From: Rob Webber (rwebber@xxxxxxxxxxxx)
Date: Mon Jan 22 2001 - 11:45:57 GMT-3
Here is what I have successfully done to run an IPSec connection through a
tunnel:
For running IPSec through a tunnel, first define the tunnel between the two
physical interfaces on each router. Once the tunnel is working, define the
IPSec peers between loopback interfaces. To do this you will need the crypto
map mymap local-address loopback 0 command (to set the local IPSec peer
address).
You will need some routing so that each router knows of the other's loopback
address: static routing, a routing protocol through the tunnel, etc.
Enable the crypto map on both the physical interface and the tunnel
interface.
Best Regards, Rob.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Stanford Wong - CNS
Sent: Monday, January 22, 2001 4:43 AM
To: Ccielab
Subject: Question about IPSEC and Tunnels
I have a question regarding IPSEC.
Besides using a packet sniffer, how could you tell that your packets are
indeed being encrypted? I have looked at the Cisco CD under this link -
http://127.0.0.1:8080/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141717
but the commands listed only show you how to see if your configurations
have been accepted.
What I have been doing is setting up a tunnel between two routers. When you
apply the crypto map to the interface, do you apply it to the Tunnel
interface or to the Physical interface? My feeling is to apply it to the
tunnel interface, but what IP do you set the peer address to: the distant
tunnel IP or the physical interface? Getting late and I think I am
confusing the hell out of myself.
Attached are the two router configs......
==================================================================
rd#sho running-config
crypto ipsec transform-set ccie esp-des esp-md5-hmac
!
crypto map test-ccie 10 ipsec-isakmp
set peer 100.0.0.1
set transform-set ccie
match address 100
!
interface Loopback10
ip address 10.4.4.1 255.255.255.0
!
interface Loopback20
ip address 10.5.5.1 255.255.255.0
!
interface Tunnel0
ip address 10.3.3.2 255.255.255.0
tunnel source FastEthernet0
tunnel destination 100.0.0.1
interface FastEthernet0
ip address 100.0.0.2 255.255.255.0
speed auto
crypto map test-ccie
!
router ospf 1
log-adjacency-changes
area 4 range 10.4.0.0 255.255.0.0
area 5 range 10.5.5.0 255.255.255.0
network 10.3.3.2 0.0.0.0 area 0
network 10.4.4.1 0.0.0.0 area 4
network 10.5.5.1 0.0.0.0 area 5
!
access-list 100 permit ip host 10.4.4.1 host 10.1.1.1
=======================================================
rc#sho running-config
crypto ipsec transform-set ccie esp-des esp-md5-hmac
!
!
crypto map test-ccie 10 ipsec-isakmp
set peer 100.0.0.2
set transform-set ccie
match address 100
cns event-service server
!
interface Loopback10
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
!
interface Loopback20
ip address 10.2.2.1 255.255.255.0
no ip directed-broadcast
!
interface Tunnel1
ip address 10.3.3.1 255.255.255.0
no ip directed-broadcast
tunnel source FastEthernet0
tunnel destination 100.0.0.2
!
interface FastEthernet0
ip address 100.0.0.1 255.255.255.0
no ip directed-broadcast
full-duplex
crypto map test-ccie
!
router ospf 1
network 10.1.1.1 0.0.0.0 area 1
network 10.2.2.1 0.0.0.0 area 2
network 10.3.3.1 0.0.0.0 area 0
!
access-list 100 permit ip host 10.1.1.1 host 10.4.4.1
=====================================================
Any constructive comments/enlightenment will be greatly appreciated....
Stanford
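As an added example (not code from either poster), here is a small Python checker that applies Rob's rules to the two configs Stanford posted: it verifies that each router's set peer is an address the other router owns, that the crypto ACLs mirror each other, and that the crypto map is bound to the tunnel interface as well as the physical one. The rd/rc names and the trimmed config text are constructed from the thread.

```python
import re
# Constructed from the two configs posted in the thread (rd and rc): only the lines the checks read.
RD = """crypto map test-ccie 10 ipsec-isakmp
 set peer 100.0.0.1
interface Tunnel0
interface FastEthernet0
 ip address 100.0.0.2 255.255.255.0
 crypto map test-ccie
access-list 100 permit ip host 10.4.4.1 host 10.1.1.1"""
RC = """crypto map test-ccie 10 ipsec-isakmp
 set peer 100.0.0.2
interface Tunnel1
interface FastEthernet0
 ip address 100.0.0.1 255.255.255.0
 crypto map test-ccie
access-list 100 permit ip host 10.1.1.1 host 10.4.4.1"""

def parse(cfg):
    # Collect peers, interface names, addresses, crypto-map bindings and crypto ACL entries.
    info = {"peers": [], "ifaces": [], "addrs": [], "bound": [], "acl": []}
    iface = None
    for raw in cfg.splitlines():
        s = raw.strip()
        if not raw.startswith(" "):  # unindented line: back at global config level
            iface = None
        if s.startswith("interface "):
            iface = s.split()[1]
            info["ifaces"].append(iface)
        elif s.startswith("set peer "):
            info["peers"].append(s.split()[2])
        elif iface and s.startswith("ip address "):
            info["addrs"].append(s.split()[2])
        elif iface and s.startswith("crypto map "):
            info["bound"].append(iface)
        elif (m := re.match(r"access-list \d+ permit ip host (\S+) host (\S+)", s)):
            info["acl"].append((m[1], m[2]))
    return info

def check_pair(cfg_a, cfg_b, names=("rd", "rc")):
    # Return a list of findings; an empty list means the two sides look consistent.
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for name, me, other in ((names[0], a, b), (names[1], b, a)):
        findings += [f"{name}: set peer {p} is not an address on the other router"
                     for p in me["peers"] if p not in other["addrs"]]
        # Rob's point: the crypto ACL matches the inner (loopback) addresses, which ride inside the
        # GRE packets leaving FastEthernet0, so the map must also sit on the tunnel interface
        findings += [f"{name}: crypto map not applied to {t}"
                     for t in me["ifaces"] if t.startswith("Tunnel") and t not in me["bound"]]
    if sorted(a["acl"]) != sorted((d, s) for s, d in b["acl"]):  # ACLs must mirror each other
        findings.append("crypto ACLs are not mirror images")
    return findings
```

Run against the posted configs it reports that neither Tunnel0 nor Tunnel1 carries the crypto map, which is the gap Rob's reply points at; the peers and ACLs already agree.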
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:39 GMT-3