01-31-2021 03:00 AM - last edited on 09-18-2022 10:28 PM by Translator
I am wondering why I cannot find a command option for
tunnel mode ipsec ipv4
while I set up a simple IPsec tunnel? Can anyone help? Thank you.

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 41    C9300-24P          16.12.4           CAT9K_IOSXE           INSTALL

Technology Package License Information:
------------------------------------------------------------------------------
Technology-package                                     Technology-package
Current                        Type                       Next reboot
------------------------------------------------------------------------------
network-advantage       Smart License                    network-advantage

9300-2(config-if)#tunnel mode ?
  gre            generic route encapsulation protocol
  mpls           MPLS encapsulations
  sdwan          SDWAN Overlay
  tag-switching  IP over Tag Switching encapsulation

crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 30000
crypto isakmp key xxxxxxx address 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set vpn-transformset esp-aes 256 esp-sha256-hmac
 mode tunnel
!
!
crypto ipsec profile vpn-VTI
 set transform-set vpn-transformset
!
!
!
interface Tunnel0
 ip address x.x.x.x 255.255.255.0
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel protection ipsec profile vpn-VTI
end

Accepted Solutions
02-01-2021 02:37 AM
Hello @Yamen Yip,
I don't think that IPSEC tunnels are supported in a Catalyst switch like C9300.
The commands can be present in the CLI parser, but the device lacks a hardware-based encryption / decryption engine for IPSec, and so it should not be able to put user traffic over it.
There have been other similar threads; the issue is that the IOS XE CLI is so "unified" that it allows you to issue commands not supported on this specific platform.
You will need a router for this.
Hope to help
Giuseppe
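
A pre-deployment check for the situation discussed in this thread, as an added example that is not part of the original posts and is not Cisco tooling: it parses captured `tunnel mode ?` context help and flags tunnel interfaces that carry `tunnel protection ipsec` on a platform whose parser offers no `ipsec` tunnel mode. The function names and the embedded sample text (constructed from the output in the question, with a hypothetical Tunnel1 added) are assumptions.

```python
import re

# Constructed sample input, modelled on the help output and config in the question.
HELP_OUTPUT = """\
9300-2(config-if)#tunnel mode ?
  gre            generic route encapsulation protocol
  mpls           MPLS encapsulations
  sdwan          SDWAN Overlay
  tag-switching  IP over Tag Switching encapsulation
"""
CONFIG = """\
crypto ipsec profile vpn-VTI
 set transform-set vpn-transformset
interface Tunnel0
 tunnel destination x.x.x.x
 tunnel protection ipsec profile vpn-VTI
interface Tunnel1
 tunnel destination x.x.x.x
"""

def offered_modes(help_text):
    """Keywords listed by context help: indented 'keyword  description' lines."""
    return {m.group(1) for m in re.finditer(r"^[ \t]+(\S+)[ \t]{2,}\S", help_text, re.M)}

def protected_tunnels(config):
    """Map each tunnel interface that has 'tunnel protection ipsec' to its profile."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command closes the interface block
            m = re.match(r"interface (Tunnel\d+)", line)
            current = m.group(1) if m else None
        elif current:
            m = re.match(r"\s+tunnel protection ipsec profile (\S+)", line)
            if m:
                tunnels[current] = m.group(1)
    return tunnels

def audit(help_text, config):
    """Return findings to verify by hand; parser acceptance is not platform support."""
    modes = offered_modes(help_text)
    profiles = set(re.findall(r"^crypto ipsec profile (\S+)", config, re.M))
    findings = []
    for name, profile in protected_tunnels(config).items():
        if profile not in profiles:
            findings.append(f"{name}: IPsec profile {profile} is not defined")
        if "ipsec" not in modes:
            findings.append(f"{name}: no 'ipsec' tunnel mode offered, confirm platform IPsec support")
    return findings
```

Running `audit(HELP_OUTPUT, CONFIG)` on the sample returns one finding for Tunnel0; an empty list only means the two checks passed, not that traffic is encrypted.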
01-21-2022 07:38 AM
Hi,
I was thinking like you, but reading the C9300 datasheet, we can see that it may be supported:
IPSec encryption delivers secure end-to-end encrypted traffic between sites and connectivity to the Cloud. C9300X models support line rate IPSEC up to 100 Gbps delivering uncompromised secure connectivity.
So, I really want to know if it is supported or not!
Regards.
Philippe Hermoso
01-21-2022 11:39 PM
> ...So, I really want to know if it is supported or not!
- I don't think so; attached you will find the output of the feature navigator https://cfnng.cisco.com/browse/routing/features
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
09-14-2022 09:48 AM
This is the point!
04-13-2022 10:00 AM - last edited on 09-18-2022 10:30 PM by Translator
The
tunnel mode ipsec IPv4
command does not exist on the SW-C9300. In the "transform set", configure it in tunnel mode as you did; on the interface, put
tunnel mode GRE IP
and your traffic will be encrypted.
Sorry for my bad English.
03-02-2023 02:04 AM - edited 03-02-2023 02:05 AM
You dip stick, never apologise for this.
Your English is infinitely better than my - any other language, because I do not have one.
