IPSec on Catalyst 6500

I've inherited a Cisco Catalyst 6509 (Supervisor 720/MSFC3) running the Advanced IP Services feature set on IOS 12.2(33)SXJ6, a pair of IPSec SPAs and an FWSM running OS 4.1(5) and have been tasked with getting traditional policy-based IPSec VPNs up and running on it and (eventually) DMVPN.

Normally, this wouldn't be too much trouble, except that I'm running into what appear to be mutually exclusive required features. The ISP uses media converters between the Catalyst and their switches, so we're using BFD for BGP fall-over because we can't count on the interface going down if they lose a router. Because BFD isn't supported on SVIs, the uplinks to the ISP are routed ports, and everything is working.

Unfortunately, the SPAs only seem to support crypto maps on SVI interfaces, so my usual approach of putting the crypto map on the last hops before the ISP routers isn't going to work. We do have an external VLAN that has public addressing and is advertised out via BGP, but moving the crypto map to this interface doesn't trigger ISAKMP. This is probably because the VLAN isn't the last hop out.

I'm thinking that I can do something with local PBR or something similar to force the ISAKMP/IPSec traffic to the outside VLAN, but I'm a little bit lost with the way the SPAs are involved.

I'm not necessarily looking for a solution, but some educated input on the problem would be very much appreciated so that I can figure out what my next steps should be.
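The following configuration fragment is an added illustration of the approach the post describes (a crypto map on a public SVI, with local PBR steering the router's own IKE and ESP traffic toward that SVI). It is not from the original post or from Cisco documentation. All addresses, names, the peer, the pre-shared key and the ACL networks are placeholders, the IKE/IPsec parameters are assumptions that must match what the IOS train and SPAs support, and the IPSec SPA-to-VLAN binding commands are deliberately omitted because they depend on the SPA operating mode in use.

```cisco
! Added example, not from the original post. Placeholders throughout.
!
! Phase 1 policy (parameters are assumptions; match them to the peer)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
crypto isakmp key <PLACEHOLDER-PSK> address 203.0.113.10
!
! Phase 2 transform set
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Interesting traffic for the policy-based tunnel (placeholder networks)
ip access-list extended ACL-CRYPTO-SITEB
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES256-SHA
 set pfs group5
 match address ACL-CRYPTO-SITEB
!
! Public-facing SVI carrying the crypto map (SPA binding commands omitted;
! they depend on the SPA mode and are an assumption left to the platform docs)
interface Vlan100
 description Outside VLAN (public addressing, advertised via BGP)
 ip address 198.51.100.2 255.255.255.0
 crypto map CM-OUTSIDE
!
! Local PBR: router-originated IKE (UDP/500, UDP/4500) and ESP toward the
! peer are steered to a next hop on Vlan100 instead of the routed uplinks.
ip access-list extended ACL-PBR-VPN
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
!
route-map RM-LOCAL-VPN permit 10
 match ip address ACL-PBR-VPN
 set ip next-hop 198.51.100.1
!
ip local policy route-map RM-LOCAL-VPN
```

To check whether the steering takes effect, `show route-map RM-LOCAL-VPN` reports policy-routing matches, and `show crypto isakmp sa` / `show crypto ipsec sa` show whether phase 1 and phase 2 come up. The caveat is the one the post already hints at: `set ip next-hop` only works if 198.51.100.1 is a real forwarding next hop reachable on Vlan100; if nothing on that VLAN forwards toward the ISP, local PBR alone cannot make the SVI the last hop, and the SPA's own VLAN-attachment model has to provide that path instead.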