7600 SPA-IPSEC-2G and SPA-5xGE-V2: small issues when using them together
========phanx.com=========
Author: phanx
Updated: 2008-11-13, 2009-03-08
=========================

A customer needed to use the SPA-IPSEC-2G in a 7600 to build IPsec site-to-site VPNs to a large number of remote nodes. Because sub-interfaces on the 7600 supervisor's Ethernet ports do not support CBWFQ when combined with the IPsec SPA, an SPA-5xGE-V2 was added as well. The SPA-5xGE-V2 is an odd card: in a 6500 chassis it has to be installed in a 7600-SIP-600, while in a 7600 it has to be installed in a 7600-SIP-400. The SPA-IPSEC-2G, of course, can only be installed in a 7600-SSC-400.

It gets complicated. The SPA-IPSEC-2G uses the "VLAN connect" model: the IPsec acceleration module is inserted into what used to be a plain point-to-point link. Previously an Ethernet sub-interface connected directly to the peer. Now the IP address that used to sit on the Ethernet sub-interface moves to an inside interface VLAN; an outside VLAN or a sub-interface connects to the peer; and finally the inside VLAN and the outside VLAN/sub-interface are bridged together with crypto connect.
Before: sub-interface ——> peer, or interface vlan & switchport trunk ——> peer
interface Vlan2
ip address 1.1.1.1 255.255.255.252
interface G1/1
switchport trunk encapsulation dot1q
switchport mode trunk
or
interface G4/0/0.2
encapsulation dot1q 2
ip address 1.1.1.1 255.255.255.252
Now: interface Vlan.inside —[crypto engine]— [SPA-IPSEC-2G] —[crypto connect vlan.inside]— outside vlan on a switchport trunk ——> peer
or: interface Vlan.inside —[crypto engine]— [SPA-IPSEC-2G] —[crypto connect vlan.inside]— outside sub-interface ——> peer
interface Vlan102
ip address 1.1.1.1 255.255.255.252
crypto engine slot 2/0
interface Vlan2
crypto connect vlan 102
interface G1/1
switchport trunk encapsulation dot1q
switchport mode trunk

or
interface Vlan102
ip address 1.1.1.1 255.255.255.252
crypto engine slot 2/0
interface G4/0/0.2
encapsulation dot1q 2
crypto connect vlan 102

So much for the configuration. The configuration guide is quite clear about it, but then I ran into a bug..
CSCsg49757 Bug Details
Combining Gig-Sub-intf & crypto connect & vlan with crypto engine
Symptom: Unable to get the VPN configuration working with a GigabitEthernet SPA module. In addition, clear text connectivity outside the 7600/6500 does not work.
Conditions: This problem only occurs if sub-interfaces are used on the GigabitEthernet SPA module.
Workaround: Configure 'cdp enable' on the sub-interface.
What does that mean? Simply put: if you use the sub-interface approach, you cannot ping the peer and IPsec does not come up either.... The fix is to add one more line, cdp enable, under the sub-interface.... // speechless...
It seems the SPA GE card does not enable CDP by default. I checked the Bug Toolkit and no release has fixed this bug yet (as of 12.2(33)SRC1), so we make do with the workaround.
Then I ran into another problem, which may or may not be a bug. Because there are many remote nodes there are many sub-interfaces, and when a colleague pasted in the configuration he accidentally pasted the configuration of a few sub-interfaces twice.
After the paste, the repeated crypto connect statements produced the message "xxxx already connect to vlan xxx", and the OSPF neighbors under the duplicated sub-interfaces would not come up. Pings to the peer succeeded, but OSPF could not form an adjacency. Debug on our side showed OSPF Hellos going out, but debug on the peer showed none being received. Out of options, I removed the crypto connect statement under the sub-interface with "no" and re-added it, and it worked.
Reconfiguring the crypto connect statement the same way on the other duplicated sub-interfaces brought all the OSPF neighbors up.
SIP/SPA really does have its share of bugs....!
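Both incidents above (the missing cdp enable on crypto-connect sub-interfaces from CSCsg49757, and the duplicated paste that produced "already connect to vlan" and broke OSPF) can be caught before the configuration reaches the router. The following script is an added example written for this post, not Cisco tooling or anything from the original: it parses a paste script in IOS syntax and reports sub-interfaces that use crypto connect without cdp enable, interface blocks that appear twice in the paste, and crypto connect targets whose inside VLAN has no crypto engine slot line. The sample paste is constructed; the interface names, VLAN numbers and addresses are assumptions.

```python
"""Pre-paste audit for SPA-IPSEC-2G crypto-connect configurations.

Added example, not Cisco tooling. Checks three things described in the post:
  1. a sub-interface with 'crypto connect vlan' but no 'cdp enable' (CSCsg49757)
  2. an interface block pasted twice ("... already connect to vlan ...")
  3. a 'crypto connect vlan N' whose Vlan N carries no 'crypto engine slot'
"""
import re
from collections import Counter

# Constructed paste script (not captured from a real router); the last two
# sub-interfaces deliberately reproduce the problems above.
SAMPLE_PASTE = """\
interface Vlan102
 ip address 1.1.1.1 255.255.255.252
 crypto engine slot 2/0
!
interface Vlan103
 ip address 1.1.1.5 255.255.255.252
 crypto engine slot 2/0
!
interface GigabitEthernet4/0/0.2
 encapsulation dot1q 2
 cdp enable
 crypto connect vlan 102
!
interface GigabitEthernet4/0/0.3
 encapsulation dot1q 3
 crypto connect vlan 103
!
interface GigabitEthernet4/0/0.3
 encapsulation dot1q 3
 crypto connect vlan 103
!
interface GigabitEthernet4/0/0.4
 encapsulation dot1q 4
 cdp enable
 crypto connect vlan 104
!
"""

CONNECT_RE = re.compile(r"^crypto connect vlan (\d+)$")


def parse_blocks(text):
    """Return [(interface name, [indented config lines])] in paste order.
    Repeated blocks are kept as separate entries so duplicates can be seen."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = (line.split(None, 1)[1], [])
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def audit(text):
    """Return the findings for a paste script as a dict of three lists."""
    blocks = parse_blocks(text)
    names = Counter(name for name, _ in blocks)

    # Inside VLANs that actually hand traffic to the SPA (valid connect targets)
    engine_vlans = {
        int(name[len("Vlan"):])
        for name, lines in blocks
        if name.startswith("Vlan")
        and any(l.startswith("crypto engine slot") for l in lines)
    }

    missing_cdp = set()
    no_engine = []
    for name, lines in blocks:
        targets = []
        for l in lines:
            m = CONNECT_RE.match(l)
            if m:
                targets.append(int(m.group(1)))
        if not targets:
            continue  # not an outside (crypto connect) interface
        # CSCsg49757 only bites on sub-interfaces, i.e. names containing '.'
        if "." in name and "cdp enable" not in lines:
            missing_cdp.add(name)
        no_engine.extend((name, v) for v in targets if v not in engine_vlans)

    return {
        "repeated_blocks": sorted(n for n, c in names.items() if c > 1),
        "missing_cdp": sorted(missing_cdp),
        "connect_without_engine": no_engine,
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_PASTE).items():
        print(f"{check}: {findings}")
```

Run the script against the text you are about to paste (or feed `audit()` the output of a saved config); an empty list for every check is the expected clean result. The duplicate-block check is the one that would have caught the pasted-twice sub-interfaces before the "already connect" message and the silent OSPF Hello loss appeared.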
One more SPA-IPSEC-2G bug, mentioned in the Catalyst 6500 Series Switches Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases:
Note: SPA-IPSEC-2G does not support TACACS+ authentication for IPsec. (CSCee33200)
In other words, when using the SPA-IPSEC-2G for remote access VPN you cannot use TACACS+ for XAuth. A colleague of mine was lucky enough to hit this bug.