IPSec VRF Aware (Crypto Map)

Similar Messages

• VRF Aware Crypto Map

  Hi,
  I´ve a VPN Router with VRF´s for every customer and also for the Internet Connection.
  On the Router run many DMVPN´s and Static VTI.
  Now I must configure a new VPN based on a crypto map.
  I´ve read that it´s impossible to termnate a crypto map an a VTI on the same physical interface.
  So I´ve installed a new physical interface to terminate the crypto map.
  This are the configuration which insert to the running configuration:
  crypto keyring KEYRING-Customer vrf OUTSIDE_CM
  pre-shared-key address a.b.c.d key KEY
  crypto isakmp policy 100
  encr aes 256
  hash sha1
  group 14
  authentication pre-share
  ip access-list exten ACL-Customer
  10 permit ip 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255
  crypto isakmp profile Customer
  keyring KEYRING-Customer
  match identity address a.b.c.d 255.255.255.255 OUTSIDE_CM
  local-address Gig0/0
  vrf Customer
  crypto map CMAP 10 ipsec-isakmp
  set peer a.b.c.d
  set transform-set AES256
  set isakmp-profile Customer
  match address ACL-Customer
  set pfs group14
  int gig0/0
  vrf forwarding Customer
  ip address 1.2.3.4 255.255.255.0
  crypto map CMAP
  But I see nothing on the router. Whit debug crypto isakmp i can´t see any traffic for this VPN.
  Where is my mistake ?
  The OUTSIDE_CM VRF ist the VRF for WWW traffic.
  The Customer VRF ist the Customer LAN.
  Many Thanks
  BR Martin

  Marcin,
  the reason why I don´t use VTI in this case is very simple. I transfer the old VPN from a PIX and im not shure
  if it possible to run this VPN with VTI, because the other side is not configured from us.
  An it´s not a cisco device. What do you think....  When I´ve try to use a VTI, how the other side is checking the Crypto map ? Because, normaly, when a ASA for Example builds a VPN the device´s check which crypto map is configured on the other side and if the crypto map isn´t idetical, the VPN doesn´t came up.....
  Thank´s for your help. It´s my first Router with VPN´s. Normally I use ASA´s. But I think with a router we are more flexible... QoS, OSPF etc....
  BR M

• Multiple Crypto Maps on Single Outside Interface

  Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
  crypto map azure-crypto-map 10 match address azure-vpn-acl
  crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
  crypto map azure-crypto-map interface outside
  However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
  crypto map azure-crypto-map interface outside
  which blows away my original line:
  crypto map outside_map interface outside
  It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.

  Hi,
  You can use the same "crypto map"
  Just add
  crypto map outside_map 10 match address azure-vpn-acl
  crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
  Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
  And what I mean with the above is that when a L2L VPN connections is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
  If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
  Hope this helps
  - Jouni

• Troubles using VRF-aware IPsec w/ crypto maps

  I'm trying to get a lab setup to work with a C2951 (15.2(4)M4) peering with an ASA 5510 (9.1(2)). The config is based on crypto maps, since I want the C2951 to be the initiating side, and as far as I understand, VTIs wouldn't be working together with the ASA due to the default 'any' crypto statements that are being applied on SVTIs.
  So I've set up this IKEv1-, crypto map-based lab, and the tunnel strictly won't come up; it seems that crypto doesn't find any interesting traffic at all (no debug crypto isakmp output pops up).
  What I'm doing for testing is issuing a VRF Ping from a loopback interface of the C2951. I was following the following cheat sheet to configure the IOS box:
  https://supportforums.cisco.com/docs/DOC-13524
  Please see the attached config files and the setup drawing.
  This is the way I'm testing it:
  C2951#sh deb
  Cryptographic Subsystem:
    Crypto ISAKMP debugging is on
  C2951#
  C2951#ping vrf test 10.0.0.1 source lo 1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
  Packet sent with a source address of 40.0.0.1
  Success rate is 0 percent (0/5)
  C2951#
  Any hints for me, please?

  There are no VRF routes left in the config, and I've cleared the global and the VRF routing table. Even rebooted the box. Still only half of the Pings get answered. There are no crypto ipsec errors, so it should have something to do with routing...but what?
  C2951#sh crypto ipsec sa
  interface: GigabitEthernet0/0
      Crypto map tag: OUR-MAP, local addr 30.0.0.2
     protected vrf: test
     local  ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)
     remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
     current_peer 20.0.0.1 port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 30.0.0.2, remote crypto endpt.: 20.0.0.1
       path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
       current outbound spi: 0xEB02ACDA(3942821082)
       PFS (Y/N): Y, DH group: group5
       inbound esp sas:
        spi: 0x1A943A9F(445921951)
          transform: esp-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 18009, flow_id: ISM VPN:9, sibling_flags 80000040, crypto map: OUR-MAP
          sa timing: remaining key lifetime (k/sec): (4225929/3571)
          IV size: 16 bytes
          replay detection support: Y
          Status: ACTIVE(ACTIVE)
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0xEB02ACDA(3942821082)
          transform: esp-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 18010, flow_id: ISM VPN:10, sibling_flags 80000040, crypto map: OUR-MAP
          sa timing: remaining key lifetime (k/sec): (4225928/3571)
          IV size: 16 bytes
          replay detection support: Y
          Status: ACTIVE(ACTIVE)
       outbound ah sas:
       outbound pcp sas:
  C2951#sh ip route 10.0.0.0
  % Network not in table
  C2951#sh ip route vrf test 10.0.0.0
  Routing Table: test
  Routing entry for 10.0.0.0/24, 1 known subnets
  S        10.0.0.0 [1/0] via 20.0.0.1, GigabitEthernet0/0

• Vrf aware dynamic ipsec

  Hi
  I need to setup a VRF aware IPSec that can take requests from dynamic (unspecified) sources. This is basically like enabling a home user to connect to his MPLS VPN network with a service provider. Please help with the SP network config, not the CPE.
  An appropriate link will also help.

  Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.
  One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.
  This document helps you configure VRF aware IPSec.
  http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1158006

• VRF-Aware IPSec for Remote Access

  Dear All,
  Has anyone successfully implemented VRF-Aware IPSec for Remote Access ?
  I am trying to implement this feature on a PE which has MPLS enabled
  on the Internet facing interface.
  With the config below, I am being able to establish an IPSEc tunnel but not being able to PING the VRF interface configured on the same PE.
  I will be really grateful for any comment or any pointers for what could
  be possibly wrong with the configuration below:
  aaa new-model
  aaa authentication login USER-AUTHENTICATION local
  aaa authorization network GROUP-AUTHORISATION local
  crypto keyring test-1
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group test-1
  key test-1
  domain test.com
  pool cpe-1
  acl 101
  crypto isakmp profile test-1
  vrf test-1
  keyring test-1
  match identity group test-1
  client authentication list USER-AUTHENTICATION
  isakmp authorization list GROUP-AUTHORISATION
  client configuration address initiate
  client configuration address respond
  client configuration group test-1
  crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
  ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
  crypto dynamic-map test-1 1
  set transform-set test-1
  set isakmp-profile test-1
  reverse-route remote-peer
  Internet facing interface
  interface GigabitEthernet4/0/0
  ip address x.x.x.x 255.255.255.240
  ip router isis
  mpls ip
  crypto map IPSEC-AWARE-VRF
  Customer facing interface
  interface GigabitEthernet1/0/0.1
  encapsulation dot1Q 100
  ip vrf forwarding test-1
  ip address 110.110.110.1 255.255.255.0
  Kind regards,
  ZH

  Million thanks for this.
  This now works after disabling CEF on the public facing interface.
  Regards,
  Zahid

• 2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput

  We have a couple of new 2821s deployed across a fibre link and they were originally running 12.4 (non T) versions using software encryption. We would get around 8Mb/s throughput. Upgrading to T to use the installed AIM cards we now see the AIM cards in use (show cry isakmp sa det shows then engine as aim vpn), but we still get the same throughput and high CPU. allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of vrf aware ipsec - or any other suggestions?

  Hi Nick,
  I am having the same issue. We have a 2851 as a IPSEC VPN headend with an AIM VPN module but we are seeing high CPU usage(80%) with just 4-5mbps worth of traffic. I have an idea that I might have a NAT issue.
  We are currently running, NAT, ZFW, and IPSEC site 2 site VPN on the router.
  When I look at my ZONE firewall policy-map output it is showing all of my VPN traffic as process switched.
  Inspect
  Packet inspection statistics [process switch:fast switch]
  tcp packets: [14809800:0]
  udp packets: [145107:0]
  icmp packets: [20937:12]
  I have disabled the ZFW and still see high cpu although it is a little lower.
  Packets are not fragmented, CEF and fast switching looks to be enabled. I am using a route-map for my nonats. That is the only thing I can think of now.
  I have tried IOS 12.4(20)T3,4 and 12.4(15)T9. Same results.
  Anyone have some ideas?

• VRF-Aware IPsec with a Dynamic VTI

  Hello
  I am trying to configure VRF-aware IPSEC with e Dynamic VTI. I follow the guidelines from the document
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-2mt/sec-ipsec-virt-tunnl.html#GUID-C0A165BF-5866-4B13-BD73-0892B7E65488
  Acording to the example: "VRF-Aware IPsec with a Dynamic VTI When VRF is Configured Under an ISAKMP Profile" I should be able to configure both the vrf and virtual-template features under the same crypto isakmp policy.
  Unfortunalety, if I try to do that, I receive the following message
  R4(conf-isa-prof)#virtual-template 1
  % VRF already set for isakmp profile. Virtual Template not allowed
  Does anyody know why I am not able to follow the configuration from this example?
  My profile confguration, and the virtual-template configuration are as follows
  crypto isakmp profile A
     vrf A
     keyring A
     match identity address 192.168.0.2 255.255.255.255
  interface Virtual-Template1 type tunnel
  ip unnumbered Loopback2
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile A
  I am doing the test on the IOS 12.4(11)XW3 runningon 3725 router.
  Thank you in advance for any hints.
  Regards
  Lukas

  Lukas,
  I'm not sure but most likely this was not yet supported in 12.4.
  The document you refer to is for IOS 15.2. I don't know by heart if your 3715 can run 15.2, otherwise give 15.1(4)Mx a try ?
  hth
  Herbert

• Seamless migration of cryptomap ipsec setup to vrf aware environment?

  hi out there
  We are in a migration phase from a vpn router with a non-vrf aware setup to a router with a vrf aware setup. I expected that I was able to do this more or less seamless by adding the wan-interface from the vrf ware router to the same hsrp Group as the non-vrf aware router and the just raise the priority of the vrf aware router when we had a time slot for migrating the environment. But when I added the interface for the vrf aware router to the hsrp Group of the non-vrf aware router  the vrf-aware router suddenly started to "mal-function" - it had two other interfaces running with vpn connections and those sessions started to crash.
  Since this is a production env I hadn't time to debug what happened but I just quickly rolled-back what I had done and everything looked ok and stable Again. But - can some here give me a guess of what had happened?
  the setup I had on the non-vrf aware router was this:
  interface GigabitEthernet0/0/0
  ip address 19.41.10.13 255.255.255.128
  standby 68 ip 19.41.10.14
   standby 68 priority 110
   standby 68 preempt
   standby 68 authentication xxxx
   standby 68 name asp
  crypto map cm-cvn001 redundancy asp
  and on the vrf aware env:
  interface GigabitEthernet0/0/3
  ip address 19.41.10.28 255.255.255.128
   vrf forwarding INTERNET3
   standby 68 ip 19.41.10.14
   standby 68 priority 50
   standby 68 preempt
   standby 68 authentication xxxx
   standby 68 name asp
  crypto map IPSECMAP3 redundancy asp

  Hi JouniForss
  Thanks for replying!
  Looks like I left in some public IP's by mistake.
  I have edited this to hopefully make it clear.

• VRF-aware IPSec Issues

  Hello All
  I will be grateful if someone can assist me with this please.
  I am having issues with this setup and the VPN tunnel shows down. Can someone please advice where i may be going wrong. the test setup as below and i have also attached the current configs.
  VPN_RTR#sh crypto session
  Crypto session current status
  Interface: GigabitEthernet0/1.84
  Session status: DOWN
  Peer: 1.1.1.2 port 500
    IPSEC FLOW: permit ip host 10.10.10.1 0.0.0.0/0.0.0.0
          Active SAs: 0, origin: crypto map
  Interface: GigabitEthernet0/1.85
  Session status: DOWN
  Peer: 1.1.1.6 port 500
    IPSEC FLOW: permit ip host 10.10.11.1 0.0.0.0/0.0.0.0
          Active SAs: 0, origin: crypto map

  Hello,
  Modify your ACL on both routers to identify interesting traffic which will be encrypted, in your case traffic beteen loopbacks in same VRF.
  INETSERV1_TEST
  ip access-list extended P1-VPN
  permit ip host 10.10.10.1 host 192.168.0.1
  ip access-list extended P3-VPN
  permit ip host 10.10.11.1 host 192.168.1.1
  VPN_RTR
  ip access-list extended P1-VPN
  permit ip host 192.168.0.1 host 10.10.10.1
  ip access-list extended P3-VPN
  permit ip host 192.168.1.1 host 10.10.11.1
  After this change, you should be able to ping between loopbacks.
  Best Regards
  Please rate all helpful posts and close solved questions

• Vrf aware dmvpn with ipsec profile breaks while enabling authentication in EIGRP named mode

  Hi Friends,
  I build a vrf aware dmvpn using IPSec profile and I got the DMVPN and IPSec crypto as UP and able to do advertise using EIGRP.
  But the crypto and DMVPN breaks while I enabled the authentication in EIGRP named mode.
  Once i remove the authentication, it works fine.
  Any advice, how to solve this issue ? Any crypto commands need to add to make this work ?
  Regards
  Riyas Rasheed

  Hi,
  I attached the config I did, till I apply the authentication in EIGRP,
  once I applied the below config, the dmvpn will break
  ""router eigrp EIGRP
  add ipv4 autonom 45678
  af-interface tu0
  authentication mode hmac-sha256 KEY""
  See any more configs I need to add in the crypto to make the dmvpn  up.
  Thanks

• DMVPN + VRF-Aware IPSec

  Hi,
  Can we club DMVPN and VRF-Aware IPsec features ?
  Regards
  Mahesh

  Million thanks for this.
  This now works after disabling CEF on the public facing interface.
  Regards,
  Zahid

• Rejecting IPSec tunnel: no matching crypto map entry for remote proxy

  Hi!
  I have already search for this but didn't get an exact answer I'm looking for so I try asking it again (if there is the same question).
  I'm in process of migrating some VPN tunnels with  from a Cisco router to an ASA, everything will keep the same but just the peering IP address. However, some of the tunnel was being torn down since it request for a proxy doesn't match the one configured on our side. And the remote peer said there is no such issue on the previous platform, but now they need to reset the tunnel from time to time.
  Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
  Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
  Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
  The remote peer said they did not change the proxy id on their side so it is possibly the old platform will just not setting up the SA without torn down the tunnel while the ASA on the new platform will torn down if there is any mismatch.
  Anyway I have requested the remote side to remove those unmatched entried to avoid the tunnel being torn down, but if there any configuration that is related to this issue? i.e. Just bring up the SA with matched addresses and ignore others, instead of torn down the tunnel.
  Thanks!!
  //Cody

  Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
  If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
  access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
  Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
  nat (outside) 1 172.16.0.0 255.255.240.0

• Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

  Hi,
  I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
  Any ideas?
  Thanks Steve
  https://supportforums.cisco.com/thread/255085
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
  5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
  4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
  3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
  6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
  6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

  Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
  If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
  access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
  Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
  nat (outside) 1 172.16.0.0 255.255.240.0

• Help with IPSEC? Can you apply crypto map to SVI?

  Hi All,
  Got a problem with a site-to-site IPSEC vpn implementation where one end is using SVI (eg: interface vlan 10).
  Does any body know if a crypto map can be applied to a SVI to bring up the IPSEC tunnel? It accepts the command but I can't pass any traffic to/from it.
  interface vlan 10
  crypto map MY-MAP
  Or do you need to apply the crypto map to a physical interface?
  I've gotten it working on a sub-interface (eg: interface GigabitEthernet0/0.11) but can't find any documentation that talks about applying it to a SVI and whether this will work. Anybody tried it using SVI's before?
  This is to be done on a Cisco 7606 (sup720).
  Thanks.
  Andy

  Hi Jerry,
  I'm not that cluey with all the hardware on the box itself, but here's what we have on the box.
  core1#sh ver
  Cisco Internetwork Operating System Software
  IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)
  cisco CISCO7606 (R7000) processor (revision 1.0) with 983008K/65536K bytes of memory.
  Processor board ID FOX092502NB
  SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
  Last reset from power-on
  SuperLAT software (copyright 1990 by Meridian Technology Corp).
  X.25 software, Version 3.0.0.
  Bridging software.
  TN3270 Emulation software.
  228 Virtual Ethernet/IEEE 802.3 interfaces
  124 Gigabit Ethernet/IEEE 802.3 interfaces
  4 Ten Gigabit Ethernet/IEEE 802.3 interfaces
  1917K bytes of non-volatile configuration memory.
  8192K bytes of packet buffer memory.
  65536K bytes of Flash internal SIMM (Sector size 512K).
  Configuration register is 0x2102
  core1#sh mod
  Mod Ports Card Type Model
  1 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX
  2 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX
  3 24 CEF720 24 port 1000mb SFP WS-X6724-SFP
  4 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE
  5 2 Supervisor Engine 720 (Active) WS-SUP720-3B
  6 2 Supervisor Engine 720 (Hot) WS-SUP720-3B
  Mod Sub-Module Model Hw Status
  1 Centralized Forwarding Card WS-F6700-CFC 4.0 Ok
  2 Centralized Forwarding Card WS-F6700-CFC 2.1 Ok
  3 Centralized Forwarding Card WS-F6700-CFC 4.0 Ok
  4 Centralized Forwarding Card WS-F6700-CFC 4.1 Ok
  5 Policy Feature Card 3 WS-F6K-PFC3B 2.1 Ok
  5 MSFC3 Daughterboard WS-SUP720 2.3 Ok
  6 Policy Feature Card 3 WS-F6K-PFC3B 2.3 Ok
  6 MSFC3 Daughterboard WS-SUP720 3.0 Ok
  Based on the specs above, is this box capable of establishing a IPSEC tunnel by applying the crypto map to the SVI???
  Thanks.
  Andy