
Cisco 9300, IPSEC


I read with attention the problems with IP CEF.

I've got a problem, and do not know how to solve it.

Platform:

Cisco IOS XE Software, Version 16.12.01
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.12.1, RELEASE SOFTWARE (fc4)
Technical Support:
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Tue 30-Jul-19 19:26 by mcpre


License: Network Advantage

crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 7800
crypto isakmp key toto address XX.16.YY.250
crypto ipsec transform-set LSI esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map IPSEC 1 ipsec-isakmp
 set peer XX.16.YY.250
 set transform-set LSI
 set pfs group5
 match address trafic_xx
 reverse-route static

ip access-list extended trafic_xx
 50 permit ip any

interface vlan 800
 ip address XX.16.YY.200



sh crypto ipsec sa

remote ident (addr/mask/prot/port): (
current_peer port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: XX.16.YY.200, remote crypto endpt.: XX.16.YY.250
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Vlan800
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:



I try to connect a Mikrotik with IPsec. Traffic is encapsulated from the Mikrotik (xxx.16.yy.250) through the Cisco, and delivered to the network.


But no traffic from PCs connected to my entire network can pass through the IPsec VPN.


sh crypto route

Routes created in table GLOBAL DEFAULT [1/0] via XX.16.YY.250 tag 0 count 1 rtid 115
on Vlan800 RRI S


sh ip cef ...

next hop is not the same as tunnel endpoint.


What's wrong?
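As an added example (not code from the original post), here is a small Python checker that reads "sh crypto ipsec sa" output like the one above and flags the state the post shows: an SA entry for the peer exists, but the outbound SPI is 0x0, no ESP SAs are listed and every packet counter is 0. The embedded sample is constructed with placeholder addresses, since the post masks its own.

```python
import re

# Constructed sample modelled on the "sh crypto ipsec sa" output in the post
# (placeholder addresses, since the post masks its own): the SA entry exists,
# every counter is 0, the outbound SPI is 0x0 and no ESP SAs are listed.
SAMPLE_IDLE = """\
   current_peer 192.0.2.250 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     local crypto endpt.: 192.0.2.200, remote crypto endpt.: 192.0.2.250
     current outbound spi: 0x0(0)

     inbound esp sas:

     outbound esp sas:
"""

def _section_has_spi(text, header):
    """True if the '<header> sas:' section lists at least one 'spi:' entry."""
    m = re.search(header + r" sas:(.*?)(?=\n\s*(?:inbound|outbound) \w+ sas:|\Z)",
                  text, re.S)
    return bool(m and "spi:" in m.group(1))

def parse_ipsec_sa(text):
    """Extract the fields that matter for 'SA entry exists, nothing protected'."""
    grab = lambda pat: re.search(pat, text).group(1)
    return {
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)")),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)")),
        "outbound_spi": grab(r"current outbound spi:\s*(0x[0-9a-fA-F]+)"),
        "inbound_esp": _section_has_spi(text, "inbound esp"),
        "outbound_esp": _section_has_spi(text, "outbound esp"),
    }

def diagnose(text):
    """Return findings explaining why a peer shows no protected traffic."""
    sa = parse_ipsec_sa(text)
    findings = []
    if not (sa["inbound_esp"] and sa["outbound_esp"]) or int(sa["outbound_spi"], 16) == 0:
        findings.append("no ESP SAs negotiated (outbound SPI 0x0): IKE may be up, "
                        "but no traffic has matched the crypto ACL yet")
    elif sa["encaps"] == 0:
        findings.append("ESP SAs exist but 0 packets encapsulated: transit traffic "
                        "is being forwarded by CEF instead of the crypto map")
    if sa["decaps"] == 0:
        findings.append("0 packets decapsulated: nothing arrived from the peer")
    return findings
```

Run `diagnose(SAMPLE_IDLE)` to get the two findings for the idle state; feed it the real output of the switch to check a live peer.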


Cisco 9200: debug ip packet


*Nov 9 03:08:07.780: FIBipv4-packet-proc: route packet from Vlan100 src dst
*Nov 9 03:08:07.780: FIBfwd-proc: packet routed by adj to Vlan900
*Nov 9 03:08:07.780: FIBipv4-packet-proc: packet routing succeeded
*Nov 9 03:08:07.780: IP: tableid=0, s= (Vlan100), d= (Vlan900), routed via FIB
*Nov 9 03:08:07.780: FIBipv4-packet-proc: route packet from (local) src dst
*Nov 9 03:08:07.780: FIBfwd-proc: packet routed by adj to Vlan100
*Nov 9 03:08:07.780: FIBipv4-packet-proc: packet routing succeeded
*Nov 9 03:08:07.781: IP: tableid=0, s= (local), d= (Vlan100), routed via FIB
*Nov 9 03:08:07.781: IP: s= (local), d= (Vlan100), len 56, sending


There's a mistake.



You must be missing something fundamental. In your drawing, the Mikrotik has IP address , and the Cisco?


Also, you posted this earlier:


Routes created in table GLOBAL DEFAULT [1/0] via XX.16.YY.250 tag 0 count 1 rtid 115
on Vlan800 RRI S


Make sure your Mikrotik has IP address

I'm sorry, it is a typo.
Mikrotik has and Cisco

I found that external traffic is routed and not encrypted by the IPsec tunnel.

The Mikrotik needs to have IP address, not 250.

Don't worry about the IP address.
The IPsec tunnel goes up, and from router to router it is possible to ping each other.

It is possible from the Mikrotik LAN to ping the Cisco router's internal address or
the Cisco router's LAN (seen with Wireshark), but no replies come back.

And from the Cisco LAN to the Mikrotik, traffic is not encrypted. It is only
routed (debug ip packet).

Do I have to create a GRE tunnel over IPsec from the Cisco 9200 L3?

Hello,

It is unlikely that a Catalyst switch can support IPsec encryption for user traffic.

You should use a router instead.

The Cat 9300 is missing dedicated hardware for IPsec encryption/decryption, and it might support IPsec just for management traffic (traffic originated by or destined to the switch CPU); that is what you have seen up to now.


Hope to help



I agree. I could not find a single configuration example of site to site VPN support on the Catalyst 9K. There was only mention of SSH for management.


I guess the confusing thing is that the IOS takes all the commands, but there is no support. Maybe Cisco should somehow include warnings when you type a command that is not actually supported...

Mark Sparling

From what it looks like, the **new** Catalyst 9300X series, not the non-X series, has the hardware support for IPsec VPN. I can't find any configuration guide besides using it with OSPF with IPsec.

Thanks for the article. Having the same issue here; it seems like the brand new 9300X supports the IPsec VPN feature.
