Cisco 2801, IPsec problem with onboard accelerator


I need to connect two 2801s over Fast Ethernet with IPsec encryption. I also need OSPF, so I am configuring GRE over IPsec:

crypto isakmp policy 15
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key hryakwesdxc address
!
!
crypto ipsec transform-set hryak ah-sha-hmac esp-aes 256
 mode transport
!
crypto map hryak local-address FastEthernet0/1
crypto map hryak 10 ipsec-isakmp
 set peer
 set transform-set hryak
 set pfs group2
 match address 187
 qos pre-classify

interface Tunnel0
 description Hohryak-P100-GRE
 bandwidth 10240
 ip address
 ip mtu 1440
 ip route-cache policy
 no ip route-cache cef
 ip route-cache flow
 no ip mroute-cache
 qos pre-classify
 tunnel source FastEthernet0/1
 tunnel destination
 tunnel flow egress-records

This configuration doesn't work: pings work, but only small pings; packets larger than 100 bytes can't reach the other router over IPsec.

If I add compression to the transform set:

crypto ipsec transform-set hryak ah-sha-hmac esp-aes 256 comp-lzs

then all is OK except for performance: I get only about 10 Mbit throughput and 100% CPU load, in IP Input.

I guess the compression is done on the CPU. I don't need compression anyway :-)

By the way, all is OK with the physical channel: if I remove crypto I get about 50 Mbit throughput.

Could you tell me what is wrong? How can I get IPsec working without compression? Maybe this is an IOS problem (I use 12.4.17a)?

Reply to
Dmitry Melekhov


I see the following on one router:

*Nov 26 09:50:27.134 SAMT: %CRYPTO-4-RECVD_PKT_MSG_LEN_ERR: decapsulate: packet has bad bad pad length for packet: decrypt error? length destadr=, prot=50, len=8
*Nov 26 09:50:27.134 SAMT: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=4

What does it mean?

Reply to
Dmitry Melekhov

Hi there,

You could try reducing the MTU on the tunnel interface to 1360.

Also, where is the crypto map applied? I don't see it applied either to the physical interface or the tunnel interface here.

Reply to
Mike Rahl
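For reference, here is what the "apply the crypto map" step looks like for the GRE-over-IPsec design in the first post. This is an added example, not a configuration from the thread; it reuses the policy, transform-set and map names from the original post but fills in placeholder addresses (192.0.2.1 local, 198.51.100.1 remote, 10.0.0.0/30 on the tunnel) and an assumed access list 187 that matches only the GRE traffic between the two peers, since the original omits all of these. The map goes on the physical interface that is the tunnel source; on its own, a crypto map that is only defined never encrypts anything.

```cisco
! Assumed peer addresses; the thread's real addresses are not shown.
crypto isakmp key hryakwesdxc address 198.51.100.1
!
crypto ipsec transform-set hryak ah-sha-hmac esp-aes 256
 mode transport
!
crypto map hryak local-address FastEthernet0/1
crypto map hryak 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set hryak
 set pfs group2
 match address 187
 qos pre-classify
!
! Assumed ACL 187: encrypt only GRE between the two tunnel endpoints.
access-list 187 permit gre host 192.0.2.1 host 198.51.100.1
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.1
!
! The step missing from the original post: the map is applied here.
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 crypto map hryak
!
! Checks: the map should now list Fa0/1 under "Interfaces using crypto map",
! the SA counters should increment, and a large non-fragmentable ping
! through the tunnel should succeed.
! show crypto map
! show crypto ipsec sa
! ping 10.0.0.2 size 1400 df-bit
```

Lowering `ip mtu` and clamping the TCP MSS on the tunnel keeps the GRE+ESP+AH overhead from pushing the outer packet past the 1500-byte Ethernet MTU; the exact values depend on the transform set, so 1400/1360 is a conservative choice rather than a computed one. If `show crypto ipsec sa` shows packets being encrypted but the far side still logs MAC or pad-length errors on large packets only, the problem is downstream of the configuration, which is where the rest of this thread ends up.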

It doesn't help :-(

p100-cr2801-1#ping

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

p100-cr2801-1#ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]: 200
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 200-byte ICMP Echos to, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Now I'm trying to use a crypto tunnel, with the same result :-(

interface Tunnel0
 ip address
 ip mtu 1360
 no ip route-cache cef
 no ip route-cache
 ip ospf cost 2
 ip ospf mtu-ignore
 tunnel source
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile hryak-p
end

The same config is on the other end.


p100-cr2801-1#sh crypto sess
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: port 500
  IKE SA: local remote Active
  IPSEC FLOW: permit ip
        Active SAs: 2, origin: crypto map

I can't understand why it works OK with compression, and why all is OK without encryption...

Reply to
Dmitry Melekhov
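The post above shows the VTI-style tunnel but not the `hryak-p` profile it references. The following is an added example of the complete VTI side, not a configuration from the thread: it assumes the ISAKMP policy and pre-shared key from the first post, placeholder addresses (192.0.2.1 local, 198.51.100.1 remote, 10.0.0.0/30 on the tunnel), and a separate transform set in tunnel mode, because an IPsec VTI encapsulates the whole inner packet itself and has no use for the transport-mode set built for GRE. Unlike the crypto-map design, no access list and no `crypto map` on the physical interface are needed; everything routed into Tunnel0 is encrypted.

```cisco
! Assumed: transform set in tunnel mode for the VTI (the original
! "hryak" set is transport mode, built for GRE over IPsec).
crypto ipsec transform-set hryak-vti esp-aes 256 esp-sha-hmac
 mode tunnel
!
! The profile referenced by "tunnel protection" in the post above.
crypto ipsec profile hryak-p
 set transform-set hryak-vti
 set pfs group2
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile hryak-p
!
! Nothing is applied to the physical interface; routing decides what is encrypted.
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
! Checks: "show crypto session" should report Tunnel0 UP-ACTIVE with
! origin "crypto map" (IOS reports VTI-derived maps that way too), and
! "show crypto ipsec sa" should show the encaps/decaps counters moving.
! show crypto session
! show crypto ipsec sa
```

The mirror configuration on the far end swaps the two addresses. Note that `ip ospf mtu-ignore` only suppresses the OSPF MTU mismatch check; it does not make oversized packets fit, so the `ip mtu` and MSS clamp are still needed with a VTI.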

On 28 Nov, 21:46, Dmitry Melekhov wrote:


By the way, it is very strange, but if I set ip mtu to less than 120 on the far end (not the other way round), then large (1500-byte) pings pass. It looks like something is wrong with the Ethernet channel, but I can't understand what: unencrypted traffic has no problems on this channel...

Reply to
Dmitry Melekhov

OK. It looks like this is a Cisco IOS bug. I replaced the 2801 with a 2811 on one side and got the channel working for some time. Then the 2811 hung :-), so I replaced the IOS on the 2801 with an older one (12.4.13d afair). Now the channel has been working for more than hours. The only "problem" is many messages in the 2811 log:

Nov 30 08:55:51.188 SAMT: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer
Nov 30 08:57:40.754 SAMT: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer
Nov 30 08:59:40.776 SAMT: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer

I'm sure this is a bug too...

Reply to
Dmitry Melekhov