[c-nsp] Can you apply crypto map to SVI

Andy Saykao andy.saykao at staff.netspace.net.au
Tue Jun 16 21:43:27 EDT 2009


Hi Ge,

Yes I see an active crypto engine in "software". 

core1#sh cry engine configuration

        crypto engine name:  unknown
        crypto engine type:  software
             serial number:  00016956
       crypto engine state:  installed
     crypto engine in slot:  N/A
                  platform:  Cisco Software Crypto Engine

   Encryption Process Info:
          input queue size:  500
           input queue top:  0
           input queue bot:  0
         input queue count:  0

   Crypto Adjacency Counts:
                Lock Count:  0
              Unlock Count:  0
        crypto lib version:  17.0.0
         ipsec lib version:  2.0.0

Does this mean that if the crypto map is applied to the SVI that the
IPSEC tunnel should be working (considering my IPSEC config is all
good)?

Thanks.

Andy

-----Original Message-----
From: Ge Moua [mailto:moua0100 at umn.edu] 
Sent: Tuesday, 16 June 2009 7:03 PM
To: Andy Saykao
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Can you apply crypto map to SVI

Yes, this should work contingent on hw platform.  If you do a "sh cry
engine" do you see an active crypto engine in sw or hw?  If not then the
crypto commands will never be invoked even though legal.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Andy Saykao wrote:
> Hi All,
>  
> Got a problem with a site-to-site IPSEC vpn implementation where one 
> end is using SVI.
>  
> Does anybody know if a crypto map can be applied to a SVI to bring up
> the IPSEC tunnel? It accepts the command but I can't pass any traffic
> to/from it.
>  
> interface vlan 10
>  crypto map MY-MAP
>  
> Or do you need to apply the crypto map to a physical interface? 
>  
> I've gotten it working on a sub-interface (eg: interface
> GigabitEthernet0/0.11) but can't find any documentation that talks 
> about applying it to a SVI and whether this will work.
>  
> Thanks.
>  
> Andy