From: Maljure, Sanjay (smaljure@xxxxxxxxxxxxxxxxx)
Date: Mon Mar 27 2000 - 13:02:47 GMT-3
Hi all,
I am trying to think aloud here on IPsec tunnels...
This is material that I stripped out from the CCO...
I haven't had a chance to play around with this much....
So I would really appreciate it if you people can review my list and suggest
anything else that can be useful in getting this to work...
(This message is kind of long, but I will pray for your patience..)
What is an IPsec SA?
An IKE security association is created between two peers wishing to
establish IPSec tunnel.
IKE facilitates secure IPSec policy negotiation and provides key management.
To successfully configure IKE and IPSec, you always use certificates or
pre-shared keys.
(I will restrict this to pre-shared keys for lab purposes)
Network Diagram
--e0--R1--s0------s0--R2--s1-------s0--R3--e0---
       |                                |
      Tu0                              Tu0
       |                                |
       ----------------------------------
Let's say R1 and R3 are the tunnel endpoints and IPsec peers.
R2 is just routing the encapsulated packets.
R1 - e0 - 10.1.1.1/24
R1 - s0 - 11.0.0.1/24
R1 - Tu0 - 15.0.0.1/24
R2 - s0 - 11.0.0.2/24
R2 - s1 - 12.0.0.1/24
R3 - s0 - 12.0.0.2/24
R3 - e0 - 13.1.1.1/24
R3 - Tu0 - 15.0.0.2/24
Pre-shared Keys:
This is the "quick and dirty" method to configure IKE.
To configure IKE, you need to
- Configure ISAKMP protection suite(s)
- Configure ISAKMP key
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
R1(config-isakmp)#lifetime 500
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#exit
R1(config)#crypto isakmp key ciscodisco address <s0 address of R3>
After this to configure IPSec, we need to:
- Create extended ACL
- Create IPSec transform
- Create crypto map
- Apply crypto map to interface
R1(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 13.1.1.0 0.0.0.255
! 13.1.1.0/24 is the subnet behind R3 peer
R1(config)#crypto ipsec transform-set budweiser esp-rfc1829
R1(config)#crypto map budlite 10 ipsec-isakmp
R1(config-crypto-map)#set peer <s0 address of R3>
R1(config-crypto-map)#set session-key lifetime seconds 4000
R1(config-crypto-map)#set transform-set budweiser
R1(config-crypto-map)#match address 101
! Apply the crypto map to the egress interface
R1(config)#int e0
R1(config-if)#crypto map budlite
Let us assume here that R1's routing table says
13.1.1.0/24 is available through int Tu 0,
and Tu 0 has a "tunnel source" of 11.0.0.1
and a "tunnel destination" of 12.0.0.2.
Also let us say that R2 is not aware of 10.1.1.0/24 or 13.1.1.0/24, which are
the protected networks behind the VPN tunnel endpoints...
Assuming there is a logical mirror image configuration at the R3 end, what are
your thoughts about this config,
and very importantly, when we specify the peer, what address of the peer do
we specify? Is it the <s0 address of R3> as I have mentioned in the config,
or could it be the Tu0 address of R3?
Also can you point out any other gotchas in getting this to work...any useful show
and debug commands..
Thanks for your time,
Sanjay
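One gotcha with the procedure above that is easy to check before touching a router: the crypto ACL on each peer must be the exact mirror image of the other's (source and destination swapped), and the address in "set peer" must be the same one the pre-shared key is bound to with "crypto isakmp key ... address". The script below is an added example, not part of the original post; it parses a constructed R1 config built from the commands in the post and a constructed mirror config for R3, and reports whether the two sides agree. The regular expressions, the helper names and the R3 addresses are assumptions of the example.

```python
"""Sanity checks for a pair of IOS IPsec peer configs (added example).

Assumptions (not from the post): only 'access-list N permit ip' entries,
'set peer' and 'crypto isakmp key ... address' lines are parsed; the R3
config is a constructed mirror of the R1 commands in the post.
"""
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample configs for the two tunnel endpoints in the diagram.
R1_CONFIG = """
crypto isakmp key ciscodisco address 12.0.0.2
access-list 101 permit ip 10.1.1.0 0.0.0.255 13.1.1.0 0.0.0.255
crypto map budlite 10 ipsec-isakmp
 set peer 12.0.0.2
 match address 101
"""

R3_CONFIG = """
crypto isakmp key ciscodisco address 11.0.0.1
access-list 101 permit ip 13.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map budlite 10 ipsec-isakmp
 set peer 11.0.0.1
 match address 101
"""

ACE_RE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
PEER_RE = re.compile(r"set peer\s+(\S+)")
KEY_RE = re.compile(r"crypto isakmp key\s+\S+\s+address\s+(\S+)")


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Convert an IOS address/wildcard pair (0.0.0.255 == /24) to a network.

    The wildcard is the inverted subnet mask, so 0.0.0.0 means a /32 host.
    A non-contiguous wildcard raises ValueError from IPv4Network.
    """
    netmask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wildcard)))
    return IPv4Network((addr, str(netmask)), strict=False)


def parse_crypto_acl(config: str, number: str) -> set:
    """Return the (source, destination) network pairs of crypto ACL `number`."""
    pairs = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == number:
            _, src, swc, dst, dwc = m.groups()
            pairs.add((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return pairs


def acls_are_mirrored(local: set, remote: set) -> bool:
    """Both peers must select the same traffic: every remote entry has to be a
    local entry with source and destination swapped, and vice versa."""
    return local == {(dst, src) for src, dst in remote}


def peer_and_key_agree(config: str) -> bool:
    """Every 'set peer' address needs a pre-shared key bound to that address,
    otherwise IKE has no key for the peer it tries to negotiate with."""
    peers = set(PEER_RE.findall(config))
    keys = set(KEY_RE.findall(config))
    return bool(peers) and peers <= keys


def check_pair(local_cfg: str, remote_cfg: str, acl: str = "101") -> dict:
    """Run all checks on a pair of peer configs and return the results."""
    local = parse_crypto_acl(local_cfg, acl)
    remote = parse_crypto_acl(remote_cfg, acl)
    return {
        "mirrored": acls_are_mirrored(local, remote),
        "local_peer_key": peer_and_key_agree(local_cfg),
        "remote_peer_key": peer_and_key_agree(remote_cfg),
    }


if __name__ == "__main__":
    print(check_pair(R1_CONFIG, R3_CONFIG))
```

Running it against the constructed pair prints all three checks as True; changing a single subnet on one side flips "mirrored" to False, which is the kind of one-sided typo that otherwise only shows up as a failed IPsec SA negotiation in the debug output.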
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:07 GMT-3