IPSec Support on ASR9K

I've tried to find out if IPSec is fully supported on the ASR 9K platform, but have found some mixed messages. The commands appear to be there, but I can find no documentaitn on how to actually configure IPSec, only IKE. I've also found a post on this forum which states that "true" IPSec is not supported. Is there some authoritative documentation out there on whether full featured IPSec is supported on the ASR 9k?

Hi,
Pre-5.2.0 we only support IPSec for OSPFv3.
Starting in 5.2.0 the VSM card supports IPSec. This is a LC so the 9001 cannot use it or any of the new IPSec features (mainly site-to-site IPSec)
Thanks,
Sam

Similar Messages

Solaris 9 IPSec support

I am currently attempting to activate IPSecurity on Solaris and I am having a host of issues. I am hoping someone on the forums have done this before.
Here are the steps that I have figured out:
1) Create Certificates and add them into the database: I am fairly certain that this has been done correctly since when the in.iked daemon comes up it reads in my CA certificate and my server certificate that I have created.
2) Edit the /etc/inet/ike/config file. I have edited this file but there is an odd thing here. Looking at the man page it says that I should be able to do use AES for the phase 1 SA. However when I use the key word for the aes it tells me it is an error. <Question> Is the AES support only on 10? Is there away I can tell the version of the in.iked daemon I am working with?
3) Activate the in.iked server with the config file. I have done this and used the -p2 -d options so I can see the log file that goes with it.
4)Update the /etc/inet/ipsec.init file: I have done this but here is another instance that things do not make sense. I create a phase 2 proposal devoid of all encryption algorithms and the default one came up. It only had AES and Blowfish. There was no Triple DES option available even though in the man page is there. <question> how do I get the version number of the ipsecconf command.
5)I then use the ipsecconf command to suck in the ipsec.init profile. I have done this successfully with AES and can do a list display.
Usage<<<< I attempt to run a traffic from my solaris to my partner machine that matches the phase 2 traffic descriptors however when the traffic arrives it is not encrypted and the solaris did not attempt to negotiate a tunnel.
When I attempt to initiate a VPN from the other side all I get is parameter mismatch on the Solaris side however the parameters that I have configured all seem to match.
<Questions>
1) Is there some better messages available above -p2 -d
2) Is there a way to initiate a phase 1 negotiation on the SA. ikeadm command does not seem to have that.
3) Is there a service that I have to activate to start the IPSecurity pieces?

http://www.sun.com/servers/coolthreads/t2000/specs.xml
no.
Darren

IPSEC Support in 6500 Code?

Guys does anyone know if the most recent 12.2 IOS code for the 6500 (sup 720) is capable of doing IPSEC VPN's without the VPN module? I can't seem to find a definitive answer to this on the website.
Thanks!

Hi,
As you can see on the release notes for for example 12.2(18)SXD:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.ht
m
"The k9 images support SSH 3DES access and the IPSec Network Security feature (configured
with the crypto ipsec command) in software"
This is not a good idea to use 6500 to use for software 3DES for encryption and decryption
and we DON'T recommend to use 6500 for VPN without having VPNSM.
This probably is not regarded as a valid/advised configuration...
Please rate helpful posts.
Regards,
~JG

NAT444 support on ASR9K without ISM board

Hi
I have a little confusion on ASR9k. we dont have ISM module on ASR9K so we're going to enable NAT444 (CG) , we're not sure this feature can support on this platform without ISM with XR 4.3 MPLS software. Would you please someone to resolve my doubt?
BR

You definitely need an ISM card in your ASR9k to support NAT44. This feature has been supported starting with 4.2.0.
Regards

Rv220w IPsec supported authentication methods

Hi, can somebody pls explain me, how works the "RSA-Signature" authentication method on rv220w?
Because when I want to use "Hybrid RSA" or "Hybrid mode" in my vpn client, Cisco replies "[IKE] ERROR: invalid auth method 64221".
It seems that this router support only basic authentication (preshared key), or am I wrong?
I have couple of issues with this router and I'm not able to find solution anywhere (comunity, phone support) :/
Thanks for helping
David

These files must be present. Please check that the system/library package is installed and complete :
# pkg verify system/library
If this is not the case please run one of these commands :
- If the package is not installed : # pkg install system/library
- If the package is incomplete : # pkg fix system/library

How many BVI(v6) interfaces are supported on ASR9k

Hi all,
I am looking for some information on the scale number for BVI(ipv6) on ASR9K?
Thanks,
Suprabha

Hi,
depending on the card, you might have up to 2K BVI interfaces with E card, while with B/L the number scales only up to 512 BVI interfaces per system.
there are plans to extend the limit in some future IOX versions.
Regards,
Ivan.

IPSEC tunnel and Routing protocols Support

Hi Everyone,
I read IPSEC does not support Routing Protocols with Site to Site VPN as they both are Layer4.
Does it mean that If Site A has to reach Site B over WAN link we should use Static IP on Site A and Site B Router?
In my home Lab i config Site to Site IPSES VPN and they are working fine using OSPF does this mean that IPSEC supports Routing Protocol?
IF someone can explain me this please?
OSPF config A side
router ospf 1
router-id 3.4.4.4
log-adjacency-changes
area 10 virtual-link 10.4.4.1
passive-interface Vlan10
passive-interface Vlan20
network 3.4.4.4 0.0.0.0 area 0
network 192.168.4.0 0.0.0.255 area 10
network 192.168.5.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.5.3 to network 0.0.0.0
O    192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C       3.4.4.0/24 is directly connected, Loopback0
C    192.168.30.0/24 is directly connected, Vlan30
     64.0.0.0/32 is subnetted, 1 subnets
O E2    64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C    192.168.10.0/24 is directly connected, Vlan10
     172.31.0.0/24 is subnetted, 4 subnets
O E2    172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2    172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2    172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2    172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O    192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
O    192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
C    192.168.99.0/24 is directly connected, FastEthernet0/8
C    192.168.20.0/24 is directly connected, Vlan20
     192.168.5.0/31 is subnetted, 1 subnets
C       192.168.5.2 is directly connected, FastEthernet0/11
C    10.0.0.0/8 is directly connected, Tunnel0
     192.168.6.0/31 is subnetted, 1 subnets
O       192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
O    192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
B Side Config
Side A
router ospf 1
log-adjacency-changes
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
1811w# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.99.2 to network 0.0.0.0
O    192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
     3.0.0.0/32 is subnetted, 2 subnets
O       3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O       3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     64.0.0.0/32 is subnetted, 1 subnets
O E2    64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     172.31.0.0/24 is subnetted, 4 subnets
O E2    172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2    172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2    172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2    172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
C    192.168.98.0/24 is directly connected, BVI98
C    192.168.99.0/24 is directly connected, FastEthernet0
O    192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     192.168.5.0/31 is subnetted, 1 subnets
O       192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     192.168.6.0/31 is subnetted, 1 subnets
O       192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
Thanks
Mahesh

Hello,
I'm saying crypto maps have a lot of limitations. Tunnel Protection make way more sense
U can configure in 2 ways [ and multicast WILL work over it]
1- GRE over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunne protection ipsec profile tp
We have configured mode transport because we encrypt GRE + what ever we encapsule in GRE [ eg OSPF - telnet - http ]
Pros:
We can as well transport IPV6 or CDP
Cons:
4 bytes of overhead due to GRE
2- IP over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunnel mode ipsec ipv4
tunne protection ipsec profile tp
This config is in fact closer from a crypto map [ from encapsulation standpoint]. The transform-set then NEED to be in tunnel-mode
Pro:
4 bytes overhead less than GRE over IPSEC
Cons:
Cannot transport CDP or MPLS or IPV6. Very limiting IMHO
Cheers
Olivier

Does 2951 support VPN connectivity by default ?

Problem: I have an old 2851 with VPN module.
Currently, there are IPSEC crypto-connections in use that go through an EIGRP tunnel.
Showing crypto engine br I get: VPN Module (HW) status enabled.
Showing crypto maps, I see that there are leased some active ones.
Showing aaa: there are active sessions.
According to the documentation here:
http://www.cisco.com/c/en/us/products/collateral/routers/2900-series-integrated-services-routers-isr/data_sheet_c78_553896.html ,
The 2951 has embeded IPSec support.
The question is: Is a VPN additional module (3DS/AES encryption module) needed for the 2951 or will the connections work without it ?

Hello.
It will work, but requires SEC/K9 license (and general image, not NPE):
https://www.cisco.com/c/dam/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/qa_c67_606268.pdf
Also if you want to do IPSec for traffic rates higher than 85M unidirectional.

Can I use L2TP without IPSec in Tiger?

Hello.
Can I use built-in L2TP VPN Client without IPsec support?
i don't need ipsec encrypt, i just need l2tp tunneling.
if i cannot use with built-in tiger l2tp client,
could you recommand the software that i can do this?
thanks..

You do understand that L2TP has no encryption and you may as well be using PPTP with clear text passwords, right?
I would strongly recommend you use some form of encryption, either IPSec or PPTP with any form of available encryption.

ASR9K interface packet rate

The packet rate mib 1.3.6.1.4.1.9.2.2.1.1.7 for 7600 seem not support by ASR9K, anyone can share the packet rate /s mib for ASR9K

This is generally computed offline by the mgmt station based on the packet counters (from the IFMIB) and computed over time.
A great package that does this is MRTG you may like to mess around with.
alternatively you could possibly pull the XR interface rate out via XML.
regards
xander

Befvp41 VPN IPSec NAT

Hi!
We engaged in transportation vehicles Ford. Now we create a VPN tunnel with Ipsec support from Ford. VPN tunnel is raised on the basis of Linkys Befvp41. The tunnel is configured and connected. But in logs i see some errors. I don't know that errors. Log:
00:01:38 IKE[12] Tx >> MM_I1 : 0.0.0.0 Error !
00:02:00 IKE[12] Tx >> MM_I1 : 0.0.0.0 Error !
2012-06-05 18:51:40 IKE[12] Tx >> MM_I1 : 0.0.0.0 Error !
2012-06-05 18:52:10 IKE[12] Tx >> MM_I1 : 0.0.0.0 Error !
2012-06-05 18:52:40 IKE[12] Tx >> MM_I1 : 0.0.0.0 Error !
2012-06-05 18:53:10 IKE[12] Tx >> MM_I1 : 0.0.0.0 Error !
2012-06-05 18:53:35 IKE[1] Tx >> MM_I1 : 136.8.33.17 SA
2012-06-05 18:53:35 IKE[1] Rx << MM_R1 : 136.8.33.17 SA, VID
2012-06-05 18:53:35 IKE[1] ISAKMP SA CKI=[67face6c d8c78307] CKR=[b32f54b0 f73043dd]
2012-06-05 18:53:35 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_1024 / 86400 sec (*86400 sec)
2012-06-05 18:53:35 IKE[1] Tx >> MM_I2 : 136.8.33.17 KE, NONCE
2012-06-05 18:53:36 IKE[1] Rx << MM_R2 : 136.8.33.17 KE, NONCE, VID, VID, VID, VID
2012-06-05 18:53:36 IKE[1] Tx >> MM_I3 : 136.8.33.17 ID, HASH
2012-06-05 18:53:37 IKE[1] Rx << MM_R3 : 136.8.33.17 ID, HASH, VID
2012-06-05 18:53:37 IKE[1] Tx >> QM_I1 : 136.8.33.17 HASH, SA, NONCE, ID, ID
2012-06-05 18:53:37 IKE[1] Rx << QM_R1 : 136.8.33.17 HASH, SA, NONCE, ID, ID
2012-06-05 18:53:37 IKE[1] Tx >> QM_I2 : 136.8.33.17 HASH
2012-06-05 18:53:37 IKE[1] ESP_SA 3DES / SHA / 3600 sec (*3600 sec) / SPI=[65f2e68f:3b4694df]
2012-06-05 18:53:37 IKE[1] Set up ESP tunnel with 136.8.33.17 Success !
2012-06-05 18:53:40 IKE[12] Tx >> MM_I1 : 0.0.0.0 Error !
Further, I do not know how to set up Ipsec with support NAT, because Ford only works with white ip addresses on the Internet. Can you send some information to set up ipsec with nat? Thank you.

Thank you for you replies there are 2 options either easy vpn client but it requires cisco at the other end ...or that one:
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp profile L2L
description LAN-to-LAN for spoke router(s) connection
keyring spokes
match identity address 0.0.0.0
here is the cisco url link where u can find further information about it:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
I m gonna test those 2 options
I still don t know how to push acl with easy vpn client and remote mode.
thank you for your advices
regards,
alex
regards,
alex

IPsec on AsyncOS

Judging from the complete lack of any mention of the term "IPsec" in both the product manuals and the Knowledge Base, I think it's pretty safe to say that AsyncOS has no IPsec support. Might any of the IronPort folks here care to comment on if/when this might change?
Thanks,

Last time I looked, AsyncOS was based on FreeBSD, which has IPsec support built in. I suppose building a suitable interface for configuring it, and then dealing with the support issues that IPsec can cause are the main reasons for not having exposed this functionality (along with a lack of customer demand, no doubt).
Anyway, I'm just curious. IPsec might be a way we could solve some internal problems we're facing, but there are other possibilities.

IPSec on SPA8000

Hi All,
Is the IPSec support on the SPA8000 strictly a pass-through function or can it originate an IPSec tunnel/session? I.E. I want to connect (voice traffic generated by the SPA8000) to a VoIP network through a IPSec tunnel.
Regards,
Scott

Arupis,
Well the reason that I am still unsure is that the other (smaller lower cost) ATA devices do not even discuss IPSec or PPTP.
By contrast, under network/transport Protocols, the SPA8000 lists “TCP/IP, PPTP, UDP/IP, L2TP, ICMP/IP, IPSec, PPPoE” http://shopping.msn.com/Specs/shp/?itemId=808614941
Do you have an e-mail contact at Linksys? I really don’t want to play “1-800” roulette”
Regards,
Scott

ASR 9001 + IPSEC

Hello,
We try to use ipsec with our ASR 9001 but even if we do crypto isakmp:
how crypto isakmp peers
Tue Apr 14 20:47:17.751 UTC
% IKE not active
How can we active IKE ?
Thks.

Hi Jordi,
We are getting ipsec support with the "help"of the VSM (virtual services module).
this module carries as bunch of cpu's on top of which applications can be loaded. eg CGN, coming soon IPSEC and DPI also.
This module requires a slot. The asr9001 doesnt have slots so it can't carry the VSM, for which you need a 9904/9006/9010/9922.
There was talks about a crypto MPA too, I need to check in on that and will report back if there are plans for it.
regards
xander

Windows VPN clients can't use network servers after 10.5.1 upgrade

We have two Xserves, both formerly running 10.4.11. One is the OD master, the other a replica. The replica is also the VPN server, and is a DHCP server for the small number of IP addresses reserved for VPN clients.
The OD master upgrade went fine. I completely reinstalled the OD replica, set the replica up again, and set up the VPN server. It supports L2TP/IPsec connections only.
After the upgrade, Mac users running Tiger or Leopard can connect to the VPN server and connect to network services without any problems. Windows users can connect, but cannot actually USE anything on my office network. For example, if you try to connect to a web server either by fully qualified domain name or by hostname, the connection from the browser simply times out.
In the Windows command line I can verify that I have an active connection by pinging and using the tracert command (equivalent of traceroute on UNIX). Hostname resolution works, too. But nothing happens when you try to open a web browser, which is mostly what my users need to do.
It doesn't matter whether you're logging in with an OD user account or a local account defined solely on the VPN server. Same behavior in Windows.
I had to take an older XServe running 10.4.11 out of our data center, move it to the office, and set it up on the same external network connection. 10.4.11 server works, 10.5.1 doesn't, from the same Windows client, set up exactly the same way.
I've been through the hoops with Apple Enterprise support, who now tell me that Engineering kicked it back to them and told them they'd charge me $695 to get it fixed, because it's ostensibly custom configuration work. If that's true, why is Windows XP listed under L2TP/IPSec support on page 127 of the Leopard Network Services Admin guide? I don't want a custom fix, I just want it to work the way it's supposed to work. Or I want Apple to retract the claim that OS X Server is the best workgroup server solution for Macs and Windows.
Anyone else encounter this problem or know of a fix?

Had the same problems, started after i tried out the firewall in Leopard server.
Seems that not all settings are reset even after turning the firewall off.
To reset the firewall to its default setting:
1 Disconnect the server from the Internet.
2 Restart the server in single-user mode by holding down the Command-s keys during
startup.
3 Remove or rename the address groups file found at /etc/ipfilter/
ipaddressgroups.plist.
4 Remove or rename the ipfw configuration file found at /etc/ipfilter/ipfw.conf.
5 Force-flush the firewall rules by entering the following in Terminal:
$ ipfw -f flush
6 Edit the /etc/hostconfig file and set IPFILTER=-YES-.
7 Complete the startup sequence in the login window by entering exit:
The computer starts up with the default firewall rules and firewall enabled. Use Server
Admin to refine the firewall configuration.
8 Log in to your server’s local administrator account to confirm that the firewall is
restored to its default configuration.
9 Reconnect your host to the Internet.
This solved the problem for me...

IPSec Support on ASR9K

Similar Messages

Maybe you are looking for