
IPsec VTI setup using C9300

Yamen Yip
Level 1

I am wondering why I cannot find a command option for

tunnel mode ipsec ipv4

while setting up a simple IPsec tunnel. Can anyone help? Thank you.

Switch Ports Model      SW Version  SW Image     Mode
------ ----- -----      ----------  ----------   ----
* 1    41    C9300-24P  16.12.4     CAT9K_IOSXE  INSTALL

Technology Package License Information:

------------------------------------------------------------------------------
Technology-package                      Technology-package
Current             Type                Next reboot
------------------------------------------------------------------------------
network-advantage   Smart License       network-advantage

9300-2(config-if)#tunnel mode ?
  gre            generic route encapsulation protocol
  mpls           MPLS encapsulations
  sdwan          SDWAN Overlay
  tag-switching  IP over Tag Switching encapsulation

crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 30000
crypto isakmp key xxxxxxx address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set vpn-transformset esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile vpn-VTI
 set transform-set vpn-transformset
!
interface Tunnel0
 ip address x.x.x.x 255.255.255.0
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel protection ipsec profile vpn-VTI
end
Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello @Yamen Yip ,

I don't think that IPsec tunnels are supported on a Catalyst switch like the C9300.

The commands can be present in the CLI parser, but the device lacks a hardware-based encryption/decryption engine for IPsec, and so it should not be able to put user traffic over it.

There have been other similar threads; the issue is that the IOS XE CLI is so "unified" that it allows you to issue commands not supported on this specific platform.

You will need a router for this.

 

Hope to help

Giuseppe

 

6 Replies


Hi,

 

I was thinking like you, but reading the C9300 datasheet, we can see that it may be supported:

 

IPSec encryption delivers secure end-to-end encrypted traffic between sites and connectivity to the Cloud. C9300X models support line rate IPSEC up to 100 Gbps delivering uncompromised secure connectivity.

 

So, I really want to know if it is supported or not!

Regards.

Philippe Hermoso

 

> ...So, I really want to know if it is supported or not!

- I don't think so; attached you will find the output of the feature navigator https://cfnng.cisco.com/browse/routing/features

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
   When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

This is the point!

francisco14
Level 1

The

tunnel mode ipsec ipv4

command does not exist on the SW-C9300. In the transform set, configure tunnel mode as you did; on the interface, put

tunnel mode gre ip

and your traffic will be encrypted.

 

sorry for my bad English
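Two practical points come out of this thread: Giuseppe's caveat that the IOS XE parser accepting "tunnel protection" does not prove the platform is encrypting anything, and francisco14's GRE-over-IPsec configuration. In both cases the check a practitioner wants after applying the configuration is "show crypto ipsec sa": an inbound and an outbound SA must be installed, and the encrypt/decrypt counters must climb while traffic flows. The Python below is an added example, not code from any poster in this thread or from Cisco; it parses a constructed excerpt laid out the way IOS XE prints that command (addresses, SPIs and counters are made up) and flags a tunnel whose SA never came up.

```python
"""Check whether an IOS XE tunnel with 'tunnel protection' is really encrypting.

Added example for this thread; not code from the original posts or from Cisco.
Parses the text of `show crypto ipsec sa` and reports, per tunnel interface,
whether IPsec SAs exist and whether the encrypt/decrypt counters are non-zero.
"""
import re
from dataclasses import dataclass

# Constructed sample, not captured from a real device. Tunnel0 is working;
# Tunnel1 has 'tunnel protection' configured but no SA ever came up.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1480, #pkts encrypt: 1480, #pkts digest: 1480
    #pkts decaps: 1312, #pkts decrypt: 1312, #pkts verify: 1312

     inbound esp sas:
      spi: 0x5C1A2B3C(1545218876)
        transform: esp-256-aes esp-sha256-hmac ,
     outbound esp sas:
      spi: 0x1D2E3F40(489570112)
        transform: esp-256-aes esp-sha256-hmac ,

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.9/255.255.255.255/47/0)
   current_peer 203.0.113.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

     inbound esp sas:
     outbound esp sas:
"""


@dataclass
class TunnelStatus:
    interface: str
    peer: str
    encrypted: int   # "#pkts encrypt" counter
    decrypted: int   # "#pkts decrypt" counter
    inbound_sa: bool
    outbound_sa: bool

    @property
    def healthy(self) -> bool:
        # Both SAs installed and packets actually going through them.
        return (self.inbound_sa and self.outbound_sa
                and self.encrypted > 0 and self.decrypted > 0)


def parse_ipsec_sa(output: str) -> list[TunnelStatus]:
    """Split the output into per-interface sections and extract the fields we need."""
    results = []
    for sec in re.split(r"(?m)^interface: ", output)[1:]:
        name = sec.split("\n", 1)[0].strip()
        peer = re.search(r"current_peer (\S+)", sec)
        enc = re.search(r"#pkts encrypt: (\d+)", sec)
        dec = re.search(r"#pkts decrypt: (\d+)", sec)
        # An installed SA shows up as an "spi:" line under the inbound/outbound
        # headings; an empty heading means no SA was negotiated. (Simplified: AH
        # and PCP sub-sections are folded into the same check.)
        before_out, _, after_out = sec.partition("outbound esp sas:")
        inbound_part = before_out.split("inbound esp sas:", 1)[-1]
        results.append(TunnelStatus(
            interface=name,
            peer=peer.group(1) if peer else "",
            encrypted=int(enc.group(1)) if enc else 0,
            decrypted=int(dec.group(1)) if dec else 0,
            inbound_sa="spi:" in inbound_part,
            outbound_sa="spi:" in after_out,
        ))
    return results


def diagnose(status: TunnelStatus) -> str:
    """One-line verdict, distinguishing 'no SA' from 'SA but no traffic'."""
    where = f"{status.interface} -> {status.peer}"
    if not (status.inbound_sa and status.outbound_sa):
        return (f"{where}: no IPsec SA installed; tunnel protection is "
                "configured but nothing is being encrypted")
    if status.encrypted == 0 or status.decrypted == 0:
        return f"{where}: SA present but counters are zero; traffic is not passing through IPsec"
    return f"{where}: OK, {status.encrypted} encrypted / {status.decrypted} decrypted"


if __name__ == "__main__":
    for st in parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(diagnose(st))
```

Run it against the real command output (for example, saved with "show crypto ipsec sa | redirect" or copied from the terminal) and take a second sample a minute later; on a platform that cannot actually encrypt, the counters stay at zero even though the configuration was accepted.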

You dip stick, never apologise for this.

Your English is infinitely better than my - any other language, because I do not have one.
