02-04-2020 12:56 AM - edited 02-21-2020 09:51 PM
Dear Concern,
Presently we have configured GRE tunnels on my switch 3650-48-TS from my HO site to Remote site-A and site-B; both the tunnels are working fine.
Last week we shifted GRE to IPsec over GRE on my Cisco 3650-48-TS switch with IOS version 16.3.3 on the VIP interface (using HSRP) but are facing a problem while establishing both the tunnels simultaneously.
ACLs are created with the keyword any
permit 172.16.1.0 0.0.0.255 any
We have created multiple ACLs for both remote sites and separate ISAKMP policies called in the same crypto map.
While establishing the tunnel, phase 2 creation creates a problem.
Currently we are able to communicate with one site at a time.
Kindly find attached diagram
Your opinion and suggestion on whether my hardware device (Cisco switch 3650) with the current IOS supports the scenario or not.
Regards
02-08-2020 11:25 PM
Hi Muhammad,
If both VPNs contain the same interesting traffic (crypto map ACL: permit 172.16.1.0 0.0.0.255 any), it is normal that only one VPN would be up at a time.
It would mean that the interesting traffic will be overlapping on both crypto maps and only one will take over.
Workaround: Define the remote networks on the crypto ACLs instead of using "any" as destination.
For further t-shooting we would need debugs to determine why the VPN would not come up:
debug crypto isakmp
debug crypto ipsec
Rate if it helps.
Regards,
Josue Brenes
TAC - VPN Engineer.
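The overlap described in the reply above can be checked before a crypto map is applied. The following is an added example, not part of any post in this thread: a small Python check that parses crypto ACL permit lines and reports peers whose interesting traffic overlaps. The function names, the peer labels and the 192.0.2.x remote networks are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

ANY = ipaddress.ip_network("0.0.0.0/0")

def _endpoint(tok):
    """Consume one ACL endpoint (any | host A | A WILDCARD) from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wild = int(ipaddress.ip_address(tok.pop(0)))
    if wild & (wild + 1):  # only contiguous wildcards map to a prefix
        raise ValueError("non-contiguous wildcard mask")
    return ipaddress.ip_network(f"{first}/{32 - wild.bit_length()}", strict=False)

def parse_entry(line):
    """Return (source, destination) networks for a 'permit' crypto ACL line."""
    tok = line.split()
    if tok.pop(0) != "permit":
        raise ValueError("only permit entries select traffic for encryption")
    if tok[0] == "ip":  # protocol keyword is optional in this parser
        tok.pop(0)
    return _endpoint(tok), _endpoint(tok)

def overlapping_peers(crypto_acls):
    """crypto_acls: {peer name: [ACL lines]} -> list of conflicting peer pairs."""
    parsed = {p: [parse_entry(l) for l in lines] for p, lines in crypto_acls.items()}
    conflicts = []
    for a, b in combinations(parsed, 2):
        # Two entries collide when both source and destination ranges intersect.
        if any(s1.overlaps(s2) and d1.overlaps(d2)
               for s1, d1 in parsed[a] for s2, d2 in parsed[b]):
            conflicts.append((a, b))
    return conflicts

# Constructed sample: the ACL line from the thread, used for both sites.
AS_POSTED = {"site-A": ["permit 172.16.1.0 0.0.0.255 any"],
             "site-B": ["permit 172.16.1.0 0.0.0.255 any"]}
# Constructed sample: the workaround, with placeholder remote networks.
WORKAROUND = {"site-A": ["permit ip 172.16.1.0 0.0.0.255 192.0.2.0 0.0.0.127"],
              "site-B": ["permit ip 172.16.1.0 0.0.0.255 192.0.2.128 0.0.0.127"]}

if __name__ == "__main__":
    print(overlapping_peers(AS_POSTED))
    print(overlapping_peers(WORKAROUND))
```

The wildcard mask is converted by hand because Python's `ipaddress` module reads an ambiguous mask such as `0.0.0.0` as a netmask rather than a wildcard.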
02-11-2020 10:51 PM
04-26-2023 12:17 PM
Hi Muhammad,
I have a similar requirement of creating a GRE tunnel protected with IPSec between two C3650 running on IOS 16.6.7-ipservicesk9.
I am able to configure the tunnel and it is up and it is passing traffic. Tunnel interface does not show any in/out packets. crypto ipsec is also not showing any encaps/decaps so I am not sure if the switch is encrypting anything.
Do you know if IPSec is supported on C3650?
04-27-2023 06:34 PM
Hello S Kumar,
Check the unsupported features section :
Release Notes for Cisco Catalyst 3650 Series Switches, Cisco IOS XE Everest 16.6.x - Cisco
HTH!
04-28-2023 06:05 PM
Hey Amine,
Appreciate your help, the document you shared is very helpful and cleared all the confusion.
Do you happen to know of a similar document for Cisco 1921 IOS 15.5.3 with SEC license? I searched but could not find it. I have these 1921 sitting on the shelf; I might use them for this tunnel if IPSEC is supported. Your help would be much appreciated.
04-30-2023 09:36 PM
Hello Kumar,
Search for ipsec keyword
Cisco 1921 Series Integrated Services Routers Data Sheet - Cisco
Also check :
End-of-Sale and End-of-Life Announcement for the Cisco 1941 and 1921 Integrated Services Routers - Cisco
Make sure the 1921 can handle the ipsec throughput you are trying to achieve.
Don't forget to rate helpful posts!
Regards!