Solved

How can I confirm if this Cisco IOS c2800nm-spservicesk9-mz.124-9.T7.bin supports ipsec

Posted on 2008-10-23
8
2,877 Views
Last Modified: 2008-10-23
I have a Cisco 2800 series router with the following IOS c2800nm-spservicesk9-mz.124-9.T7.bin. I need to configure an IPsec peer to peer vpn on it. When I enter the command  " crypto ? " all i get is :

ca            Certification authority
engine        Enter a crypto engine configurable menu
key           Long term key operations
pki           Public Key components
provisioning  Secure Device Provisioning
wui           Crypto HTTP configuration interfaces

Does that mean the ios does not support IPsec? How do I confirm what feature this particular IOS supports?
0
Comment
Question by:exagger
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 23

Expert Comment

by:Mysidia
ID: 22785562
Cisco feature navigator, search by image name.
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

And yes, this particular image appears to have some IPsec features...

http://tools.cisco.com/ITDIT/CFN/Dispatch?HMR_DDM=0&HIM_Id=924498&HDDMPlatFamDet=270&HDDMFeatSetDet=1383&HPN_Text=&Q1Submit=CONTINUE&act=rlsSelect&task=display

The crypto command in most versions  is used primarily to create and manage keys, check the available subcommands
i.e.
crypto ca ?
crypto key ?
0
 

Author Comment

by:exagger
ID: 22785720
Yes, this is the tool i was looking for. It says the IOS supports IPsec through NAT translation and VPN tunnel management although this doesnt seem to be what I need. I need to be able to configure a peer to peer vpn using :

'crypto isakmp'- to define keys and policies
and 'crypto ipsec'- to configure the transform set

I suppose this IOS doesnt support that?
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22789788
Generally speaking, crypto stuff requires a "K9" (I think older is K8) version of the IOS.  By this I mean that there should be K9 as part of the version number.
You appear to have a K9 version, so yes it should support crypto command sets.

Make sure you are in config t when issuing the 'crypto' command..
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 

Author Comment

by:exagger
ID: 22790181
I am in config mode but these are the only options available

ca            Certification authority
engine        Enter a crypto engine configurable menu
key           Long term key operations
pki           Public Key components
provisioning  Secure Device Provisioning
wui           Crypto HTTP configuration interfaces

yet the ios has k9 in it.

?
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22790351
Looking into this more, but here is the product sheet for the 2800 series.  All 2800 series support native IPSec using synchronous keysets (AES, 3DES, etc. - password/secret key based).  For a PKI (certificate) based you may need to get an AIM card to support that.

http://www.cisco.com/en/US/prod/collateral/routers/ps5854/ps5882/product_data_sheet0900aecd8016fa68_ps5854_Products_Data_Sheet.html
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22790469
Is this offline while you configure it?  Could you try just dumping a dummy config in there and see if that works?  Here' s a good clean sample - take out the password stuff so you don't mess yourself up...  or at least just don't write mem so you can just bounce to clean it.
0
 

Author Comment

by:exagger
ID: 22790697
Its online.

I will try to dump a configuration outside working hours
0
 
LVL 23

Accepted Solution

by:
Mysidia earned 80 total points
ID: 22792808
The hardware may in general support it, but that particular software  image has only basic crypto and IPsec functions in software (at least without add-on cards for VPN capabilities).

An image with "IKE Security Protocol"  support, such as an "advanced security" image, an enterprise image, or (possibly) an advipservices K9 image for the platform
would provide more options.

Such as support for IKE key exchange (and therefore ISAKMP also).

It's a good  practice to look it up though and make sure a prospective image has the features you want, before  actually spending $$$ with the vendor to get the feature licenses.


0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question