WAN interface is not getting DHCP address if crypto ipsec profile enable

rec stalmaski
Level 1

I ran into a situation wherein a branch router was configured to connect to a WAN DHCP-based ISP. This branch router is using IPsec to protect traffic towards HQ.

This is my first encounter, and my observation was: if the crypto profile is configured on the WAN interface, it will not obtain an IP address from DHCP, but after I remove the crypto it obtains a DHCP IP address, and then I need to put the crypto profile back. My concern is what happens if in future the router is rebooted with the crypto profile present on the interface; then it wouldn't get an IP address unless the profile was removed, and after obtaining the IP again I would need to manually put the profile back. Has anyone of you guys run into a situation like this before?

!
WAN <interface>
 ip address dhcp
 tunnel mode ipsec ipv4
 tunnel source LoopbackX
 tunnel protection ipsec profile Branch-IPSEC
!

3 Replies

nagasheshu2010
Level 1

We have done the same configuration on a CISCO891-K9 router with IOS version C890 Software (C890-UNIVERSALK9-M), Version 15.2(3)T1, RELEASE SOFTWARE (fc1).

We have had no issues; we already had the crypto config under the interface and then we added the ip address dhcp command. The interface picked up an IP address and crypto came up after that.

Not sure if it is IOS dependent. What device and IOS are you on?

Regards,

Sheshu.

Hi Nagesh,

I am using a CISCO1941/K9 and have tried both Version 15.2(4) and SPA.153-3.M but am getting the same result. I will test on another hardware model once I have one available.

I attached the test which I am using. My assumption is that once the interface has a crypto profile, it should be encrypted and will not receive the broadcast response from the DHCP-based device. However, as per your response, it tested good from your end. Maybe I am missing something?

I believe that the issue here is that when you use tunnel protection ipsec profile, it treats all traffic going through the interface as traffic to encrypt, including your DHCP traffic. I believe that this feature is intended to be used on tunnel interfaces and not on the physical interface.

The original post indicates that the intent is that the branch will encrypt traffic to HQ. But with this config on the physical interface it will encrypt all traffic. The solution would be to configure a tunnel to carry traffic to HQ and put the IPsec profile on the tunnel.

HTH

Rick
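The split Rick describes, laid out as an IOS configuration. This is an added example, not a config from the thread; the interface names, the HQ address, the VTI addressing, the HQ prefix and the ISAKMP/IPsec parameters are all assumptions, and only the profile name Branch-IPSEC comes from the original post.

```cisco
! Added example, not from the thread. Interface names, the HQ address
! (203.0.113.1), the tunnel addressing and the crypto parameters are assumed.
!
! Phase 1 / Phase 2 policy (assumed values; reuse what the branch already has)
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 203.0.113.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile Branch-IPSEC
 set transform-set TS-AES
!
! Physical WAN interface: only the DHCP client lives here, with no tunnel or
! crypto commands, so the DHCP discover/offer exchange is never subject to IPsec.
interface GigabitEthernet0/0
 description WAN to ISP (DHCP-assigned address)
 ip address dhcp
 no shutdown
!
! Virtual tunnel interface carrying only HQ-bound traffic. The tunnel source is
! the WAN interface itself, so the IPsec SA uses whatever address DHCP hands out
! after a reboot; a loopback source would not follow the lease.
interface Tunnel0
 description IPsec VTI to HQ
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Branch-IPSEC
!
! Only the HQ prefix (assumed 10.0.0.0/8) is steered into the tunnel; everything
! else, including DHCP renewals, follows the default route learned from DHCP.
ip route 10.0.0.0 255.0.0.0 Tunnel0
```

After a reload, `show ip interface brief` should show the DHCP address on GigabitEthernet0/0 before `show crypto session` reports the SA to 203.0.113.1 as UP-ACTIVE; if the WAN interface still shows unassigned, check that no tunnel or crypto commands remain under it.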