From: Brad Hedlund (BHedlund@xxxxxxxxxxxxxxxxxxx)
Date: Sun Jan 09 2000 - 18:26:08 GMT-3
Naushad,
Great observation!! I was having difficulty getting an encrypted tunnel
working between a 2500 and 3600, and I think you're right. I need the 'crypto
map' on the tunnel and physical interface.
It was working between two 3600's (the config I sent out earlier) without it
being on both, but I'll chalk that up as being a difference in software. In
the CCIE lab test I'm pretty sure the VPN questions would involve a 2500
seeing that there is only one 3600 per rack.
I certainly hope that we are studying the right thing ... IPSEC/ISAKMP.
I think we are.
I don't know how else you would do VPN between two Cisco routers. ??!!
However, instead of IPSec there is also Cisco proprietary encryption.
Maybe we should try to get that to work too.
-Brad
>
> Secondly, while reading the links, (I lost the exact link)
> somewhere the
> author has made a note regarding applying Crypto Map commands to both
> Physical and Tunnel Interfaces. I noticed that your Crypto
> Map commands are
> only on Tunnel Interfaces. I have applied to both interfaces
> in my config.
> That also works well. I was able to see encapsulate and
> decapsulate counters
> clocking up as I pinged through the IP cloud.
>
> Good job Brad...Now my worries of getting those 8 points have somewhat
> calmed. I hope it's what we are working on and not anything
> drastically
> different.
>
> Thanks for all your help.
>
> Naushad
>
>
>
>
> -----Original Message-----
> From: Brad Hedlund [mailto:BHedlund@LifeTimeFitness.com]
> Sent: Saturday, January 08, 2000 4:28 PM
> To: 'Naushad Prasla'
> Cc: 'ccielab@groupstudy.com'
> Subject: RE: Working VPN config
>
>
>
> As I suspected, apparently I DO need "Crypto ISAKMP Policy 1". When I
> removed it from my configuration it failed to work! I
> cleared all the SA's
> and reloaded the routers just to make sure.
>
> When it wasn't working I checked IPsec to see how it was doing
> and found that
> it wasn't able to encapsulate the packets due to errors:
>
> R9#show cryp ipsec sa
>
> interface: Ethernet0/0
>
> interface: Tunnel0
> Crypto map tag: summer, local addr. 64.100.100.9
>
> local ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
> remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
> current_peer: 63.100.100.4
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
> #send errors 10, #recv errors 0
>
> local crypto endpt.: 64.100.100.9, remote crypto endpt.:
> 63.100.100.4
> path mtu 1514, media mtu 1514
> current outbound spi: 0
>
> Notice the 10 send errors from 2 ping tries.
>
>
> Naushad, I'm curious how you got yours working without an ISAKMP
> protection-suite.
> Are you sure the packets were actually getting encrypted?
> 'show crypto ipsec sa'
>
> Can I/we see your complete configurations?
>
> I'm just as confused as you are with all this Crypto Lingo,
> but I'm pretty
> sure IPSec needs an ISAKMP protection-suite configured. I
> could be wrong
> though.
>
>
> -Brad
>
>
>
> >
> > Brad,
> >
> > Must you have "Crypto ISAKMP Policy 1"? I have been able
> > to make it work
> > without this policy. Refer to the URL below for an example. I
> > have tried it
> > and it works.
> >
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios12
> > 0/12cgcr/secur
> > _c/scprt4/scipsec.htm#xtocid2141731
> >
> >
> > This stuff is extremely confusing. Especially various
> > encryption methodology
> > and its application.
> >
> > Naushad
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of
> > Brad Hedlund
> > Sent: Thursday, January 06, 2000 3:32 PM
> > To: 'ccielab@groupstudy.com'
> > Subject: Working VPN config
> >
> >
> >
> > I was able to put together a working VPN configuration as follows:
> >
> > ------e0 R4 s0 --------- Internet --------- e0/0 R9 e1/0 ----
> >
> > <---------Encrypted Tunnel---> (IPsec)
> >
> > I am running EIGRP over the tunnel making the "internet" look
> > like a leased
> > line.
> > Given that I may be able to do dial-backup over the VPN
> > with floating
> > statics.
> > The URL I mailed out in the previous email doesn't use a
> > tunnel interface, I
> > just threw that in.
> > I will just show the configs. If I add all the show commands
> > that proves it
> > works this email might be too long for the list to send.
> >
> > R4#wr t
> > Building configuration...
> >
> > Current configuration:
> > !
> > version 11.3
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname R4
> > !
> > !
> > no ip domain-lookup
> > !
> > !
> > !
> > crypto isakmp policy 1
> > hash md5
> > authentication pre-share
> > group 2
> > lifetime 300
> > crypto isakmp key MyFirstVPN address 200.100.100.9
> > !
> > !
> > crypto ipsec transform-set VPNtoR9 ah-md5-hmac esp-des
> > !
> > !
> > crypto map winter 10 ipsec-isakmp
> > set peer 200.100.100.9
> > set security-association lifetime seconds 600
> > set transform-set VPNtoR9
> > set pfs group2
> > match address 101
> > !
> > !
> > !
> > interface Loopback99
> > ip address 4.4.4.4 255.255.255.255
> > !
> > interface Tunnel0
> > ip address 10.10.49.4 255.255.255.0
> > tunnel source 200.200.200.4
> > tunnel destination 200.100.100.9
> > crypto map winter
> > !
> > interface BRI0/0
> > no ip address
> > shutdown
> > !
> > interface Ethernet0/0
> > ip address 10.10.4.1 255.255.255.0
> > no keepalive
> > !
> > interface Serial0/0
> > ip address 200.200.200.4 255.255.255.0
> > encapsulation frame-relay
> > ip ospf network point-to-multipoint
> > no ip mroute-cache
> > no fair-queue
> > !
> > router eigrp 100
> > network 10.0.0.0
> > !
> > router ospf 1
> > network 200.200.200.0 0.0.0.255 area 0.0.1.244
> > !
> > ip classless
> > !
> > logging buffered 4096 debugging
> > no logging console
> > access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> > !
> > !
> > line con 0
> > exec-timeout 0 0
> > line aux 0
> > line vty 0 4
> > login
> > !
> > end
> >
> > R4#
> >
> > R9#sh ru
> > Building configuration...
> >
> > Current configuration:
> > !
> > version 11.3
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname R9
> > !
> > !
> > ip subnet-zero
> > no ip domain-lookup
> > !
> > !
> > voice-port 2/0/0
> > !
> > voice-port 2/0/1
> > !
> > voice-port 2/1/0
> > !
> > voice-port 2/1/1
> > !
> > !
> > crypto isakmp policy 1
> > hash md5
> > authentication pre-share
> > group 2
> > lifetime 300
> > crypto isakmp key MyFirstVPN address 200.200.200.4
> > !
> > !
> > crypto ipsec transform-set VPNtoR4 ah-md5-hmac esp-des
> > !
> > !
> > crypto map summer 10 ipsec-isakmp
> > set peer 200.200.200.4
> > set security-association lifetime seconds 600
> > set transform-set VPNtoR4
> > set pfs group2
> > match address 101
> > !
> > !
> > !
> > interface Loopback99
> > ip address 9.9.9.9 255.255.255.255
> > no ip directed-broadcast
> > !
> > interface Tunnel0
> > ip address 10.10.49.9 255.255.255.0
> > tunnel source 200.100.100.9
> > tunnel destination 200.200.200.4
> > crypto map summer
> > !
> > interface Ethernet0/0
> > ip address 200.100.100.9 255.255.255.0
> > no ip directed-broadcast
> > no keepalive
> > !
> > interface Serial0/0
> > no ip address
> > no ip directed-broadcast
> > no ip mroute-cache
> > shutdown
> > no fair-queue
> > !
> > interface BRI1/0
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Ethernet1/0
> > ip address 10.10.9.1 255.255.255.0
> > no ip directed-broadcast
> > no keepalive
> > !
> > interface BRI1/1
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > router eigrp 100
> > network 10.0.0.0
> > !
> > router ospf 1
> > network 200.100.100.0 0.0.0.255 area 0
> > !
> > ip classless
> > !
> > no logging console
> > access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> > !
> > !
> > line con 0
> > exec-timeout 0 0
> > transport input none
> > line aux 0
> > line vty 0 4
> > no login
> > !
> > end
> >
> > R9#
> >
> > -Brad
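The 'show crypto ipsec sa' output Brad pasted above (zero encaps, 10 send errors, outbound SPI 0) is the signature of a crypto map that matched interesting traffic but had no IPsec SA to put it in, which is exactly what a missing or mismatched ISAKMP policy produces: the packets are counted as send errors and dropped rather than sent in the clear. The script below is an added example, not part of the original thread, that parses that output and classifies each SA by its counters. The failing sample is the thread's own output with typical IOS indentation restored; the "healthy" sample, its counters and its SPI value are constructed for comparison.

```python
"""Classify Cisco IOS 'show crypto ipsec sa' output (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample 1: the failing SA from the thread, IOS indentation restored.
FAILING_SA = """\
interface: Ethernet0/0

interface: Tunnel0
    Crypto map tag: summer, local addr. 64.100.100.9

   local  ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
   current_peer: 63.100.100.4
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 10, #recv errors 0

     local crypto endpt.: 64.100.100.9, remote crypto endpt.: 63.100.100.4
     path mtu 1514, media mtu 1514
     current outbound spi: 0
"""

# Constructed sample 2: a hypothetical working SA between the same peers (invented counters/SPI).
HEALTHY_SA = """\
interface: Tunnel0
    Crypto map tag: summer, local addr. 64.100.100.9

   local  ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
   current_peer: 63.100.100.4
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest 12
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
    #send errors 0, #recv errors 0

     local crypto endpt.: 64.100.100.9, remote crypto endpt.: 63.100.100.4
     path mtu 1514, media mtu 1514
     current outbound spi: 3A2B1C0D
"""


@dataclass
class IpsecSa:
    interface: str
    crypto_map: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    outbound_spi: int = 0  # 0 means no outbound IPsec SA has been negotiated


def parse_show_crypto_ipsec_sa(text: str) -> List[IpsecSa]:
    """Return one IpsecSa per interface that actually carries a crypto map."""
    sas: List[IpsecSa] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"interface:\s*(\S+)", line)):
            cur = IpsecSa(interface=m.group(1))
            sas.append(cur)
        elif cur is None:
            continue
        elif (m := re.match(r"Crypto map tag:\s*([^,]+),", line)):
            cur.crypto_map = m.group(1)
        elif (m := re.match(r"current_peer:\s*([0-9.]+)", line)):
            cur.peer = m.group(1)  # later IOS appends ':500'; the regex stops at the colon
        elif (m := re.match(r"#pkts encaps:\s*(\d+)", line)):
            cur.encaps = int(m.group(1))
        elif (m := re.match(r"#pkts decaps:\s*(\d+)", line)):
            cur.decaps = int(m.group(1))
        elif (m := re.match(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", line)):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
        elif (m := re.match(r"current outbound spi:\s*(?:0x)?([0-9A-Fa-f]+)", line)):
            cur.outbound_spi = int(m.group(1), 16)  # printed in hex by IOS
    return [sa for sa in sas if sa.crypto_map]  # interfaces without a crypto map are noise


EXPLANATIONS = {
    "NO_SA": "crypto ACL matched traffic but no IPsec SA exists, so it was dropped (send errors); "
             "check IKE phase 1 with 'show crypto isakmp sa': policy, pre-shared key, peer address",
    "IDLE": "no SA and no interesting traffic yet; send a ping that matches the crypto ACL",
    "ONE_WAY": "we encrypt but never decrypt; far side is not returning traffic through the tunnel "
               "(non-mirrored crypto ACL, crypto map missing on its interface, or routing)",
    "ERRORS": "SA is up but packets fail; compare the encrypt/decrypt and digest/verify counters",
    "OK": "SA established and traffic flows both ways",
}


def diagnose(sa: IpsecSa) -> str:
    """Map one SA's counters to a status code (keys of EXPLANATIONS)."""
    if sa.outbound_spi == 0:
        return "NO_SA" if sa.send_errors > 0 else "IDLE"
    if sa.encaps > 0 and sa.decaps == 0:
        return "ONE_WAY"
    if sa.send_errors or sa.recv_errors:
        return "ERRORS"
    return "OK"


if __name__ == "__main__":
    for label, text in (("failing", FAILING_SA), ("healthy", HEALTHY_SA)):
        for sa in parse_show_crypto_ipsec_sa(text):
            code = diagnose(sa)
            print(f"{label}: {sa.interface} -> {sa.peer} [{sa.crypto_map}] {code}: {EXPLANATIONS[code]}")
```

Run it against pasted output from both routers; a NO_SA on one side and IDLE on the other usually means the ISAKMP proposal or pre-shared key never matched, while NO_SA on both points at the peer address or the crypto ACL. Note that the thread's configs negotiate esp-des with MD5 and keep the pre-shared key in the clear ("no service password-encryption"); that was acceptable for a lab in 2000, but DES and a plaintext PSK are not what you would deploy today.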
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:22:43 GMT-3