IPSEC w/ 2 FCIP tunnels using a single gigE port

cdayton
Level 1

A gig1/1 interface on a 9216i is servicing 2 FCIP tunnels (port 3225 & 3737) from 2 other 9216i switches. The FCIP ISL connecting to port 3225 has IPSEC configured and is working (trunking). The FCIP ISL connecting to port 3737 was trunking prior to configuring IPSEC for it, but with IPSEC configured it is now broken. Looking through the IPSEC troubleshooting section, I'm not seeing any conflicting IPSEC/IKE parameters.

Is it possible to have IPSEC services working for 2 FCIP ISLs connecting to a single gig port? If so, I'm at a loss on how to properly configure it.

Thanks, Craig

5 Replies

tblancha
Cisco Employee

Since you can only have one crypto map domain per physical interface, you will need to have the access-list for both remote FCIP endpoints in the ACL. With that one IPSEC crypto map, all FCIP tunnels terminating on that interface will be IPSEC enabled. And so, in your case, all 3 switches need to be IPSEC enabled with the same keys and correct ACLs.

Understand, and that is the case: there is only one crypto map assigned with the appropriate ACL, but still the connection using port 3737 will not establish. Here is the cmap definition.

Crypto Map "cmap30" 10 ipsec
Peer = 211.175.105.69
IP ACL = acl30
permit ip 87.61.121.2 255.255.255.255 211.175.105.69 255.255.255.255
permit ip 87.16.121.2 255.255.255.255 211.175.105.85 255.255.255.255
Transform-sets: tfs30,
Security Association Lifetime: 450 gigabytes*/3600 seconds*
(* global configuration value)
PFS (Y/N): Y
PFS Group: group5

Crypto Map "cmap30" 20 ipsec
Peer = 211175.105.85
IP ACL = acl30
permit ip 87.61.121.2 255.255.255.255 211.175.105.69 255.255.255.255
permit ip 87.16.121.2 255.255.255.255 211.175.105.85 255.255.255.255
Transform-sets: tfs30,
Security Association Lifetime: 450 gigabytes*/3600 seconds*
(* global configuration value)
PFS (Y/N): Y
PFS Group: group5

Interface using crypto map set cmap30:
GigabitEthernet1/1
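As an added example (not from this thread and not Cisco's own tooling), a small Python checker for the kind of "show crypto map" output quoted above. It parses the peers and ACL entries and reports the consistency problems that tblancha's point about one crypto map per physical interface implies must be avoided: a peer address that does not parse, a peer with no ACL entry, an ACL destination that is not a peer, and ACL entries whose local source addresses differ even though one physical interface carries one address. The sample input is the output quoted above, copied as posted; the finding strings and function names are this example's own.

```python
import re
from ipaddress import ip_address

# Sample input: the "show crypto map" output quoted in this thread, copied as posted.
SHOW_CRYPTO_MAP = """\
Crypto Map "cmap30" 10 ipsec
Peer = 211.175.105.69
IP ACL = acl30
permit ip 87.61.121.2 255.255.255.255 211.175.105.69 255.255.255.255
permit ip 87.16.121.2 255.255.255.255 211.175.105.85 255.255.255.255
Crypto Map "cmap30" 20 ipsec
Peer = 211175.105.85
IP ACL = acl30
permit ip 87.61.121.2 255.255.255.255 211.175.105.69 255.255.255.255
permit ip 87.16.121.2 255.255.255.255 211.175.105.85 255.255.255.255
Interface using crypto map set cmap30:
GigabitEthernet1/1
"""

PEER_RE = re.compile(r"^Peer = (\S+)\s*$", re.M)
PERMIT_RE = re.compile(r"^permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)

def parse_crypto_map(text):
    peers = PEER_RE.findall(text)
    # The same ACL is printed once per map entry; a set removes the repeats.
    permits = sorted(set(PERMIT_RE.findall(text)))
    return peers, permits

def check_crypto_map(text):
    """Consistency findings for one crypto map set bound to one physical port."""
    peers, permits = parse_crypto_map(text)
    findings = []
    valid_peers = set()
    for p in peers:
        try:
            ip_address(p)
            valid_peers.add(p)
        except ValueError:
            findings.append(f"peer '{p}' is not a valid IP address")
    dests = {d for _, _, d, _ in permits}
    for p in sorted(valid_peers - dests):
        findings.append(f"peer {p} has no permit entry in the ACL")
    for s, _, d, _ in permits:
        if d not in valid_peers:
            findings.append(f"ACL destination {d} is not a crypto map peer")
    # One physical interface has one address, so all entries should share a local source.
    sources = sorted({s for s, _, _, _ in permits})
    if len(sources) > 1:
        findings.append(f"ACL entries use {len(sources)} different local sources: {', '.join(sources)}")
    return findings
```

Run against the quoted output, the checker reports three findings; whether each one is a copy error in the post or a real difference on the switch is something only the switch configuration can settle.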

Yes, I was able to get this up. So, from here, it might be best to open a TAC case or work with OSM support and upload all 3 show tech details. Or you can upload all 3 here to the NetPro.

Okay, I'll open a TAC case.

We might just decide to use the unused gig1/2 interface too. Just trying to save $ on a fibre run since the switch is located at a co-hosted site.

Thanks, Craig

It's my understanding that one must use sub-interfaces on a shared GE interface for IPSEC to work correctly. A different crypto map will get assigned to each sub-interface. Ethernet trunking must be enabled too.

This solution has not been attempted yet.
