08-08-2010 12:44 AM - edited 03-06-2019 12:22 PM
When I read the Cisco documentation, it contains these words:
"!--- You must enable process switching for IPsec
!--- to encrypt outgoing packets."
Example:
interface Ethernet1
ip address 10.1.4.1 255.255.255.0
no ip route-cache
I did a test. The IPsec VPN works well when I don't use the command "no ip route-cache".
Must this interface be in "process switching" mode for IPsec VPN?
08-08-2010 12:53 AM
Hello,
Can you please post the link to the document that specifies that you need to
enable process switching for IPSec VPN to work? In earlier versions of the
hardware/IOS, the encryption was done in software and hence the fast
switching of the packets was not supported. In the latest IOS images, the
feature was introduced to support CEF switching for VPN traffic.
Hope this helps.
Regards,
NT
08-10-2010 12:22 PM
Hi Zhiwei,
The interface does not require process switching in order to allow IPSec functionality, and should remain CEF enabled to achieve the best possible performance.
IPSec has been supported in the CEF path for some time. You may come across similar requirements regarding CEF support in older documents, where CEF wasn't fully integrated with all of the features of IOS. However, with all modern code and platforms, as a general rule of thumb, we should always enable CEF switching. The only time we should ever disable CEF is for advanced troubleshooting requiring packet inspection and analysis.
-Alex