From: Alan Simpkins (alan_simpkins@xxxxxxxxx)
Date: Thu Aug 10 2000 - 14:41:24 GMT-3
Yes but again, you can configure more than one transform set.
--- Kenny Sallee <mischa@worldshare.net> wrote:
> I don't think the peers will negotiate the transform set. If that were
> true, IPSec would be easier to hack. From my experience, if the transform
> sets don't match, phase 2 does not complete. As I understand it, if the
> IPSec endpoints can't determine which algorithms to use (esp, ah, des,
> 3des) then they won't talk.... Also, if you read the output below from CCO:
>
> > The transform set defined in the crypto map entry will be used in the
> > IPSec security association negotiation to protect the data flows
> > specified by that crypto map entry's access list.
>
> That itself says the crypto map will only use the specified transform
> set.... That's how I read it anyway..
>
> Kenny
>
>
> ----- Original Message -----
> From: "Alan Simpkins" <alan_simpkins@yahoo.com>
> To: "Kenny Sallee" <mischa@worldshare.net>;
> <Padhu@steinroe.com>;
> <ccielab@groupstudy.com>
> Sent: Thursday, August 10, 2000 7:52 AM
> Subject: Re: IPSEC / ISAKMP sample config
>
>
> > I may be wrong here but as I recall, the peers need to be able to
> > negotiate at least 1 transform set. I do not think all of them have to
> > match, but I believe at least one must. Some peers may support transform
> > sets others do not. See the following blurb from CCO docs:
> >
> > A transform set represents a certain combination of security protocols
> > and algorithms. During the IPSec security association negotiation, the
> > peers agree to use a particular transform set for protecting a
> > particular data flow.
> >
> > You can specify multiple transform sets, and then specify one or more of
> > these transform sets in a crypto map entry. The transform set defined in
> > the crypto map entry will be used in the IPSec security association
> > negotiation to protect the data flows specified by that crypto map
> > entry's access list.
> >
> > During IPSec security association negotiations with IKE, the peers search
> > for a transform set that is the same at both peers. When such a
> > transform set is found, it is selected and will be applied to the
> > protected traffic as part of both peers' IPSec security associations.
> >
> > --- Kenny Sallee <mischa@worldshare.net> wrote:
> > > First off your transform sets don't match:
> > >
> > > crypto ipsec transform-set r5 ah-md5-hmac esp-des
> > >
> > > crypto ipsec transform-set r6 esp-des esp-md5-hmac
> > >
> > > These need to match for phase 2 to complete (I think it is anyway,
> > > maybe phase 1). It looked like from the debug that phase 1 completed
> > > (pre-shared keys were exchanged and matched) but phase 2 did not..
> > >
> > > Also, I think your ACLs are wrong. You need to permit the return
> > > traffic in both directions depending on the direction(s) you want to
> > > encrypt telnet.
> > >
> > > So for R5:
> > >
> > > access-list 105 permit tcp any any eq telnet log
> > > access-list 105 permit tcp any eq 23 any gt 1023
> > >
> > > and the same on the other router
> > >
> > > Kenny
> > >
> > >
> > > ----- Original Message -----
> > > From: <Padhu@steinroe.com>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Wednesday, August 09, 2000 10:53 AM
> > > Subject: IPSEC / ISAKMP sample config
> > >
> > >
> > > > I am trying this and it isn't working for me ...My first time.. so
> > > > obviously I am overlooking something.. Can any one take a look at the
> > > > config and comment on it ? thanks.
> > > >
> > > > I have defined telnet to be the only traffic interesting for
> > > > encryption..
> > > >
> > > > Cheers, Padhu
> > > >
> > > > <<ipsec.TXT>> <<ipsecdebug.TXT>>
> > > >
> > >
> > >
> >
>
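The transform-set search that the CCO text quoted above describes, modelled in Python as an added example (not code from any message in this thread): the two configs are constructed from the thread's r5/r6 lines since the ipsec.TXT attachment is not on the page, and the crypto map name "VPN", the extra set "r6-alt", and the assumption that a peer offers its sets in the order listed are all mine.

```python
import re

# Constructed sample configs modelled on the thread's "r5"/"r6" lines; the
# original ipsec.TXT attachment is not on the page, and the crypto map name
# "VPN" and the extra set "r6-alt" are assumptions for the demonstration.
R5_CONFIG = """
crypto ipsec transform-set r5 ah-md5-hmac esp-des
crypto map VPN 10 ipsec-isakmp
 set transform-set r5
"""
R6_CONFIG = """
crypto ipsec transform-set r6 esp-des esp-md5-hmac
crypto ipsec transform-set r6-alt ah-md5-hmac esp-des
crypto map VPN 10 ipsec-isakmp
 set transform-set r6 r6-alt
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+)$")
MAP_RE = re.compile(r"^\s*set transform-set\s+(.+)$")


def parse_proposals(config):
    """Return the transform sets a crypto map entry offers, in the order
    listed, each as a frozenset of transforms so that config ordering
    (esp-des esp-md5-hmac vs esp-md5-hmac esp-des) does not matter."""
    defined, offered = {}, []
    for line in config.strip().splitlines():
        m = TS_RE.match(line)
        if m:
            defined[m.group(1)] = frozenset(m.group(2).split())
            continue
        m = MAP_RE.match(line)
        if m:
            for name in m.group(1).split():
                if name not in defined:
                    raise ValueError(f"undefined transform-set {name}")
                offered.append(defined[name])
    return offered


def negotiate(initiator, responder):
    """The search the CCO text describes: walk the initiator's proposals in
    order and select the first one the responder also has. None means the
    peers share no transform set and phase 2 cannot complete."""
    for proposal in initiator:
        if proposal in responder:
            return proposal
    return None
```

With only r5 and r6 defined, as in Padhu's config, `negotiate` returns None (no common set, which is the phase 2 failure Kenny saw in the debug); once R6 also offers r6-alt, the peers agree on ah-md5-hmac/esp-des even though their first-listed sets still differ.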
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:23 GMT-3