RE: IPsec question

From: Simon Baxter (Simon.Baxter@xxxxxxxxxxxxxx)
Date: Thu Sep 14 2000 - 00:52:27 GMT-3


   

Tried it as set up in the docs - works fine. Quite cleverly tells you if
there's no matching ACL or transform set with the !incomplete flag....

-----Original Message-----
From: c_SapirJe@BAM.com [mailto:c_SapirJe@BAM.com]
Sent: Thursday, September 14, 2000 12:30 PM
To: Simon Baxter; kbaumgar@cisco.com; c_SapirJe@BAM.com
Cc: ccielab@groupstudy.com
Subject: RE: IPsec question

Yeah, that's what I was looking for - the example given is
crypto ipsec transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
  match address 102
  set transform-set someset
  set peer 10.0.0.5
  set session-key inbound ah 256 98765432109876549876543210987654
  set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
  set session-key inbound esp 256 cipher 0123456789012345
  set session-key outbound esp 256 cipher abcdefabcdefabcd
I can't test this now - but with shorter keys and one algorithm I think this
would be easier to remember for test purposes. Maybe I can even paste it in
from the command reference <grin>.

-----Original Message-----
From: Simon Baxter [mailto:Simon.Baxter@au.logical.com]
Sent: Wednesday, September 13, 2000 11:24 PM
To: Kevin Baumgartner; c_SapirJe@BAM.com
Cc: ccielab@groupstudy.com
Subject: RE: IPsec question

What about :

ipsec-manual Indicates that IKE will not be used to establish the IPSec
security associations for protecting the traffic specified by this crypto
map entry.

I'm trying to get this working -

-----Original Message-----
From: Kevin Baumgartner [mailto:kbaumgar@cisco.com]
Sent: Thursday, September 14, 2000 12:13 PM
To: c_SapirJe@BAM.com
Cc: ccielab@groupstudy.com
Subject: Re: IPsec question

 So how are you going to do the key exchange to set up the tunnel
if you don't use isakmp or some other key-exchange method?
That's the problem I have with the CCO document. It keeps isakmp
and IPSEC as separate documents but you need both for IPSEC to work.

 Kevin

>
> Thanks David, but I was looking for one with no isakmp commands. No
> particular reason....CCO just says these commands are optional - I'm
> wondering how this can be done.
> -Jeff
>
> -----Original Message-----
> From: David H. Brown [mailto:DHBrown@PipeLine.com]
> Sent: Wednesday, September 13, 2000 9:45 PM
> To: c_SapirJe@BAM.com; ccielab@groupstudy.com
> Subject: RE: IPsec question
>
>
> Here is a quick scenario I made up today (with configs). It is not pretty,
> let me know if you have any questions. I will try to make a better drawing
> and post it in the zip file.
>
> It's attached or: http://www.pipeline.com/~dhbrown/IPSec.zip
>
> David
> (RTP lab 9/18)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> c_SapirJe@BAM.com
> Sent: Wednesday, September 13, 2000 7:35 PM
> To: ccielab@groupstudy.com
> Subject: IPsec question
>
>
> In the docs it says you can configure IPsec without IKE, but there are no
> examples. I tried it and I get the message - warning - no key! by
> following the example in the IPsec configuration section (says it's a
> partial config). I'd like to see a complete but minimalist crypto config.
> Any takers?
> -Jeff
>
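
Added example, not part of the original thread or of Cisco's documentation: a small offline checker for the kind of ipsec-manual entry discussed above, flagging the gaps that leave a manually keyed map unusable (no peer or ACL, undefined transform set, missing or too-short session keys). The function name and sample config are hypothetical; the minimum key sizes assumed are DES 8, MD5 16 and SHA 20 bytes, and the script does not reproduce IOS's own checks.

```python
import re

# transform -> (session-key field holding its key, minimum key size in bytes)
TRANSFORMS = {"ah-md5-hmac": ("ah", 16), "ah-sha-hmac": ("ah", 20),
              "esp-des": ("cipher", 8), "esp-md5-hmac": ("authenticator", 16),
              "esp-sha-hmac": ("authenticator", 20)}
KEY_RE = re.compile(r"set session-key (inbound|outbound) (?:ah|esp) \d+ (.+)")

def check_manual_maps(config):
    """Return a list of problems in each 'ipsec-manual' crypto map entry."""
    tsets, entries, cur = {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"crypto (?:ipsec )?transform-set (\S+) (.+)", line):
            tsets[m[1]], cur = m[2].split(), None
        elif m := re.match(r"crypto map (\S+ \d+) ipsec-manual", line):
            cur = {"id": m[1], "seen": set(), "tset": None, "keys": {}}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith(("match address ", "set peer ")):
            cur["seen"].add(line.split()[1])
        elif line.startswith("set transform-set "):
            cur["tset"] = line.split()[2]
        elif m := KEY_RE.match(line):
            words = m[2].split()
            words = ["ah"] + words if len(words) == 1 else words  # AH: bare key
            cur["keys"].update({(m[1], k): v for k, v in zip(words[::2], words[1::2])})
    problems = []
    for e in entries:
        problems += [f"{e['id']}: missing {w}"
                     for w in ("address", "peer") if w not in e["seen"]]
        if e["tset"] not in tsets:
            problems.append(f"{e['id']}: transform set missing or undefined")
        for t in tsets.get(e["tset"], []):
            kind, nbytes = TRANSFORMS.get(t, (None, 0))
            for d in ("inbound", "outbound") if kind else ():
                key = e["keys"].get((d, kind))
                if key is None:
                    problems.append(f"{e['id']}: no {d} key for {t}")
                elif len(key) < 2 * nbytes:  # keys are hex: 2 digits per byte
                    problems.append(f"{e['id']}: {d} key for {t} shorter than {nbytes} bytes")
    return problems

# Constructed sample: one-transform entry, short inbound key, no outbound key.
SAMPLE = """crypto ipsec transform-set t1 esp-des
crypto map m1 10 ipsec-manual
 match address 102
 set transform-set t1
 set session-key inbound esp 256 cipher 01234567
"""
```

check_manual_maps(SAMPLE) reports the missing peer, the short inbound key and the absent outbound key; the config quoted in the thread passes with no findings.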



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:55 GMT-3