[c-nsp] Looking for stable IPSEC 12.3 T IOS for 7400

Anton Yurchenko phila at cascopoint.com
Fri Sep 10 15:04:54 EDT 2004


Luan Nguyen wrote:

>I was evaluating 12.3.8T3 for 7206VXR.  Seems decent.  There are some
>bugs that prevent me from using it though.  If you could wait, I would
>suggest hold off one or two more weeks to get the latest T train :)
>
>  
>
Yes, we tried this one, but also had problems: many of the tunnels that 
used to work with the previous IOS failed to come up, so we too switched back.
 
On a side note: when doing a tunnel between Checkpoint 4.1 and IOS 
IPSec, I cannot get it to work unless the crypto access-lists on both 
sides are the same as the network behind the Checkpoint. Say the remote side 
has a 10.10.0.0/16 behind the Checkpoint, and if I try so that only 
10.10.10.0/24 or just 10.10.10.10/32 goes through the tunnel, it does 
not work. I see an IPSEC Phase 2 SA mismatch in the logs. If we set it to 
10.10.0.0/16 all works fine. This is only with Checkpoint 4.1 and it 
happened already twice with different sites. Anyone seen that happen?

>luan
>
>the sad thing is that we have to go with 12.3.10 mainline and losing
>out on tons of cool features on the T train
>
>
>On Fri, 10 Sep 2004 10:37:46 -0500, Anton Yurchenko
><phila at cascopoint.com> wrote:
>  
>
>>Hi,
>>
>>We have a 7400 terminating a bunch of IPSEC tunnels, it is currently
>>running c7400-ik9s-mz.123-4.T.bin, 12.3(4)T version. We'd like to
>>upgrade cause this one has an issue in respect if you remove an
>>access-list from crypto map or do a "no set peer" it'd crash the box.
>>Also looking for it to be a 12.3 in a T train, because it has a "show
>>crypto session" command which is really useful to look at the counters
>>of the packets going through the tunnel when troubleshooting. Anyone
>>have any suggestions?
>>
>>Thanks,