I have tested the following config:

Router1605R:

crypto isakmp policy 100
 authentication pre-share
crypto isakmp key cucu address 192.168.200.1
crypto ipsec transform-set mimi ah-sha-hmac esp-des esp-sha-hmac
crypto map hq 100 ipsec-isakmp
 set peer 192.168.200.1
 set transform-set mimi
 match address titi
interface Loopback100
 ip address 192.168.201.2 255.255.255.255
 no ip directed-broadcast
interface Tunnel100
 ip address 192.168.200.2 255.255.255.0
 no ip directed-broadcast
 tunnel source 10.4.208.4
 tunnel destination 192.168.1.2
 crypto map hq
ip route 192.168.201.1 255.255.255.255 192.168.200.1
ip access-list extended titi
 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255

Router3745:

crypto isakmp policy 100
 authentication pre-share
crypto isakmp key cucu address 192.168.200.2
!
!
crypto ipsec transform-set mimi ah-sha-hmac esp-des esp-sha-hmac
!
crypto map hq 100 ipsec-isakmp
 set peer 192.168.200.2
 set transform-set mimi
 match address titi
interface Loopback100
 ip address 192.168.201.1 255.255.255.255
!
interface Tunnel100
 ip address 192.168.200.1 255.255.255.0
 tunnel source 192.168.1.2
 tunnel destination 10.4.208.4
 crypto map hq
ip route 192.168.201.2 255.255.255.255 192.168.200.2
ip access-list extended titi
 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255

Test without the crypto map applied on the Tunnel 100 interface of the 3745:

3745#ping
Protocol [ip]:
Target IP address: 192.168.201.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.201.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.201.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/100/104 ms

Test with the crypto map applied:

3745#ping
Protocol [ip]:
Target IP address: 192.168.201.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.201.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.201.1
.....
Success rate is 0 percent (0/5)

P.S. I tried to apply the crypto map on the physical interface of the 1605R also (as I read about the difference between the older versions of ios and the new ones), but no success...

Thank you!
