Technical information
28
IPSec VPN Acceleration Services Module Installation and Configuration Note
78-14459-03 Rev C0
Configuring a VPN Using the VPN Module
Miscellaneous Guidelines
Follow these configuration guidelines for configuring a VPN using the VPN module:
• Loopback interfaces
Attaching a crypto map set to a loopback interface is not supported. However, you can maintain an
IPSec security association database independent of physical ingress/egress interfaces with the VPN
module by entering the crypto map map-name local-address interface command.
If you apply the same crypto map set to each secure interface and enter the crypto map map-name
local-address interface command with interface as a loopback interface, you will have a single
security association database for the set of secure interfaces.
• show crypto vlan command
When the interface VLAN belongs to the VPN module inside port, the show crypto vlan command
output is as follows:
Interface VLAN 2 on IPSec Service Module port 7/1 connected to Fa8/3
When there is a crypto connection, but the VPN module inside port does not include the interface
VLAN due to a misconfiguration, the output is as follows:
Interface VLAN 2 connected to Fa8/3 (no IPSec Service Module attached)
Note With Cisco IOS Release 12.2(14)SY, it is no longer possible to remove an interface VLAN
from the VPN module inside port while the crypto connection to the interface VLAN exists.
You must first remove the crypto connection.
• show crypto engine configuration command
The show crypto engine configuration command does not show the VPN module slot number when
there is no crypto connection even if the module is installed in the chassis.
• Supervisor engine switchover
After a supervisor engine switchover, the installed modules reboot and come back online. During
this period, the VPN module’s established tunnels (SAs) are temporarily lost and are reconstructed
after the VPN module comes back online. The reconstruction is through IKE (it is not instantaneous).
• Switching module removal
When you remove a switching module that has ports participating in a crypto connection, the
crypto connections remain configured. When you reinsert the same type of switching module, traffic
starts to run again on all the crypto connections. Crypto connections associated with a removed
switching module are not cleaned up automatically; you must remove them manually. You can enter
the no crypto connect vlan command from any interface when the associated physical port is removed.
• Rebooting a VPN module with crypto connections
When you reboot a VPN module that has crypto connections, the existing crypto connections are
kept intact. The traffic starts running again when the VPN module reboots. When a crypto
connection exists but the associated interface VLAN is missing from the VPN module inside port,
the crypto connection is removed after the VPN module reboots.
• When you remove a port VLAN or an interface VLAN with the no interface vlan command, the
associated crypto connection is also removed.
With Cisco 7200 Series Routers and other Cisco software crypto platforms, if you configure a crypto
map with an empty ACL (an ACL that is defined but has no lines) and attach the crypto map to an
interface, all traffic going out of that interface is dropped. However, with the VPN module, all traffic
goes out of the interface in the clear (unencrypted). Because the VPN module fails open rather than
closed in this case, verify that every ACL referenced by a match address statement in an applied crypto
map contains at least one entry before you attach the map to an interface.
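The following script, added here as an example and not part of the Cisco note, audits an IOS running-configuration for the two pitfalls from this list that can be caught before deployment: a crypto map attached to a loopback interface (unsupported with the VPN module) and a crypto map whose match address ACL is defined but empty (traffic leaves in the clear). It also flags a match address ACL that is referenced but never defined. The sample configuration, the interface names, and the function names are constructed for the example.

```python
"""Audit an IOS running-config for VPN-module crypto map pitfalls.

Added example; the sample config, names and helpers are constructed
for illustration and are not from the Cisco note or a real device.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running-config, ordered the way IOS prints it
# (crypto maps, then interfaces, then named ACLs).
SAMPLE_CONFIG = """\
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 match address VPN-TRAFFIC
!
crypto map BAD-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 match address EMPTY-ACL
!
interface Loopback0
 crypto map OUTSIDE-MAP
!
interface Vlan2
 crypto map BAD-MAP
!
interface Vlan3
 crypto map OUTSIDE-MAP
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
ip access-list extended EMPTY-ACL
!
"""

Block = Tuple[str, List[str]]


def parse_blocks(config: str) -> List[Block]:
    """Split IOS config text into (top-level line, [indented child lines])."""
    blocks: List[Block] = []
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' separators carry no config
        if raw.startswith(" "):
            if header is not None:
                children.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = raw.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks


def audit(config: str) -> Dict[str, List[str]]:
    """Return findings: empty_acl (fails open on the VPN module),
    missing_acl (referenced but undefined), loopback_crypto_map (unsupported)."""
    acl_entries: Dict[str, int] = {}          # ACL name/number -> permit/deny count
    map_acls: Dict[str, Set[str]] = {}        # crypto map name -> match address ACLs
    bindings: List[Tuple[str, str]] = []      # (interface, crypto map name)

    for header, children in parse_blocks(config):
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", header)
        if m:  # named ACL: count only real entries, not remarks
            acl_entries[m.group(1)] = sum(
                1 for c in children if c.split()[0] in ("permit", "deny"))
            continue
        m = re.match(r"access-list (\d+) (\S+)", header)
        if m:  # numbered ACL: one top-level line per entry
            acl_entries.setdefault(m.group(1), 0)
            if m.group(2) in ("permit", "deny"):
                acl_entries[m.group(1)] += 1
            continue
        m = re.match(r"crypto map (\S+) \d+ ipsec-", header)
        if m:
            for c in children:
                ma = re.match(r"match address (\S+)$", c)
                if ma:
                    map_acls.setdefault(m.group(1), set()).add(ma.group(1))
            continue
        m = re.match(r"interface (\S+)$", header)
        if m:
            for c in children:
                mc = re.match(r"crypto map (\S+)$", c)
                if mc:
                    bindings.append((m.group(1), mc.group(1)))

    findings: Dict[str, List[str]] = {
        "empty_acl": [], "missing_acl": [], "loopback_crypto_map": []}
    for iface, map_name in bindings:
        if iface.lower().startswith("loopback"):
            findings["loopback_crypto_map"].append(f"{iface}: crypto map {map_name}")
        for acl in sorted(map_acls.get(map_name, ())):
            if acl not in acl_entries:
                findings["missing_acl"].append(
                    f"{iface}: crypto map {map_name} references undefined ACL {acl}")
            elif acl_entries[acl] == 0:
                findings["empty_acl"].append(
                    f"{iface}: crypto map {map_name} match address {acl} has no entries")
    return findings


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_CONFIG).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it against the output of show running-config saved to a file; the ACL and interface sections are collected in a first pass and evaluated only afterwards because IOS prints named ACLs after the interfaces that depend on them. Any empty_acl finding on a VPN-module interface means plaintext on the wire, not a blackhole.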