RE: Dynamic VPN Problem on Cisco 7609

From: Mike Kraus (mikraus) (mikraus@cisco.com)
Date: Wed May 07 2008 - 21:52:52 ART

• Next message: amit joshi: "Require Detail Informaion about ISP"
• Previous message: Colin McNamara: "Re: VA approved CCIE classes?"
• Maybe in reply to: Akhtar Rasool: "Dynamic VPN Problem on Cisco 7609"
• Next in thread: Akhtar Rasool: "Re: Dynamic VPN Problem on Cisco 7609"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

"Without a SPA-IPSEC-2G or IPsec VPN Acceleration Services Module, the
IPsec Network Security feature (configured with the crypto ipsec
command) is supported in software only for administrative connections to
Catalyst 6500 series switches and Cisco 7600 series routers."

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/na
tive/release/notes/OL_4164.html

In the SRA & SRB chains, crypto without a module isn't supported at all
(even for administrative).

The intent of using a 7600 is for hardware forwarding. If you are OK
with software acceleration, a 7200 or lower is likely sufficient in your
environment.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Rich Collins
Sent: Wednesday, May 07, 2008 8:08 AM
To: Akhtar Rasool
Cc: Cisco certification
Subject: Re: Dynamic VPN Problem on Cisco 7609

Last year I practised some of the VPN configurations on our 7613. I
tried various SXE and SXF versions and crashed the Sup720 a few times.
A work colleague told me that it just wasn't supported without the
Crypto accelerator card so one could expect anything when trying this
out.

-Rich

On 5/7/08, Akhtar Rasool <akhtar.samo@gmail.com> wrote:
>
> Dear all,
>
> I am trying to implement Dynamic VPN on a Cisco 7609 (IOS
> 12.2<18>SXF13) & when I connect to this router through a Cisco VPN
> Client, an IPSEC tunnel is established.
>
> When I issue "sh crypto ipsec sa" encrypted & decrypted packets are
> not equal & Split tunneling is also not working properly. Is anyone
> facing similar issue on this platform as same testing is working fine
> on low end series routers.
>
> Any help in this regard would be appreciable.
>
> **************************************
> crypto isakmp policy 10
> encr 3des
> authentication pre-share
> group 2
> !
> crypto isakmp client configuration group TEST key test12345 pool LOCAL

> acl SPLIT crypto isakmp profile TESTPROFILE match identity group TEST
> client authentication list USERAUTH isakmp authorization list USERAUTH

> client configuration address respond !
> !
> crypto ipsec transform-set CISCO esp-3des esp-sha-hmac !
> crypto dynamic-map DYNAMIC 10
> set transform-set CISCO
> set isakmp-profile TESTPROFILE
> reverse-route
> !
> !
> crypto map TESTVPN 10 ipsec-isakmp dynamic DYNAMIC
>
> ip local pool LOCAL 172.16.1.1 172.16.1.254
>
> ip access-list extended SPLIT
> permit ip 172.16.0.0 0.0.255.255 any
> permit ip 192.168.0.0 0.0.255.255 any
>
> **************************************
>
>
> Regards,
>
> Akhtar
>
>
> ______________________________________________________________________
> _ Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: amit joshi: "Require Detail Informaion about ISP"
• Previous message: Colin McNamara: "Re: VA approved CCIE classes?"
• Maybe in reply to: Akhtar Rasool: "Dynamic VPN Problem on Cisco 7609"
• Next in thread: Akhtar Rasool: "Re: Dynamic VPN Problem on Cisco 7609"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:16 ART