Sunday, January 03, 2010

IPsec VPN on Catalyst 6500 or 7600.

The first thing you need to know is that IPsec VPN on the 6500 and 7600 will not work with SXE.

I've seen this too many times: problems with IPsec VPN on the 6500 or 7600 with a VPN SPA (Shared Port Adapter) or VPNSM (VPN Service Module).

The place you need to start is:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html
Cross-reference whether the modules and configurations you're using are supported in the first place. When something is unsupported, it is usually for a very good reason - Cisco didn't deem it important enough.

If this is a new setup and you do not need any VRF features, I would recommend going for CCA (Crypto Connect Alternative). In this mode the crypto engine operates in VRF mode, but everything can remain in the global VRF.
Here's a decent config example:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76cfvpna.html#wp2048824

Best software to run the VPN SPA with (as of 3rd Jan 2010): SXI2a or SRC4, my personal picks.
If you're considering the VPN SPA as the platform for remote access, save yourself the trouble - use an ASA instead (if you're into Cisco, of course).

The problem with vlan 1
There is a known problem which Cisco fixed in a strange way. If you have vlan 1 configured on the trunks to the VPN SPA you might run into performance problems. So if you have problems with IPsec performance on the 6500 and 7600 (only in VRF and CCA mode), remove vlan 1 from the trunks to the VPN module (interface GigabitEthernet Module_slot/Subslot/0 and 1).
The fix implemented by Cisco:
For new installations, do not add vlan 1 to the trunks for the VPN SPA...
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl28371
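What the trunk change looks like in IOS, as an added example that is not from the original post or from Cisco's documentation: the trunk to the VPN SPA first with the default allowed-VLAN list (which includes vlan 1), then restricted to the VLANs the crypto engine actually needs, plus the in-place form for an existing trunk and the show command to confirm it. `<slot>/<subslot>` stands for the SIP slot and SPA subslot in your chassis, and the VLAN ids 100 (inside) and 200 (outside) are made-up values.

```text
! Added example (not from the post or Cisco docs). <slot>/<subslot> and the
! VLAN ids 100/200 are placeholders; substitute your own.

! --- Problematic: no "allowed vlan" statement, so the trunk carries the
! --- default list (all VLANs, vlan 1 included)
interface GigabitEthernet<slot>/<subslot>/0
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! --- Corrected: only the inside/outside VLANs used by the crypto engine
interface GigabitEthernet<slot>/<subslot>/0
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200
 switchport mode trunk
!
! --- Existing trunk: strip vlan 1 without retyping the whole list
interface GigabitEthernet<slot>/<subslot>/1
 switchport trunk allowed vlan remove 1
!
! --- Verify: vlan 1 must be absent from the "Vlans allowed on trunk" column
! --- for both SPA ports (run from privileged EXEC)
show interfaces trunk
```

Do this on both trunk ports of the module; leaving vlan 1 on either one keeps the performance problem described above in place.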

edited: 17th Jun 2010
