RE: Question about IPSEC and Tunnels

From: Stanford Wong - CNS (stanford@xxxxxxxxxxxxxx)
Date: Mon Jan 22 2001 - 15:41:40 GMT-3


Works fine last a long time...this group is awesome....
thank you all for your valuable input/insight...

stanford

-----Original Message-----
From: Vikas Gupta [mailto:vicky_gupta1803@yahoo.com]
Sent: Monday, January 22, 2001 5:13 AM
To: Rob Webber; 'Stanford Wong - CNS'; 'Ccielab'
Subject: RE: Question about IPSEC and Tunnels

Here is a good example.

http://www.cisco.com/warp/customer/707/33.shtml

(requires CCO ID )

Vikas

--- Rob Webber <rwebber@callisma.com> wrote:
> Here is what I have successfully done to run an IPSec connection through a tunnel:
>
> For running IPSec through a tunnel, first define the tunnel between the two physical interfaces on each router. Once the tunnel is working, define the IPSec peers between loopback interfaces. To do this you will need the crypto map mymap local-address loopback 0 command (to set the peer's local IPSec peer address).
>
> You will need some routing so that each router knows of the other's loopback address: static routing, a routing protocol through the tunnel, etc.
>
> Enable the crypto map on both the physical interface and the tunnel interface.
>
> Best Regards, Rob.
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com]On Behalf Of
> Stanford Wong - CNS
> Sent: Monday, January 22, 2001 4:43 AM
> To: Ccielab
> Subject: Question about IPSEC and Tunnels
>
>
> I have a question regarding IPSEC.
>
> Besides using a packet sniffer, how could you tell that your packets are indeed being encrypted? I have looked at the Cisco CD under this link -
>
> http://127.0.0.1:8080/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141717
>
> but the commands listed only show you how to see if your configurations have been accepted.
>
> What I have been doing is setting up a tunnel between two routers. When you apply the crypto map to the interface, do you apply it to the Tunnel interface or to the Physical interface? My feeling is to apply it to the tunnel interface, but what IP do you set the peer address to? The distant tunnel IP or the physical interface? Getting late and I think I am confusing the hell out of myself.
>
> attached are the two router configs......
>
>
==================================================================
> rd#sho running-config
>
> crypto ipsec transform-set ccie esp-des esp-md5-hmac
> !
> crypto map test-ccie 10 ipsec-isakmp
> set peer 100.0.0.1
> set transform-set ccie
> match address 100
> !
> interface Loopback10
> ip address 10.4.4.1 255.255.255.0
> !
> interface Loopback20
> ip address 10.5.5.1 255.255.255.0
> !
> interface Tunnel0
> ip address 10.3.3.2 255.255.255.0
> tunnel source FastEthernet0
> tunnel destination 100.0.0.1
>
> interface FastEthernet0
> ip address 100.0.0.2 255.255.255.0
> speed auto
> crypto map test-ccie
> !
> router ospf 1
> log-adjacency-changes
> area 4 range 10.4.0.0 255.255.0.0
> area 5 range 10.5.5.0 255.255.255.0
> network 10.3.3.2 0.0.0.0 area 0
> network 10.4.4.1 0.0.0.0 area 4
> network 10.5.5.1 0.0.0.0 area 5
> !
> access-list 100 permit ip host 10.4.4.1 host 10.1.1.1
>
=======================================================
> rc#sho running-config
>
> crypto ipsec transform-set ccie esp-des esp-md5-hmac
> !
> !
> crypto map test-ccie 10 ipsec-isakmp
> set peer 100.0.0.2
> set transform-set ccie
> match address 100
> cns event-service server
> !
> interface Loopback10
> ip address 10.1.1.1 255.255.255.0
> no ip directed-broadcast
> !
> interface Loopback20
> ip address 10.2.2.1 255.255.255.0
> no ip directed-broadcast
> !
> interface Tunnel1
> ip address 10.3.3.1 255.255.255.0
> no ip directed-broadcast
> tunnel source FastEthernet0
> tunnel destination 100.0.0.2
> !
> interface FastEthernet0
> ip address 100.0.0.1 255.255.255.0
> no ip directed-broadcast
> full-duplex
> crypto map test-ccie
> !
> router ospf 1
> network 10.1.1.1 0.0.0.0 area 1
> network 10.2.2.1 0.0.0.0 area 2
> network 10.3.3.1 0.0.0.0 area 0
> !
> access-list 100 permit ip host 10.1.1.1 host 10.4.4.1
>
=====================================================
>
> Any constructive comments/enlightenment will be
> greatly appreciated....
>
> Stanford
>
>
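Rob's procedure, written out as an added worked configuration for the two routers in the thread. This is not Stanford's running-config, Rob's config or Cisco documentation. It keeps the thread's addressing (physical 100.0.0.x, tunnel 10.3.3.x, protected loopbacks 10.1.1.1 and 10.4.4.1, transform set ccie) and adds what Rob describes: a hypothetical Loopback0 on each router (10.0.0.1 and 10.0.0.2, chosen here) as the IPsec peer address, the crypto map local-address command pointing at it, a route to the far loopback through the tunnel (static here; the thread's OSPF over the tunnel would serve too), and the crypto map on both the tunnel and the physical interface. The ISAKMP policy and the pre-shared key (placeholder EXAMPLE-KEY) are assumptions, since the quoted running-configs show neither; esp-des is kept only to match the thread's transform set. The reason the quoted configs encrypt nothing is that, with the crypto map only on FastEthernet0, loopback-to-loopback traffic reaches that interface already GRE-encapsulated (protocol 47 between the 100.0.0.x addresses) and so never matches access-list 100; applying the map to the tunnel interface lets the cleartext packets be matched before encapsulation.

```cisco
! ---- rc (physical 100.0.0.1) ----
! ISAKMP policy and key are assumed; the thread's configs show neither.
crypto isakmp policy 10
 authentication pre-share
! Peer is the far router's Loopback0, not its physical address. Replace EXAMPLE-KEY.
crypto isakmp key EXAMPLE-KEY address 10.0.0.2
!
crypto ipsec transform-set ccie esp-des esp-md5-hmac
!
! IKE/IPsec are sourced from Loopback0 (Rob's "local-address loopback" step)
crypto map test-ccie local-address Loopback0
crypto map test-ccie 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set ccie
 match address 100
!
interface Loopback0
 description IPsec peer address (hypothetical, added for this example)
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback10
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel1
 ip address 10.3.3.1 255.255.255.0
 tunnel source FastEthernet0
 tunnel destination 100.0.0.2
 crypto map test-ccie
!
interface FastEthernet0
 ip address 100.0.0.1 255.255.255.0
 crypto map test-ccie
!
! Reach the far Loopback0 through the tunnel (static route in place of the thread's OSPF)
ip route 10.0.0.2 255.255.255.255 Tunnel1
!
! Interesting traffic: the two protected loopbacks, as in the thread's ACL
access-list 100 permit ip host 10.1.1.1 host 10.4.4.1

! ---- rd (physical 100.0.0.2), mirror image ----
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key EXAMPLE-KEY address 10.0.0.1
!
crypto ipsec transform-set ccie esp-des esp-md5-hmac
!
crypto map test-ccie local-address Loopback0
crypto map test-ccie 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set ccie
 match address 100
!
interface Loopback0
 description IPsec peer address (hypothetical, added for this example)
 ip address 10.0.0.2 255.255.255.255
!
interface Loopback10
 ip address 10.4.4.1 255.255.255.0
!
interface Tunnel0
 ip address 10.3.3.2 255.255.255.0
 tunnel source FastEthernet0
 tunnel destination 100.0.0.1
 crypto map test-ccie
!
interface FastEthernet0
 ip address 100.0.0.2 255.255.255.0
 crypto map test-ccie
!
ip route 10.0.0.1 255.255.255.255 Tunnel0
!
access-list 100 permit ip host 10.4.4.1 host 10.1.1.1
```

To answer the original question without a sniffer: send traffic that matches the ACL, for example ping 10.4.4.1 source 10.1.1.1 from rc, then check show crypto isakmp sa (an established IKE SA shows state QM_IDLE between 10.0.0.1 and 10.0.0.2) and show crypto ipsec sa. In the latter, the #pkts encaps/encrypt counters on the sender and #pkts decaps/decrypt on the receiver should grow by the number of pings; counters that stay at zero while the pings succeed mean the traffic is crossing the tunnel in the clear, which is exactly what the quoted configs would produce.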



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:39 GMT-3