GRE over IPSEC with Encryption module

ssweehinlew
Level 1

To configure the GRE tunnel over IPSEC with OSPF via Encryption module from Cisco Router 3845, I have a few queries:

1. Does the router 3845 support hot swap for the encryption module?

2. Does the router need to be rebooted after plugging in the encryption module?

3. Any sample configuration for GRE tunnel over IPSEC?

Accepted Solutions

Hi,

The Cisco 3845 and 3845-NOVPN routers support online insertion and removal (OIR, or hot swap) of network modules. Remember that these 3845 and 3845-NOVPN routers support OIR with similar modules only. If you remove a network module, along with any installed WAN or voice interface cards, install another module and card combination exactly like it.

The link below may help you with a sample config for GRE over IPSec with OSPF.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml


Please rate the helpful posts.
Regards,
Naidu.


paolo bevilacqua
Hall of Fame

1 no

2 yes

3 plenty on cisco.com, just use search box.

Note, adding an encryption module is not needed. The 3845 already has one embedded on the motherboard.

The Cisco 3845 and 3845-NOVPN routers support online insertion and removal (OIR, or hot swap) of network modules. Remember that these 3845 and 3845-NOVPN routers support OIR with similar modules only. If you remove a network module, along with any installed WAN or voice interface cards, install another module and card combination exactly like it.

Correct; however, OP has specifically asked about OIR for encryption modules. Since optional encryption modules are AIM and not NM, the answer is NO.

Want to reduce the CPU utilization, so adding in the encryption module.

As mentioned above already: ISR routers have an embedded encryption module and do not use CPU for the task.

Please remember to rate useful posts clicking on the stars below.

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind.   Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

The 3845's base crypto module, if I recall correctly, doesn't offer quite as much performance as the optional crypto module, but I would be surprised if you're doing that much crypto that you need the extra capacity.

You may want to post your processor utilization (sorted).

As to reducing CPU load, have you used ip tcp mss-adjust to help your router avoid needing to deal with fragmented packets for TCP?

Hi,

The whole idea behind having an additional VPN encryption module is to not affect the actual CPU load.
As above, these routers have a separate embedded encryption module and do not use the actual device CPU for the task.


Please rate the helpful posts.
Regards,
Naidu.

ssweehinlew
Level 1

Hi, Thank you for all the replies.

For the command as shown below, is the address Peer_address the same as the tunnel destination Peer_Physical_Interface_IP_Address?

crypto isakmp key 6 PresharedKey address Peer_address
crypto IPsec profile toRemote
interface Tunnel0
 tunnel source Physical_Interface_IP_address
 tunnel destination Peer_Physical_Interface_IP_Address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile toRemote

Hi,

Yes, it's the peer's physical internet IP address, which is routable but not routed out of the tunnel interface itself.

HTH,

Toshi
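
Added example, not code from any poster in this thread: a Python check that every interface carrying `tunnel protection` has a `crypto isakmp key ... address` entry covering its `tunnel destination`, which is the match confirmed in the answer above. It assumes IPv4 peers and pre-shared keys defined globally with `crypto isakmp key` (no keyrings or certificates); the status names and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: documentation addresses and a placeholder key, not from the thread.
SAMPLE_CONFIG = """\
crypto isakmp key 6 PLACEHOLDER address 198.51.100.2
crypto isakmp key 6 PLACEHOLDER address 203.0.113.0 255.255.255.0
interface Tunnel0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile toRemote
interface Tunnel1
 tunnel destination 203.0.113.9
 tunnel protection ipsec profile toRemote
interface Tunnel2
 tunnel destination 192.0.2.200
 tunnel protection ipsec profile toRemote
"""
KEY_RE = re.compile(
    r"crypto isakmp key (?:[06] )?\S+ address ([\d.]+)(?: ([\d.]+))?(?: no-xauth)?")

def audit(config):
    """Map each protected tunnel to host-key, range-key, no-key or unresolved."""
    keys, dest, protected, cur = [], {}, set(), None
    for raw in config.splitlines():
        words, m = raw.split(), KEY_RE.fullmatch(raw.strip())
        if m:  # a key entry with no mask applies to a single host (/32)
            mask = m[2] or "255.255.255.255"
            keys.append(ipaddress.ip_network(f"{m[1]}/{mask}", strict=False))
        elif raw[:1] != " ":  # top-level line: enter or leave an interface block
            cur = words[1] if words[:1] == ["interface"] and len(words) == 2 else None
        elif cur and words[:2] == ["tunnel", "destination"]:
            dest[cur] = words[-1]
        elif cur and words[:3] == ["tunnel", "protection", "ipsec"]:
            protected.add(cur)
    report = {}
    for name in sorted(protected):
        try:
            peer = ipaddress.ip_address(dest.get(name, ""))
        except ValueError:  # destination missing or given as a hostname
            report[name] = "unresolved"
            continue
        hits = [k.prefixlen for k in keys if peer in k]
        report[name] = "host-key" if 32 in hits else "range-key" if hits else "no-key"
    return report

print(audit(SAMPLE_CONFIG))
```

A `range-key` result means the tunnel peer is only covered by a masked entry (including `0.0.0.0 0.0.0.0`), so the same pre-shared key is accepted from every address in that range.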
