RE: IPSEC / ISAKMP sample config

From: Simon Baxter (Simon.Baxter@xxxxxxxxxxxxxx)
Date: Thu Aug 10 2000 - 04:29:49 GMT-3


I've just had all sorts of problems with reliability (in a prod network)
with the keyword 'any' being used in any of the ACLs. Cisco TAC strongly
recommends not using 'any', as do the docs. Also, make sure the addresses
match EXACTLY at either end.

i.e.

A-end
access-list 105 permit tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 eq telnet log

B-end
access-list 106 permit tcp 20.20.20.0 0.0.0.255 eq 23 10.10.10.0 0.0.0.255 gt 1023

Even if the address masks don't match (24 bits at one end, 16 at the other)
there will very likely be problems with reliability.

I still have to go through all the more difficult bits of IPSEC as I
basically cut and pasted most of the prod config.

-----Original Message-----
From: Kenny Sallee [mailto:mischa@worldshare.net]
Sent: Thursday, August 10, 2000 5:08 PM
To: Padhu@steinroe.com; ccielab@groupstudy.com
Subject: Re: IPSEC / ISAKMP sample config

First off your transform sets don't match:

crypto ipsec transform-set r5 ah-md5-hmac esp-des

crypto ipsec transform-set r6 esp-des esp-md5-hmac

These need to match for phase 2 to complete (I think it is, anyway; maybe
phase 1). It looked like from the debug that phase 1 completed (pre-shared
keys were exchanged and matched) but phase 2 did not.

Also, I think your ACLs are wrong. You need to permit the return traffic
in both directions depending on the direction(s) you want to encrypt telnet.

So for R5:

access-list 105 permit tcp any any eq telnet log
access-list 105 permit tcp any eq 23 any gt 1023

and the same on the other router

Kenny

----- Original Message -----
From: <Padhu@steinroe.com>
To: <ccielab@groupstudy.com>
Sent: Wednesday, August 09, 2000 10:53 AM
Subject: IPSEC / ISAKMP sample config

> I am trying this and it isn't working for me... My first time, so
> obviously I am overlooking something. Can anyone take a look at the
> config and comment on it? Thanks.
>
> I have defined telnet to be the only traffic interesting for encryption.
>
> Cheers, Padhu
>
> <<ipsec.TXT>> <<ipsecdebug.TXT>>
>
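As an added example that is not from any of the posts above, the following Python checker applies the two rules the thread arrives at: the crypto ACL at one end must be the exact mirror of the other end's (addresses, wildcard masks and port qualifiers swapped, nothing left as 'any'), and both transform sets must list the same transforms. It parses only the extended-ACL shape used in these posts; the port-name table is an assumption covering a few common IOS names.

```python
import re

# One extended ACE in the shape the thread uses:
#   access-list N permit|deny PROTO SRC [OP PORT] DST [OP PORT] [log]
ADDR = r"(?:any|host \d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
PORT = r"(?:eq|gt|lt|neq) \S+"
ACE_RE = re.compile(
    rf"access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{ADDR})(?: (?P<sport>{PORT}))? (?P<dst>{ADDR})(?: (?P<dport>{PORT}))?"
    r"(?: log)?$"
)
# IOS accepts port names; normalise so 'eq telnet' and 'eq 23' compare equal (assumed table)
PORT_NAMES = {"telnet": "23", "ssh": "22", "ftp": "21", "www": "80"}

def parse_ace(line):
    """Parse one ACE into its fields; raises if the line is not in the expected shape."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed ACE: {line!r}")
    ace = m.groupdict()
    for key in ("sport", "dport"):
        if ace[key]:
            op, port = ace[key].split()
            ace[key] = f"{op} {PORT_NAMES.get(port, port)}"
    return ace

def mirror_of(ace):
    """The ACE the far end must carry: source and destination (with their ports) swapped."""
    return {**ace, "src": ace["dst"], "sport": ace["dport"],
            "dst": ace["src"], "dport": ace["sport"]}

def check_pair(a_line, b_line):
    """Return the problems found; an empty list means B is the exact mirror of A with no 'any'."""
    a, b = parse_ace(a_line), parse_ace(b_line)
    problems = []
    for end, ace in (("A", a), ("B", b)):
        if "any" in (ace["src"], ace["dst"]):
            problems.append(f"{end}-end uses 'any'")
    want = mirror_of(a)
    for field in ("proto", "src", "sport", "dst", "dport"):
        if want[field] != b[field]:
            problems.append(f"{field}: mirror of A-end wants {want[field]!r}, B-end has {b[field]!r}")
    return problems

def transform_sets_match(a_line, b_line):
    """True when both 'crypto ipsec transform-set NAME ...' lines list the same transforms."""
    return frozenset(a_line.split()[4:]) == frozenset(b_line.split()[4:])

if __name__ == "__main__":  # constructed sample pair, not taken from the thread
    print(check_pair("access-list 105 permit tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 eq telnet log",
                     "access-list 106 permit tcp 20.20.20.0 0.0.0.255 eq 23 10.10.10.0 0.0.0.255"))
```

A port qualifier present at one end only (for example a return-port 'gt 1023' with nothing matching it on the other side) is reported as a mismatch too, since the far end's entry is compared field by field against the exact mirror.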

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:23 GMT-3