04-26-2013 05:29 AM - edited 02-21-2020 06:51 PM
Hi,
I'm trying to set up a GDOI-based IPsec connection between a Cisco ASR901 (advanced Metro lic - asr901-universalk9-mz.152-2.SNI) and a 7606-S.
What I see is that the ASR901 is capable of decrypting the IPsec packet but I cannot encrypt the ICMP packet back, so the question is whether the ASR901
can support IPsec in software. I could not find this in the docs on CCO.
Kind regards, Michel
Debug of the encrypted ping that arrived from the 7606-S:
000370: *Apr 26 18:43:45.899: crypto_sb_oce_alloc_fwd_handle: created forw_handle=1239A860 using oce=0 type=0 for pak=A7B1AB4, track=12E58E74
000371: *Apr 26 18:43:45.899: Before decryption:
18014A60: 4500 00AC030F E..,..
18014A70: 0000FB32 49F10A00 66010101 011EB825 ..{2Iq..f.....8%
18014A80: A53B0000 00018372 5E1FD329 602CBF4D %;.....r^.S)`,?M
18014A90: 4818F701 690140A2 B108
. ...
000372: *Apr 26 18:43:45.903: crypto_sb_oce_alloc_fwd_handle: created forw_handle=1239A898 using oce=0 type=0 for pak=1211B368, track=12E58DA0
000373: *Apr 26 18:43:45.903: After decryption:
19C333D0: 45000064 003C0000 E..d.<..
19C333E0: FF01493D 0A006601 0101011E 08004E13 ..I=..f.......N.
19C333F0: 00380000 00000000 00DF2F20 ABCDABCD .8......._/ +M+M
19C33400: ABCDABCD ABCDABCD +M+M+M+M ...
000374: *Apr 26 18:43:45.903: post_crypto_ip_decrypt: Data just decrypted, 100 bytes
000375: *Apr 26 18:43:45.903: PostDecrypt: pak cef switch failed
000376: *Apr 26 18:43:45.903: crypto_ceal_post_decrypt_switch: calling process switch
000377: *Apr 26 18:43:45.903: Punt packet to process switch
000378: *Apr 26 18:43:45.907: ICMP: echo reply sent, src 1.1.1.30, dst 10.0.102.1, topology BASE, dscp 0 topoid 0
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
65 IPsec AES256 0 0 0 30.30.30.2
79 IPsec AES256 0 9 0 30.30.30.2
80 IPsec AES256 0 0 0 30.30.30.2
1003 IKE SHA+AES256 0 0 0 1.1.1.30
1004 IKE SHA+3DES 0 0 0
901#sh cry en brief
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: FFFFFFFF <------------------ ?????????????????
crypto engine state: installed
crypto engine in slot: N/A
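Decoding the two hex dumps from the debug output above, as an added example that is not part of the original posts: it parses the IPv4 header before and after decryption, verifies the header checksum, and shows that the ESP packet carries the same source and destination as the decrypted ICMP echo request (GETVPN preserves the original IP header). The hex strings are copied from the dumps with the address and ASCII columns dropped; the function names are this example's own.

```python
import struct
from ipaddress import IPv4Address

# Hex words copied from the "Before decryption" / "After decryption" dumps above.
BEFORE = "4500 00AC030F 0000FB32 49F10A00 66010101 011EB825 A53B0000 00018372"
AFTER = "45000064 003C0000 FF01493D 0A006601 0101011E 08004E13"

PROTO = {1: "ICMP", 50: "ESP"}


def checksum_ok(header: bytes) -> bool:
    """RFC 791: the one's-complement sum of all header words must be 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse(dump: str) -> dict:
    """Decode the IPv4 header and the first bytes of the payload."""
    raw = bytes.fromhex("".join(dump.split()))
    ver_ihl, _tos, length, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "length": length, "ttl": ttl, "proto": PROTO.get(proto, str(proto)),
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "checksum_ok": checksum_ok(raw[:ihl]),
    }
    payload = raw[ihl:]
    if proto == 50 and len(payload) >= 8:      # ESP: SPI + sequence number
        info["spi"], info["seq"] = struct.unpack("!II", payload[:8])
    elif proto == 1 and len(payload) >= 2:     # ICMP: type + code
        info["icmp_type"], info["icmp_code"] = payload[0], payload[1]
    return info


def header_preserved(outer: dict, inner: dict) -> bool:
    """True when the encrypted packet keeps the inner packet's addresses."""
    return (outer["src"], outer["dst"]) == (inner["src"], inner["dst"])


if __name__ == "__main__":
    outer, inner = parse(BEFORE), parse(AFTER)
    print("before:", outer)
    print("after: ", inner)
    print("addresses preserved:", header_preserved(outer, inner))
```

The decoded inner packet is a 100-byte ICMP echo request from 10.0.102.1 to 1.1.1.30, which matches the "Data just decrypted, 100 bytes" line and the reversed addresses in the "echo reply sent" line.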
04-26-2013 06:14 AM
Hello,
If you select Group Encrypted VPN (GETVPN) as the technology in the Feature Navigator, the ASR901 is not listed as a supported platform.
The CLI might be enabled but there is no crypto accelerator.
Cheers,