Cisco Support Community
New Member

IPSEC tunnel between 2 7606 PE

I am trying to create an IPSec tunnel between two 7606 PE routers. Getting this error when I ping across, and also if I start using the path LDP drops down.

Nov 12 16:32:22.801 EST: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 10.10.135.1, remote= 10.10.135.2,

local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)

Nov 12 16:32:22.801 EST: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 10.10.135.1, remote= 10.10.135.2,

local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= NONE (Tunnel),

lifedur= 190s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

Nov 12 16:32:22.801 EST: ISAKMP:(0): SA request profile is test

Nov 12 16:32:22.801 EST: ISAKMP: Created a peer struct for 10.10.135.2, peer port 500

Nov 12 16:32:22.801 EST: ISAKMP: New peer created peer = 0x5326A08C peer_handle = 0x8000001A

Nov 12 16:32:22.801 EST: ISAKMP: Locking peer struct 0x5326A08C, refcount 1 for isakmp_initiator

Nov 12 16:32:22.801 EST: ISAKMP: local port 500, remote port 500

Nov 12 16:32:22.801 EST: ISAKMP: Unable to allocate IKE SA

Nov 12 16:32:22.801 EST: ISAKMP: Unlocking peer struct 0x5326A08C for isadb_unlock_peer_delete_sa(), count 0

Nov 12 16:32:22.801 EST: ISAKMP: Deleting peer node by peer_reap for 10.10.135.2: 5326A08C

Nov 12 16:32:22.801 EST: ISAKMP:(0):purging SA., sa=0, delme=532E8364

PE2#

Nov 12 16:32:22.801 EST: ISAKMP: Error while processing SA request: Failed to initialize SA

Nov 12 16:32:22.801 EST: ISAKMP: Error while processing KMI message 0, error 2.

Nov 12 16:32:22.801 EST: IPSEC(key_engine): got a queue event with 1 KMI message(s)

PE2#

Nov 12 16:32:52.801 EST: IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 10.10.135.1, remote= 10.10.135.2,

local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)

1 ACCEPTED SOLUTION

Cisco Employee

Re: IPSEC tunnel between 2 7606 PE

IPsec is not supported on the 6500 and 7600 series without an IPsec module (VPNSM or IPsec-SPA), sorry.
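
An added example, not part of the thread and not Cisco code: it groups ISAKMP debug lines like those quoted in the question by SA request and flags attempts that fail locally ("Unable to allocate IKE SA") before any IKE packet is logged, which is the pattern in the question's log. The function name, the verdict labels and the "sending packet to" / "received packet from" markers are assumptions.

```python
import re

# Constructed sample: a shortened copy of the debug lines quoted in the question.
SAMPLE = """\
Nov 12 16:32:22.801 EST: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.10.135.1, remote= 10.10.135.2,
Nov 12 16:32:22.801 EST: ISAKMP:(0): SA request profile is test
Nov 12 16:32:22.801 EST: ISAKMP: Created a peer struct for 10.10.135.2, peer port 500
Nov 12 16:32:22.801 EST: ISAKMP: Unable to allocate IKE SA
PE2#
Nov 12 16:32:22.801 EST: ISAKMP: Error while processing SA request: Failed to initialize SA
Nov 12 16:32:52.801 EST: IPSEC(key_engine): request timer fired: count = 2,
"""

LINE = re.compile(r"^(?P<ts>\*?\w{3} +\d+ [\d:.]+ \w+): (?P<msg>.*)$")
PEER = re.compile(r"Created a peer struct for (?P<peer>[\d.]+)")
LOCAL_FAIL = ("Unable to allocate IKE SA", "Failed to initialize SA")
# Assumption: these strings appear in the debug once IKE packets are exchanged.
WIRE = ("sending packet to", "received packet from")

def triage(text):
    """Group debug lines by IPSEC(sa_request) and classify each attempt."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines and router prompts carry no timestamp
        msg = m["msg"]
        if msg.startswith("IPSEC(sa_request)"):
            cur = {"start": m["ts"], "peer": None, "local_errors": [], "on_wire": False}
            attempts.append(cur)
        elif cur is not None:
            p = PEER.search(msg)
            if p:
                cur["peer"] = p["peer"]
            cur["local_errors"] += [s for s in LOCAL_FAIL if s in msg]
            cur["on_wire"] = cur["on_wire"] or any(s in msg for s in WIRE)
    for a in attempts:
        if a["on_wire"]:
            a["verdict"] = "ike-exchange-started"      # look at the peer / policy next
        elif a["local_errors"]:
            a["verdict"] = "failed-locally-before-ike"  # look at this router first
        else:
            a["verdict"] = "no-outcome-logged"
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["start"], a["peer"], a["verdict"], a["local_errors"])
```

A "failed-locally-before-ike" verdict means the initiator gave up before contacting the peer, so the place to look is the local platform (here, per the accepted answer, IPsec hardware support) rather than the remote configuration.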

New Member

Re: IPSEC tunnel between 2 7606 PE

I see. What about on GSR with SIP-601, will any GigE SPA support it? Or does it need an IPSEC SPA as well?

Thanks,

Cisco Employee

Re: IPSEC tunnel between 2 7606 PE

To be honest I don't know (I never work with GSR) but I found this in a security advisory:

"GSR (c12000) and CRS-1 routers running IOS-XR software support software-based IPSec for locally sourced and terminated traffic only (used mostly for routing protocols)."

src:

http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html

I suppose this answers the question...

Herbert
