Solved: Cisco 8200 Router - crypto isakmp policy command missing - IPSEC VPN

dlauterbach · ‎08-29-2023

I have a new Cisco 8200 Router and I am trying to implement IPSEC tunnel and do not see the correct options available. Below are the only options:

crypto ?
RSA-key-pair RSA key pair
key Long term key operations
pki Public Key components
provisioning Secure Device Provisioning
wui Crypto HTTP configuration interfaces

Here is the Show Ver

Cisco IOS XE Software, Version 17.06.01a
Cisco IOS Software [Bengaluru], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.1a, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Sat 21-Aug-21 03:27 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2021 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: 17.6(6r)

M-USWPB-WR01-C8200 uptime is 3 days, 21 hours, 53 minutes
Uptime for this control processor is 3 days, 21 hours, 54 minutes
System returned to ROM by PowerOn
System restarted at 10:27:03 EDT Fri Aug 25 2023
System image file is "bootflash:c8000be-universalk9.17.06.01a.SPA.bin"
Last reload reason: PowerOn

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Technology Package License Information:

-----------------------------------------------------------------
Technology Type Technology-package Technology-package
Current Next Reboot
-----------------------------------------------------------------
Smart License Perpetual None None
Smart License Subscription None None

The current crypto throughput level is 250000 kbps

Smart Licensing Status: Registration Not Applicable/Not Applicable

cisco C8200-1N-4T (1RU) processor with 3747220K/6147K bytes of memory.
Processor board ID FJC27201L9W
Router operating mode: Autonomous
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
7573503K bytes of flash memory at bootflash:.
15253504K bytes of M.2 USB at harddisk:.

Configuration register is 0x2102

What am I missing?

Thanks in advance for the assistance!

Rob Ingram · ‎08-29-2023

@dlauterbach have you correctly enabled licensing on the router?

https://www.cisco.com/c/en/us/td/docs/routers/cloud_edge/c8300/software_config/cat8300swcfg-xe-17-book/m-available-licenses.html

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/217047-enable-license-boot-level-and-addon-on-c.html

View solution in original post

Rob Ingram · ‎08-29-2023

@dlauterbach have you correctly enabled licensing on the router?

https://www.cisco.com/c/en/us/td/docs/routers/cloud_edge/c8300/software_config/cat8300swcfg-xe-17-book/m-available-licenses.html

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/217047-enable-license-boot-level-and-addon-on-c.html

dlauterbach · ‎08-29-2023

Thank you Rob that was the issue! Appreciate the assistance!

YetinayetBitew87488 · ‎10-04-2023

Hi @Rob Ingram

Thanks for your reply. I tried to go over the documents but i don't exactly understand what i should do. Would you please let me know the exact thing i should do? Attached is what i see on my router...I appreciate your fast response, thanks alot

gajownik · ‎10-04-2023

Which image did you install on the router? Please make sure that you don't have universalk9_npe as NPE images (No Payload Encryption) don't support crypto functions.

YetinayetBitew87488 · ‎10-04-2023

Hi @gajownik

Thanks for the reply.

------------------ show version ------------------

Cisco IOS XE Software, Version 17.06.03a
Cisco IOS Software [Bengaluru], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9_NPE-M), Version 17.6.3a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Fri 08-Apr-22 04:52 by mcpre

It seems my image is NPE. Is installing another image my only option? if so, What image should i use please? Thanks.

gajownik · ‎10-04-2023

Yes, installing a proper image without _npe suffix is the only way to enable IPsec on this router.

I can't recommend any specific image version, but I would suggest using images with extended support as they have most of the bug fixes and are much longer supported by TAC and development team:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-16/bulletin-c25-2378701.html

You can also try images which are suggested on the download page - they have a star next to the image version. You can find images for your platform here:
https://software.cisco.com/download/home/286327716/type/282046477/

YetinayetBitew87488 · ‎10-04-2023

Noted. Thanks very much. You are a life saver!

YetinayetBitew87488 · ‎10-04-2023

Hi @dlauterbach

Would you please let me know how you sorted out your issue? I ran in to the same problem just now. Your fast response is appreciated. Thanks alot.