From: Stanford Wong - CNS (stanford@xxxxxxxxxxxxxx)
Date: Mon Jan 22 2001 - 06:42:43 GMT-3
I have a question regarding IPSEC.
Besides using a packet sniffer, how could you tell that your packets are
indeed being encrypted? I have looked at the Cisco CD under this link -
http://127.0.0.1:8080/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141717
but the commands listed only show you how to see if your configurations
have been accepted.
What I have been doing is setting up a tunnel between two routers. When you
apply the crypto map to the interface, do you apply it to the Tunnel
interface or to the Physical interface? My feeling is to apply it to the
tunnel interface, but what IP do you set the peer address to? The distant
tunnel IP or the physical interface? Getting late and I think I am
confusing the hell out of myself.
Attached are the two router configs:
==================================================================
rd#sho running-config
crypto ipsec transform-set ccie esp-des esp-md5-hmac
!
crypto map test-ccie 10 ipsec-isakmp
set peer 100.0.0.1
set transform-set ccie
match address 100
!
interface Loopback10
ip address 10.4.4.1 255.255.255.0
!
interface Loopback20
ip address 10.5.5.1 255.255.255.0
!
interface Tunnel0
ip address 10.3.3.2 255.255.255.0
tunnel source FastEthernet0
tunnel destination 100.0.0.1
!
interface FastEthernet0
ip address 100.0.0.2 255.255.255.0
speed auto
crypto map test-ccie
!
router ospf 1
log-adjacency-changes
area 4 range 10.4.0.0 255.255.0.0
area 5 range 10.5.5.0 255.255.255.0
network 10.3.3.2 0.0.0.0 area 0
network 10.4.4.1 0.0.0.0 area 4
network 10.5.5.1 0.0.0.0 area 5
!
access-list 100 permit ip host 10.4.4.1 host 10.1.1.1
=======================================================
rc#sho running-config
crypto ipsec transform-set ccie esp-des esp-md5-hmac
!
!
crypto map test-ccie 10 ipsec-isakmp
set peer 100.0.0.2
set transform-set ccie
match address 100
cns event-service server
!
interface Loopback10
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
!
interface Loopback20
ip address 10.2.2.1 255.255.255.0
no ip directed-broadcast
!
interface Tunnel1
ip address 10.3.3.1 255.255.255.0
no ip directed-broadcast
tunnel source FastEthernet0
tunnel destination 100.0.0.2
!
interface FastEthernet0
ip address 100.0.0.1 255.255.255.0
no ip directed-broadcast
full-duplex
crypto map test-ccie
!
router ospf 1
network 10.1.1.1 0.0.0.0 area 1
network 10.2.2.1 0.0.0.0 area 2
network 10.3.3.1 0.0.0.0 area 0
!
access-list 100 permit ip host 10.1.1.1 host 10.4.4.1
=====================================================
Any constructive comments/enlightenment will be greatly appreciated....
Stanford
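One way to answer the "is it really being encrypted" question without a sniffer is to take two snapshots of "show crypto ipsec sa" and check that the per-SA #pkts encaps/decaps counters move while #send errors does not. The script below is an added example, not part of the original post; the sample output is constructed in the shape of the IOS 12.x command (counter values and the SA identities are made up to match the posted ACLs).

```python
import re

# Constructed sample in the shape of IOS "show crypto ipsec sa" output; not
# captured from the routers in the post, and the counter values are made up.
SA_BEFORE = """\
interface: FastEthernet0
    Crypto map tag: test-ccie, local addr. 100.0.0.2

   local  ident (addr/mask/prot/port): (10.4.4.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   current_peer: 100.0.0.1
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""
# Same SA a little later: encaps/decaps only grow if the crypto ACL matched.
SA_AFTER = (SA_BEFORE
            .replace("encaps: 0, #pkts encrypt: 0", "encaps: 25, #pkts encrypt: 25")
            .replace("decaps: 0, #pkts decrypt: 0", "decaps: 24, #pkts decrypt: 24"))

IDENT = re.compile(r"(local|remote)\s+ident .*?:\s*\((\S+)\)")
COUNTER = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):?\s*(\d+)")


def parse_sa(text):
    """Map (local ident, remote ident) -> {counter name: value} per SA block."""
    sas, cur, key = {}, None, {}
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            key[m.group(1)] = m.group(2)
            if "local" in key and "remote" in key:   # both idents seen: new SA
                cur = sas.setdefault((key["local"], key["remote"]), {})
                key = {}
            continue
        if cur is not None:
            for name, val in COUNTER.findall(line):
                cur[name] = int(val)
    return sas


def sa_delta(before, after):
    """Counter growth per SA between two snapshots of the same command."""
    b, a = parse_sa(before), parse_sa(after)
    return {sa: {k: a[sa].get(k, 0) - b.get(sa, {}).get(k, 0) for k in a[sa]}
            for sa in a}


def traffic_protected(before, after):
    """True when every SA encapsulated and decapsulated packets with no new send errors."""
    deltas = sa_delta(before, after)
    return bool(deltas) and all(
        d.get("pkts encaps", 0) > 0 and d.get("pkts decaps", 0) > 0
        and d.get("send errors", 0) == 0 for d in deltas.values())
```

With the crypto map on FastEthernet0 as in the posted configs, the packets the map sees are already GRE-encapsulated between 100.0.0.2 and 100.0.0.1, so an ACL matching the loopback hosts would be expected to leave these counters at zero; that is exactly the condition this check flags.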
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:38 GMT-3