Re: Dynamic VPN Problem on Cisco 7609

From: Akhtar Rasool (akhtar.samo@gmail.com)
Date: Thu May 08 2008 - 01:54:13 ART


Thanks for the response. You are right, IPSEC on the MSFC is supported for
administrative purposes to the router only.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/hybrid/release/notes/ol_4563.html#wp220918

Regards,

Akhtar

On Thu, May 8, 2008 at 4:52 AM, Mike Kraus (mikraus) <mikraus@cisco.com>
wrote:

>
> "Without a SPA-IPSEC-2G or IPsec VPN Acceleration Services Module, the
> IPsec Network Security feature (configured with the crypto ipsec
> command) is supported in software only for administrative connections to
> Catalyst 6500 series switches and Cisco 7600 series routers."
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
>
> In the SRA & SRB chains, crypto without a module isn't supported at all
> (even for administrative).
>
> The intent of using a 7600 is for hardware forwarding. If you are OK
> with software acceleration, a 7200 or lower is likely sufficient in your
> environment.
>
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Rich Collins
> Sent: Wednesday, May 07, 2008 8:08 AM
> To: Akhtar Rasool
> Cc: Cisco certification
> Subject: Re: Dynamic VPN Problem on Cisco 7609
>
> Last year I practised some of the VPN configurations on our 7613. I
> tried various SXE and SXF versions and crashed the Sup720 a few times.
> A work colleague told me that it just wasn't supported without the
> Crypto accelerator card so one could expect anything when trying this
> out.
>
> -Rich
>
>
>
> On 5/7/08, Akhtar Rasool <akhtar.samo@gmail.com> wrote:
> >
> > Dear all,
> >
> > I am trying to implement Dynamic VPN on a Cisco 7609 (IOS
> > 12.2(18)SXF13) & when I connect to this router through a Cisco VPN
> > Client, an IPSEC tunnel is established.
> >
> > When I issue "sh crypto ipsec sa", encrypted & decrypted packets are
> > not equal & split tunneling is also not working properly. Is anyone
> > facing a similar issue on this platform, as the same testing is working
> > fine on low-end series routers?
> >
> > Any help in this regard would be appreciated.
> >
> > **************************************
> > crypto isakmp policy 10
> > encr 3des
> > authentication pre-share
> > group 2
> > !
> > crypto isakmp client configuration group TEST
> > key test12345
> > pool LOCAL
> > acl SPLIT
> > crypto isakmp profile TESTPROFILE
> > match identity group TEST
> > client authentication list USERAUTH
> > isakmp authorization list USERAUTH
> > client configuration address respond
> > !
> > !
> > crypto ipsec transform-set CISCO esp-3des esp-sha-hmac
> > !
> > crypto dynamic-map DYNAMIC 10
> > set transform-set CISCO
> > set isakmp-profile TESTPROFILE
> > reverse-route
> > !
> > !
> > crypto map TESTVPN 10 ipsec-isakmp dynamic DYNAMIC
> >
> > ip local pool LOCAL 172.16.1.1 172.16.1.254
> >
> > ip access-list extended SPLIT
> > permit ip 172.16.0.0 0.0.255.255 any
> > permit ip 192.168.0.0 0.0.255.255 any
> >
> > **************************************
> >
> >
> > Regards,
> >
> > Akhtar
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:16 ART
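
A way to check the symptom from the original question (encrypted and decrypted counters that do not match) across many SAs, as an added example that is not part of the thread. The sample output is constructed in the layout of `show crypto ipsec sa`, and the function names and the `min_pkts` threshold are assumptions; only SAs with one direction at zero are flagged, since counters that merely differ are expected when traffic is asymmetric.

```python
import re

# Constructed sample in the layout of IOS "show crypto ipsec sa" output;
# interface, addresses and counters are made up for illustration.
SAMPLE = """\
interface: GigabitEthernet1/1
    Crypto map tag: TESTVPN, local addr 192.0.2.1

   remote ident (addr/mask/prot/port): (172.16.1.5/255.255.255.255/0/0)
   current_peer 198.51.100.7 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 152, #pkts decrypt: 152, #pkts verify: 152

   remote ident (addr/mask/prot/port): (172.16.1.6/255.255.255.255/0/0)
   current_peer 198.51.100.9 port 500
    #pkts encaps: 97, #pkts encrypt: 97, #pkts digest: 97
    #pkts decaps: 110, #pkts decrypt: 110, #pkts verify: 110
"""

REMOTE = re.compile(r"remote\s+ident[^:]*:\s*\(([\d.]+)/")
ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sas(text):
    """Return one dict per SA: remote ident address, encaps and decaps counts."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := REMOTE.search(line):
            cur = {"remote": m.group(1), "encaps": None, "decaps": None}
            sas.append(cur)
        elif cur is not None and (m := ENCAPS.search(line)):
            cur["encaps"] = int(m.group(1))
        elif cur is not None and (m := DECAPS.search(line)):
            cur["decaps"] = int(m.group(1))
    return sas


def one_way(sas, min_pkts=10):
    """SAs where one direction carries traffic and the other is stuck at zero."""
    return [s for s in sas
            if None not in (s["encaps"], s["decaps"])
            and min(s["encaps"], s["decaps"]) == 0
            and max(s["encaps"], s["decaps"]) >= min_pkts]


if __name__ == "__main__":
    for sa in one_way(parse_sas(SAMPLE)):
        print(f"one-way SA to {sa['remote']}: {sa['encaps']} out, {sa['decaps']} in")
```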