Re: IPSEC / ISAKMP sample config

From: Alan Simpkins (alan_simpkins@xxxxxxxxx)
Date: Thu Aug 10 2000 - 11:52:26 GMT-3

• Next message: Sam Munzani: "Re: BGP routing loop?"
• Previous message: Vijaykrishna: "Re: ospf on demand-circuit"
• Maybe in reply to: Padhu@xxxxxxxxxxxx: "IPSEC / ISAKMP sample config"
• Next in thread: Kenny Sallee: "Re: IPSEC / ISAKMP sample config"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
I may be wrong here but as I recall, the peers need to
be able to negotiate at least 1 transform set, I do
not think all of them have to match, but I believe at
least must. Some peers may support transform set
others do not. see the follpwing blurb from CCO docs:

A transform set represents a certain combination of
security protocols and algorithms. During the IPSec
security association negotiation, the peers agree to
use a particular transform set for protecting a
particular data flow.

You can specify multiple transform sets, and then
specify one or more of these transform sets in a
crypto map entry. The transform set defined in the
crypto map entry will be used in the IPSec security
association negotiation to protect the data flows
specified by that crypto map entry's access list.

During IPSec security association negotiations with
IKE, the peers search for a transform set that is the
same at both peers. When such a transform set is
found, it is selected and will be applied to the
protected traffic as part of both peers' IPSec
security associations

--- Kenny Sallee <mischa@worldshare.net> wrote:
> First off your transform sets don't match:
>
>
> crypto ipsec transform-set r5 ah-md5-hmac esp-des
>
> crypto ipsec transform-set r6 esp-des esp-md5-hmac
>
> These need to match for phase 2 to complete ( I
> think it is anyway maybe
> phase 1). It looked like from the debug that phase
> 1 completed ( pre-shared
> keys were exchanged and matched ) but phase 2 did
> not..
>
> Also, I think your ACL's are wrong. You need to
> permit the return traffic
> in both directions depending on the direction(s) you
> want to encrypt telnet.
>
> So for R5:
>
> access-list 105 permit tcp any any eq telnet log
> access-list 105 permit tcp any eq 23 any gt 1023
>
> and the same on the other router
>
> Kenny
>
>
> ----- Original Message -----
> From: <Padhu@steinroe.com>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, August 09, 2000 10:53 AM
> Subject: IPSEC / ISAKMP sample config
>
>
> > I am trying this and it isnt working for me ...My
> first time.. so
> obviously
> > i am overlooking something..Can any one take a
> look at the
> > config and comment on it ? thanks.
> >
> > I have defined telnet to be the only traffic
> interesting for encryption..
> >
> > Cheers,Padhu
> >
> > <<ipsec.TXT>> <<ipsecdebug.TXT>>
> >
>
>

• Next message: Sam Munzani: "Re: BGP routing loop?"
• Previous message: Vijaykrishna: "Re: ospf on demand-circuit"
• Maybe in reply to: Padhu@xxxxxxxxxxxx: "IPSEC / ISAKMP sample config"
• Next in thread: Kenny Sallee: "Re: IPSEC / ISAKMP sample config"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:23 GMT-3