Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
435
Views
0
Helpful
1
Replies

IOS12.2(33)SXI12 on Cat6500/Sup720/MSFC3 falsely claims HW does not support AH+ESP

Juergen Meier
Level 1
Level 1

‎10-17-2013 11:09 PM - edited ‎03-07-2019 04:06 PM

Hello,

Having a Cat6500-E with SUP720/MSFC3 and a 7600-SSC-400 with two SPA-IPSEC-2G crypto cards.

The old IOS (12.2(18)SXF8, old but stable) was working for years with crypto transform set of AH and ESP

     crypto ipsec transform-set myts ah-sha-hmac esp-aes 256

perfectly well with HW acceleration (tested thouroughly, over several years).

(Note that 15.2 does not support the SSC and SPA at all.)

The Safe Harbor IOS12.2(33)SXI12 claims (and refuses to accept) the combination of AH with ESP is not supported by the Hardware:

router(config)#crypto ipsec transform-set myts ah-sha-hmac esp-aes 256

Any combination of ESP and AH transform-set is not

supported by current hardware crypto engine.

The transform-set configuration will not be saved.

Please configure a valid transform-set.

which is false since the same hardware was doing just that for years.

This is a bit of a problem since AH with HMAC is the only way to detect tampering of the IPSEC packets transport headers!

Using ESP with HMAC (transform set ... esp-aes 256 esp-sha-hmac) is not a sufficient alternative because the HMAC only protects the payload (content of the EPS packet) - not the transport packet.

The crypto engine hardware does support AH+ESP, as proven with the old IOS and >1 GBps IPSEC throughput for real-life traffic.

Labels:
0 Helpful
1 Reply 1

Richard Burts
Hall of Fame
Hall of Fame

‎10-21-2013 05:56 AM

If it did work on one version of software and does not work on this version of software then it is pretty clear proof that it is not really a limitation of the hardware. It sounds like that in the development process for this software that someone made a decision that they would not support the combination of ESP and AH. The best way to resolve this would be through a case with Cisco TAC. Failing that is there another version of software you could run that does support the combination?

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card