Re: IPsec question

From: damien (damien@xxxxxxxxxxx)
Date: Sat Sep 16 2000 - 12:21:43 GMT-3


   
Find below an example of IPsec manual configuration of 2 router peers:

! Cisco IOS configuration for router-1603, one of two peers in a manually
! keyed IPsec setup (no IKE); the remote peer is 10.16.137.1
version 11.3
! with password-encryption off, the enable password and line password below
! are stored and displayed in cleartext
no service password-encryption
! the small servers (echo, discard, chargen, daytime) are not needed for IPsec;
! hardened configs disable them with the "no" form of these two commands
service udp-small-servers
service tcp-small-servers
!
hostname router-1603
!
! the enable secret value was removed by the poster
enable secret (*deleted*)
! when an enable secret is configured IOS checks it instead of the enable
! password, so this cleartext value only adds exposure to the config
enable password cisco2
!
! static host-name entries
ip host r1603 172.16.24.1
ip host nt 172.16.10.19
ip host other 172.16.24.1
ip host peer 10.16.137.1
!
! not using IKE - manual key config
no crypto isakmp enable
!
! multiple transform sets are defined, but the crypto map below references
! only encrypt-des; the two AH sets (auth-md5, auth-sha) are unused
crypto ipsec transform-set auth-md5 ah-md5-hmac
crypto ipsec transform-set auth-sha ah-sha-hmac
crypto ipsec transform-set encrypt-des esp-des
!
! crypto map set up to do des encryption only on all traffic that matches
! the first permit entry of access-list 120
! DES requires 8-byte keys; any additional bytes are ignored
! an authenticator key value is specified to get around a parser bug
! NOTE(review): esp-des alone gives confidentiality without integrity
! protection (neither authenticating transform set is applied), and DES has a
! 56-bit effective key
! NOTE(review): manual session keys stay fixed until they are changed by hand
! on both peers - there is no automatic rekeying
! the inbound SPI/key pair here (1001) is the outbound pair in the router-1601
! config, and the outbound pair here (1000) is its inbound pair
! each "set session-key ... cipher <key> authenticator 01" appears to be a
! single command that the mail wrapped onto two or three lines
crypto map testcase 8 ipsec-manual
set peer 10.16.137.1
set session-key inbound esp 1001 cipher cab22222222222cab22222222222
authenticator 01
set session-key outbound esp 1000 cipher beef1111111111beef1111111111
authenticator
01
set transform-set encrypt-des
match address 120
!
interface Loopback0
ip address 192.168.45.1 255.255.255.0
!
interface Ethernet0
ip address 192.168.29.1 255.255.255.0
!
! Apply crypto map to interface
! Serial0 (10.16.137.2) is the link toward the peer 10.16.137.1
interface Serial0
ip address 10.16.137.2 255.255.255.0
clockrate 148000
crypto map testcase
!
interface BRI0
no ip address
encapsulation ppp
no ip route-cache
no ip mroute-cache
shutdown
!
router eigrp 100
network 10.0.0.0
network 192.168.29.0
network 192.168.45.0
!
no ip classless
! access-list 120 selects what the crypto map encrypts: only TCP from host
! 192.168.29.212 to host 172.16.10.19; traffic that does not match is
! forwarded on Serial0 unprotected
access-list 120 permit tcp host 192.168.29.212 host 172.16.10.19
! exec shortcuts for clearing SAs and turning on IPsec/IKE debugging
alias exec clsa clear crypto sa
alias exec clike clear crypto isakmp
alias exec dipsec debug crypto ipsec
alias exec dike debug crypto isakmp
!
! exec-timeout 0 0 disables the idle timeout on the console line
line con 0
exec-timeout 0 0
! vty logins are checked against a line password kept in cleartext
line vty 0 4
password cisco
login
!
end

Scenarios 3-7
! Cisco IOS configuration for router-1601, the other peer of the manually
! keyed IPsec pair (no IKE); the remote peer is 10.16.137.2
version 11.3
! with password-encryption off, the enable password below is stored and
! displayed in cleartext
no service password-encryption
! the small servers (echo, discard, chargen, daytime) are not needed for IPsec;
! hardened configs disable them with the "no" form of these two commands
service udp-small-servers
service tcp-small-servers
!
hostname router-1601
!
boot system flash
! type 5 (MD5-based) hash of the enable secret; because it appears in a
! public post, the secret should be regarded as exposed and replaced on any
! real device
enable secret 5 $1$WFll$1.K8jQc9LAdGTe91fy6zy0
! when an enable secret is configured IOS checks it instead of the enable
! password, so this cleartext value only adds exposure to the config
enable password cisco2
!
! static host-name entries
ip host r1601 192.168.29.1
ip host r1603 172.16.24.1
ip host w95 192.168.29.212
ip host other 192.168.29.1
ip host peer 10.16.137.2
!
! NOT using IKE, doing a manual key
no crypto isakmp enable
!
! multiple transform sets are defined, but the crypto map below references
! only encrypt-des; the two AH sets (auth-md5, auth-sha) are unused
crypto ipsec transform-set auth-md5 ah-md5-hmac
crypto ipsec transform-set auth-sha ah-sha-hmac
crypto ipsec transform-set encrypt-des esp-des
!
! this crypto map is set up to do only encryption using des for tcp traffic
! matching the first permit entry of access-list 120
! DES requires 8-byte keys; any additional bytes are ignored
! the authenticator key value is specified to get around a parser bug
! NOTE(review): esp-des alone gives confidentiality without integrity
! protection (neither authenticating transform set is applied), and DES has a
! 56-bit effective key
! NOTE(review): manual session keys stay fixed until they are changed by hand
! on both peers - there is no automatic rekeying
! the inbound SPI/key pair here (1000) is the outbound pair in the router-1603
! config, and the outbound pair here (1001) is its inbound pair
! each "set session-key ... cipher <key> authenticator 01" appears to be a
! single command that the mail wrapped onto two or three lines
crypto map testcase 8 ipsec-manual
set peer 10.16.137.2
set session-key inbound esp 1000 cipher beef1111111111beef1111111111
authenticator 01
set session-key outbound esp 1001 cipher cab22222222222cab22222222222
authenticator
01
set transform-set encrypt-des
match address 120
!
!
interface Loopback0
ip address 172.16.24.1 255.255.255.0
!
interface Ethernet0
ip address 172.16.10.1 255.255.255.0
!
! Crypto map applied to interface
! Serial0 (10.16.137.1) is the link toward the peer 10.16.137.2
interface Serial0
ip address 10.16.137.1 255.255.255.0
crypto map testcase
!
interface BRI0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
! the posted listing stops here: access-list 120 (referenced by
! "match address 120"), routing and line configuration are not shown for
! this router

----- Original Message -----
From: <c_SapirJe@BAM.com>
To: <ccielab@groupstudy.com>
Sent: Wednesday, September 13, 2000 11:34 PM
Subject: IPsec question

> In the docs it says you can configure IPsec without IKE, but there are no
> examples. I tried it and I get the message - warning - no key! by
> following the example in the IPsec configuration section (says it's a
> partial config). I'd like to see a complete but minimalist crypto config.
> Any takers?
> -Jeff
>


