RE: ipsec

From: Rob Webber (rwebber@xxxxxxxxxxxx)
Date: Fri Dec 29 2000 - 14:59:47 GMT-3


   
Bill - Did you ever get this working? I finally got it to work. I've
included my configs and a "show crypto ipsec sa" below. I trimmed my
transform set down to just DES for simplicity. Another gotcha I found was
the key must be 8 bytes long, though the router will let you enter one even
if it's 2 bytes! If you ever got this working I'd be interested to see your
config. My network is:

R8-----hdlc-----R6-----FR Cloud-----R1
s0           s1 s0                  s0.2

The IPSec tunnel is going from s0 on R8 to s0.2 on R1 (though I used the
loopback address as the peer address). My routers are running 12.0(14).

Rob.

r1# show run
Building configuration...

Current configuration:
!
version 12.0
!
hostname r1
!
crypto ipsec transform-set myset esp-des
!
!
crypto map mymap local-address Loopback1
crypto map mymap 10 ipsec-manual
 set peer 10.8.1.1
 set session-key inbound esp 1000 cipher 1234567812345678
 set session-key outbound esp 1000 cipher 1234567812345678
 set transform-set myset
 match address 100
!
!
interface Loopback1
 ip address 10.1.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 logging event subif-link-status
 logging event dlci-status-change
 no fair-queue
!
interface Serial0.2 multipoint
 ip address 10.1.10.1 255.255.255.0
 no ip directed-broadcast
 ip ospf network point-to-multipoint
 ipx network AAA
 frame-relay interface-dlci 100
 frame-relay interface-dlci 101
 crypto map mymap
!
router ospf 1
 area 51 virtual-link 200.200.200.1
 network 10.1.1.0 0.0.0.255 area 0
 network 10.1.2.0 0.0.0.255 area 0
 network 10.1.10.0 0.0.0.255 area 51
 network 10.1.20.0 0.0.0.255 area 0
 network 172.32.10.0 0.0.0.255 area 0
!
ip classless
!
access-list 100 permit ip 10.1.2.0 0.0.0.255 10.8.1.0 0.0.0.255
!
!
!
end

r1#sho cr ipsec sa

interface: Serial0.2
    Crypto map tag: mymap, local addr. 10.1.2.1

   local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.8.1.0/255.255.255.0/0/0)
   current_peer: 10.8.1.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 0
    #send errors 26, #recv errors 0

     local crypto endpt.: 10.1.2.1, remote crypto endpt.: 10.8.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 3E8

     inbound esp sas:
      spi: 0x3E8(1000)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 18, crypto map: mymap
        no sa timing
        IV size: 8 bytes
        replay detection support: N

     inbound ah sas:

     outbound esp sas:
      spi: 0x3E8(1000)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 17, crypto map: mymap
        no sa timing
        IV size: 8 bytes
        replay detection support: N

     outbound ah sas:

r1#
r8#show run
Building configuration...

Current configuration:
!
hostname r8
!
crypto ipsec transform-set myset esp-des
!
!
crypto map mymap local-address Loopback0
crypto map mymap 10 ipsec-manual
 set peer 10.1.2.1
 set session-key inbound esp 1000 cipher 1234567812345678
 set session-key outbound esp 1000 cipher 1234567812345678
 set transform-set myset
 match address 100
clock timezone EST -5
clock summer-time EDT recurring
!
!
!
interface Loopback0
 ip address 10.8.1.1 255.255.255.0
 no ip directed-broadcast
 ipx network 8888
!
interface Serial0
 ip address 10.1.11.8 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip mroute-cache
 clockrate 2000000
 crypto map mymap
 bridge-group 1
!
router ospf 1
 passive-interface Ethernet0
 network 10.1.11.0 0.0.0.255 area 10
 network 10.8.1.0 0.0.0.255 area 10
 network 24.147.24.0 0.0.7.255 area 10
!
access-list 100 permit ip 10.8.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
!
end

r8#sho cr ipsec sa

interface: Serial0
    Crypto map tag: mymap, local addr. 10.8.1.1

   local ident (addr/mask/prot/port): (10.8.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   current_peer: 10.1.2.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.8.1.1, remote crypto endpt.: 10.1.2.1
     path mtu 1500, media mtu 1500
     current outbound spi: 3E8

     inbound esp sas:
      spi: 0x3E8(1000)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 17, crypto map: mymap
        no sa timing
        IV size: 8 bytes
        replay detection support: N

     inbound ah sas:

     outbound esp sas:
      spi: 0x3E8(1000)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 16, crypto map: mymap
        no sa timing
        IV size: 8 bytes
        replay detection support: N

     outbound ah sas:

r8#sho cr ipsec tr
Transform set myset: { esp-des }
   will negotiate = { Tunnel, },

r8#
[Resuming connection 1 to r1 ... ]

r1#
r8#ping
Protocol [ip]:
Target IP address: 10.1.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.8.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/76/80 ms
r8#sho cr ipsec sa

interface: Serial0
    Crypto map tag: mymap, local addr. 10.8.1.1

   local ident (addr/mask/prot/port): (10.8.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   current_peer: 10.1.2.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest 0
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.8.1.1, remote crypto endpt.: 10.1.2.1
     path mtu 1500, media mtu 1500
     current outbound spi: 3E8

     inbound esp sas:
      spi: 0x3E8(1000)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 17, crypto map: mymap
        no sa timing
        IV size: 8 bytes
        replay detection support: N

     inbound ah sas:

     outbound esp sas:
      spi: 0x3E8(1000)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 16, crypto map: mymap
        no sa timing
        IV size: 8 bytes
        replay detection support: N

     outbound ah sas:

r8#
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Bill Dellamar
Sent: Sunday, December 17, 2000 1:17 PM
To: ccielab@groupstudy.com
Subject: ipsec

Does anybody have a working config using either CET or
ipsec-manual and what version of IOS.

I am able to get ipsec-isakmp working on 12.1(1)T,
however I wasn't able to get CET or ipsec-manual
working.

crypto map router_A 10 ipsec-manual
  set peer
  set transform-set
  etc...

Apparently CET is end-of-life but is supported in IOS
version 12.

Thanks,
Bill
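
The key-length gotcha above (IOS accepts a DES session key shorter than 8 bytes and the SA then simply never passes traffic) and the need for the two peers' manual SAs to mirror each other are both easy to check mechanically. The following linter is an added example, not code from the thread or from either poster; it parses the ipsec-manual parts of a "show run" from each peer and reports keys whose hex length does not match the transform, plus SPIs, key bytes, transform sets and crypto ACLs that do not line up between the two sides. The per-transform key-size table, the pairing of entries by map name and sequence number, and the sample configs (trimmed copies of the r1/r8 configs above plus a constructed variant with a 2-byte key) are this example's own assumptions.

```python
"""Lint a pair of IOS ipsec-manual crypto maps for the mistakes that leave a
manually keyed tunnel silently dead.  Added example; not from the thread."""
import re

# Key length in bytes each manual-keyed transform expects (assumed table).
KEY_BYTES = {"esp-des": 8, "esp-3des": 24, "esp-md5-hmac": 16,
             "esp-sha-hmac": 20, "ah-md5-hmac": 16, "ah-sha-hmac": 20}

RE_TS = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
RE_MAP = re.compile(r"^crypto map (\S+) (\d+) ipsec-manual$")
RE_KEY = re.compile(r"^\s+set session-key (inbound|outbound) (esp|ah) (\d+) (.+)$")
RE_ACL = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_crypto(config):
    """Pull transform sets, ipsec-manual map entries and crypto ACLs out of a
    'show run'.  Map entries are keyed by (map name, sequence number)."""
    ts, maps, acls, cur = {}, {}, {}, None
    for line in config.splitlines():
        line = line.rstrip()
        if m := RE_TS.match(line):
            ts[m.group(1)] = m.group(2).split()
        elif m := RE_MAP.match(line):
            cur = maps.setdefault((m.group(1), int(m.group(2))), {"keys": {}})
        elif m := RE_ACL.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif cur is not None and line.startswith(" "):
            words = line.split()
            if m := RE_KEY.match(line):
                direction, proto, spi, rest = m.groups()
                toks, key = rest.split(), {"spi": int(spi)}
                if proto == "ah":          # "set session-key ... ah SPI HEX"
                    key["ah"] = toks[0]
                else:                      # "... esp SPI cipher HEX [authenticator HEX]"
                    for i in range(0, len(toks) - 1, 2):
                        key["esp-" + toks[i]] = toks[i + 1]
                cur["keys"][direction] = key
            elif words[:2] == ["set", "peer"]:
                cur["peer"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                cur["transform"] = words[2]
            elif words[:2] == ["match", "address"]:
                cur["acl"] = words[2]
        else:
            cur = None  # "!" or any other top-level line closes the map entry
    return {"transforms": ts, "maps": maps, "acls": acls}


def _slot(transform):
    """Which session-key component a transform consumes."""
    if transform in ("esp-des", "esp-3des"):
        return "esp-cipher"
    if transform in ("esp-md5-hmac", "esp-sha-hmac"):
        return "esp-authenticator"
    return "ah" if transform.startswith("ah-") else None


def check_entry(entry, transforms):
    """Findings for one map entry on its own: missing, non-hex or wrong-length keys."""
    out = []
    for direction in ("inbound", "outbound"):
        key = entry["keys"].get(direction)
        if key is None:
            out.append(f"{direction}: no session key set")
            continue
        for t in transforms.get(entry.get("transform"), []):
            slot, hexkey = _slot(t), key.get(_slot(t))
            if slot is None:
                continue
            if hexkey is None:
                out.append(f"{direction}: {t} needs a key in slot '{slot}'")
            elif not re.fullmatch(r"[0-9A-Fa-f]+", hexkey):
                out.append(f"{direction}: {t} key is not hex")
            elif len(hexkey) != 2 * KEY_BYTES[t]:
                out.append(f"{direction}: {t} key is {len(hexkey) // 2} bytes, "
                           f"needs {KEY_BYTES[t]}")
    return out


def check_pair(ea, pa, eb, pb, la, lb):
    """A's inbound SA must equal B's outbound SA (SPI and key bytes) and vice
    versa; transform sets must agree; crypto ACLs must be mirror images."""
    out = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        ka, kb = ea["keys"].get(mine), eb["keys"].get(theirs)
        if ka is not None and kb is not None and ka != kb:
            out.append(f"{la} {mine} SA differs from {lb} {theirs} SA")
    if pa["transforms"].get(ea.get("transform")) != pb["transforms"].get(eb.get("transform")):
        out.append(f"{la}/{lb}: transform sets differ")
    acl_a = sorted(pa["acls"].get(ea.get("acl"), []))
    mirror_b = sorted((d, dw, s, sw) for s, sw, d, dw in pb["acls"].get(eb.get("acl"), []))
    if acl_a != mirror_b:
        out.append(f"{la}/{lb}: crypto ACLs are not mirror images")
    return out


def lint(config_a, config_b, la="A", lb="B"):
    """All findings for a peer pair; [] means the manual SAs should line up.
    Assumption: matching entries share map name and sequence number."""
    pa, pb = parse_crypto(config_a), parse_crypto(config_b)
    out = []
    for label, p in ((la, pa), (lb, pb)):
        for (name, seq), e in p["maps"].items():
            out += [f"{label} {name} {seq} {f}" for f in check_entry(e, p["transforms"])]
    for ident, ea in pa["maps"].items():
        if ident not in pb["maps"]:
            out.append(f"{lb} has no entry {ident[0]} {ident[1]}")
        else:
            out += check_pair(ea, pa, pb["maps"][ident], pb, la, lb)
    return out


# Trimmed copies of the r1 and r8 configs from the thread.
R1_CONFIG = """\
crypto ipsec transform-set myset esp-des
!
crypto map mymap local-address Loopback1
crypto map mymap 10 ipsec-manual
 set peer 10.8.1.1
 set session-key inbound esp 1000 cipher 1234567812345678
 set session-key outbound esp 1000 cipher 1234567812345678
 set transform-set myset
 match address 100
!
access-list 100 permit ip 10.1.2.0 0.0.0.255 10.8.1.0 0.0.0.255
"""
R8_CONFIG = """\
crypto ipsec transform-set myset esp-des
!
crypto map mymap local-address Loopback0
crypto map mymap 10 ipsec-manual
 set peer 10.1.2.1
 set session-key inbound esp 1000 cipher 1234567812345678
 set session-key outbound esp 1000 cipher 1234567812345678
 set transform-set myset
 match address 100
!
access-list 100 permit ip 10.8.1.0 0.0.0.255 10.1.2.0 0.0.0.255
"""
# Constructed variant: the 2-byte DES key that IOS accepts without complaint.
R8_SHORT_KEY = R8_CONFIG.replace("inbound esp 1000 cipher 1234567812345678",
                                 "inbound esp 1000 cipher 1234")

if __name__ == "__main__":
    for name, cfg in (("thread configs", R8_CONFIG), ("2-byte DES key", R8_SHORT_KEY)):
        print(name, "->", lint(R1_CONFIG, cfg, "r1", "r8") or ["OK"])
```

Run against the thread's two configs the linter returns no findings; against the 2-byte variant it reports both the short r8 inbound key and that r1's outbound SA no longer matches r8's inbound SA, which is exactly the asymmetry that shows up as encaps on one side with no decaps on the other in "show crypto ipsec sa".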



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:26:13 GMT-3