
ASR901 support IPsec gdoi

michelbijnsdorp
Level 1

Hi,

I'm trying to set up a GDOI-based IPsec connection between a Cisco ASR901 (advanced Metro lic - asr901-universalk9-mz.152-2.SNI) and a 7606-S.

What I see is that the ASR901 is capable of decrypting the IPsec packet but I cannot encrypt the ICMP packet back, so the question is whether the ASR901 can support IPsec in software. I could not find this in the docs on CCO.

Kind regards, Michel

debug of the encrypted PING arrived from the 7606-s:

000370: *Apr 26 18:43:45.899: crypto_sb_oce_alloc_fwd_handle: created forw_handle=1239A860 using oce=0 type=0 for pak=A7B1AB4, track=12E58E74

000371: *Apr 26 18:43:45.899: Before decryption:

18014A60:                       4500 00AC030F            E..,..

18014A70: 0000FB32 49F10A00 66010101 011EB825  ..{2Iq..f.....8%

18014A80: A53B0000 00018372 5E1FD329 602CBF4D  %;.....r^.S)`,?M

18014A90: 4818F701 690140A2 B108              H.w.i.@"1.       ...

000372: *Apr 26 18:43:45.903: crypto_sb_oce_alloc_fwd_handle: created forw_handle=1239A898 using oce=0 type=0 for pak=1211B368, track=12E58DA0

000373: *Apr 26 18:43:45.903: After decryption:

19C333D0:                   45000064 003C0000          E..d.<..

19C333E0: FF01493D 0A006601 0101011E 08004E13  ..I=..f.......N.

19C333F0: 00380000 00000000 00DF2F20 ABCDABCD  .8......._/ +M+M

19C33400: ABCDABCD ABCDABCD                    +M+M+M+M         ...

000374: *Apr 26 18:43:45.903: post_crypto_ip_decrypt: Data just decrypted, 100 bytes

000375: *Apr 26 18:43:45.903: PostDecrypt: pak cef switch failed

000376: *Apr 26 18:43:45.903: crypto_ceal_post_decrypt_switch: calling process switch

000377: *Apr 26 18:43:45.903: Punt packet to process switch

000378: *Apr 26 18:43:45.907: ICMP: echo reply sent, src 1.1.1.30, dst 10.0.102.1, topology BASE, dscp 0 topoid 0

Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   65  IPsec   AES256                    0        0        0 30.30.30.2
   79  IPsec   AES256                    0        9        0 30.30.30.2
   80  IPsec   AES256                    0        0        0 30.30.30.2
 1003  IKE     SHA+AES256                0        0        0 1.1.1.30
 1004  IKE     SHA+3DES                  0        0        0

901#sh cry en brief

        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  FFFFFFFF      <------------------ ?????????????????
       crypto engine state:  installed
     crypto engine in slot:  N/A
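
Added example, not part of the original post: a Python sketch that rebuilds the bytes from the first lines of the two hex dumps above and decodes the IPv4 header, confirming that the packet arrives as ESP (protocol 50) and decrypts to an ICMP echo request. The function names are illustrative; the dump lines are copied from the debug output in the post.

```python
import ipaddress
import re
import struct

# Dump lines copied from the debug output in the post (headers only).
BEFORE = """\
18014A60:                       4500 00AC030F            E..,..
18014A70: 0000FB32 49F10A00 66010101 011EB825  ..{2Iq..f.....8%
18014A80: A53B0000 00018372 5E1FD329 602CBF4D  %;.....r^.S)`,?M
"""
AFTER = """\
19C333D0:                   45000064 003C0000          E..d.<..
19C333E0: FF01493D 0A006601 0101011E 08004E13  ..I=..f.......N.
"""
HEX_WORD = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
PROTOCOLS = {1: "ICMP", 50: "ESP"}

def dump_to_bytes(dump):
    """Rebuild packet bytes from 'ADDR: hex words  ascii' dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        for word in line.partition(":")[2].split():
            # Assumption: the ASCII column starts at the first non-hex token.
            if not HEX_WORD.match(word):
                break
            out += bytes.fromhex(word)
    return bytes(out)

def checksum_ok(header):
    """One's-complement sum over a valid IPv4 header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_ipv4(pkt):
    """Decode the IPv4 header and the first ESP or ICMP fields after it."""
    ver_ihl, _, length, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"length": length, "ttl": ttl, "proto": PROTOCOLS.get(proto, str(proto)),
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "checksum_ok": checksum_ok(pkt[:ihl])}
    body = pkt[ihl:]
    if proto == 50 and len(body) >= 8:      # ESP: SPI then sequence number
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
    elif proto == 1 and len(body) >= 2:     # ICMP: type then code
        info["icmp_type"], info["icmp_code"] = body[0], body[1]
    return info
```

Both decoded headers carry the same source and destination addresses, and the decrypted packet's total length of 100 matches the "Data just decrypted, 100 bytes" debug line.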


olpeleri
Cisco Employee

Hello,

If you select Group Encrypted VPN (GETVPN) as the technology in the Feature Navigator, the ASR901 is not listed as a supported platform.

The CLI might be enabled but there is no crypto accelerator.

Cheers,