From: Thierry MARTIN (tmartin@xxxxxxx)
Date: Wed Jan 24 2001 - 13:27:40 GMT-3
Hi all,
My personal lab runs IPSEC with manual key exchange.
I use RSA encryption.
R3----lan1----R2----lan2----R1----FR----R8----lan3
Traffic source : lan1 R2
ipsec only between R2 and R8
Traffic destination : lan3 R8
I use loopback for peering.
logical ==> lan1--R2--VPN IPSEC--R8--lan3
Between lan1 and lan3, the hop count is 2.
R8 : ios 12.0.8
R2 : ios 12.1.5T
-------------------------------------------------------------------------------
R2#sh cryp isa sa
dst src state conn-id slot
138.5.8.8 138.5.2.2 QM_IDLE 1 0
R2#
-------------------------------------------------------------------------------
R2#sh crypto engine connections active
ID    Interface     IP-Address   State  Algorithm            Encrypt  Decrypt
2000  Ethernet0/0   138.5.12.2   set    HMAC_MD5             0        20
2001  Ethernet0/0   138.5.12.2   set    HMAC_MD5             27       0
2002  Ethernet0/0   138.5.12.2   set    HMAC_SHA+DES_56_CB   0        20
2003  Ethernet0/0   138.5.12.2   set    HMAC_SHA+DES_56_CB   27       0
R2#
-------------------------------------------------------------------------------
Example for Router R2
---------------------
hostname R2
!
crypto isakmp policy 100
 hash md5
 authentication rsa-encr
 group 2
!
crypto ipsec transform-set CryptoR8 ah-md5-hmac esp-des esp-sha-hmac
!
crypto key pubkey-chain rsa
 addressed-key 138.5.8.8 signature
  address 138.5.8.8
  key-string
   12345678 91234567 89123456 7809
  quit
!
crypto map R8 local-address Loopback0
crypto map R8 10 ipsec-isakmp
 set peer 138.5.8.8
 set transform-set CryptoR8
 match address 100
!
interface Loopback0
 ip address 138.5.2.2 255.255.255.255
!
interface Ethernet0/0
 ip address 138.5.12.2 255.255.254.0
 half-duplex
 crypto map R8
!
access-list 100 permit ip 138.5.14.0 0.0.0.63 138.5.16.0 0.0.0.255
!
-------------------------------------------------------------------------------
R2#show crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: R8, local addr. 138.5.2.2
local ident (addr/mask/prot/port): (138.5.14.0/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (138.5.16.0/255.255.255.0/0/0)
current_peer: 138.5.8.8
PERMIT, flags={origin_is_acl,}
#pkts encaps: 27, #pkts encrypt: 27, #pkts digest 27
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 9, #recv errors 0
local crypto endpt.: 138.5.2.2, remote crypto endpt.: 138.5.8.8
path mtu 1500, media mtu 1500
current outbound spi: 105F00FC
inbound esp sas:
spi: 0x7510E4A(122752586)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2002, flow_id: 1, crypto map: R8
sa timing: remaining key lifetime (k/sec): (4607994/3341)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
spi: 0x405464BA(1079272634)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: R8
sa timing: remaining key lifetime (k/sec): (4607994/3341)
replay detection support: Y
inbound pcp sas:
outbound esp sas:
spi: 0x105F00FC(274661628)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2003, flow_id: 2, crypto map: R8
sa timing: remaining key lifetime (k/sec): (4607995/3341)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
spi: 0x6461DBF(105258431)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: R8
sa timing: remaining key lifetime (k/sec): (4607995/3341)
replay detection support: Y
outbound pcp sas:
R2#
-------------------------------------------------------------------------------
Best Regards
Thierry
CCNA, CCDA, CCNP, specialization ATM & SECURITY
Lab schedule february 15th - 16th 2001
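Stanford's original question (how to tell, without a sniffer, that packets are really being encrypted) is what the "show crypto ipsec sa" output above answers: the encaps/decaps counters and the SPIs. As an added example that is not part of the thread, a small Python parser for that output that decides whether an SA is actually carrying protected traffic and how much changed between two snapshots; the sample text is cut from R2's output above.

```python
import re

# Constructed sample: R2's "show crypto ipsec sa" output from the thread, cut to the
# lines this check reads (counters, SPIs).
SAMPLE_SA = """\
interface: Ethernet0/0
Crypto map tag: R8, local addr. 138.5.2.2
current_peer: 138.5.8.8
#pkts encaps: 27, #pkts encrypt: 27, #pkts digest 27
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify 20
#send errors 9, #recv errors 0
current outbound spi: 105F00FC
inbound esp sas:
spi: 0x7510E4A(122752586)
outbound esp sas:
spi: 0x105F00FC(274661628)
"""

def parse_ipsec_sa(text):
    """Collect the per-SA packet counters and SPIs from one crypto-map entry."""
    counters = {k: int(v) for k, v in
                re.findall(r"#(pkts \w+|send errors|recv errors):? (\d+)", text)}
    spis, section = {}, None
    for line in text.splitlines():
        m = re.match(r"(inbound|outbound) (esp|ah) sas:", line.strip())
        if m:
            section = f"{m.group(1)}_{m.group(2)}"
        elif section and line.strip().startswith("spi: 0x"):
            spis[section] = int(line.strip().split("(")[0][5:], 16)
    cur = re.search(r"current outbound spi: ([0-9A-Fa-f]+)", text)
    return {"counters": counters, "spis": spis,
            "current_outbound_spi": int(cur.group(1), 16) if cur else None}

def is_protecting_traffic(sa):
    """True only when packets are really encapsulated both ways on a live SA:
    non-zero encaps/decaps equal to the encrypt/decrypt counts, and an outbound
    ESP SPI equal to the one the router reports as current. A crypto map that is
    accepted but idle shows zeros here, which "config accepted" alone hides."""
    c = sa["counters"]
    out_ok = c.get("pkts encaps", 0) > 0 and c["pkts encaps"] == c.get("pkts encrypt")
    in_ok = c.get("pkts decaps", 0) > 0 and c["pkts decaps"] == c.get("pkts decrypt")
    spi_ok = sa["spis"].get("outbound_esp") == sa["current_outbound_spi"]
    return out_ok and in_ok and spi_ok

def traffic_since(before, after):
    """Packets protected between two snapshots (e.g. before and after a ping)."""
    b, a = before["counters"], after["counters"]
    return {k: a.get(k, 0) - b.get(k, 0) for k in ("pkts encaps", "pkts decaps", "send errors")}
```

Take one snapshot, send test traffic that matches the crypto ACL, take a second one; only a rising encaps count on the SA whose SPI is current proves the tunnel is doing the work.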
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
>>> "Connary, Julie Ann" <jconnary@cisco.com> 22/01/01 16h42 >>>
Don't forget the key exchange, either manual or via ISAKMP.
Julie Ann
At 09:45 AM 1/22/2001 -0500, Rob Webber wrote:
>Here is what I have successfully done to run an IPSec connection through a
>tunnel:
>
>For running IPSec through a tunnel, first define the tunnel between the two
>physical interfaces on each router. Once the tunnel is working, define the
>IPSec peers between loopback interfaces. To do this you will need the crypto
>map mymap local-address loopback 0 command (to set the peer's local IPSec
>peer address).
>
>You will need some routing so that each router knows of the other's loopback
>address - static routing, a routing protocol through the tunnel, etc.
>
>Enable the crypto map on both the physical interface and the tunnel
>interface.
>
>Best Regards, Rob.
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Stanford Wong - CNS
>Sent: Monday, January 22, 2001 4:43 AM
>To: Ccielab
>Subject: Question about IPSEC and Tunnels
>
>
>I have a question regarding IPSEC.
>
>Besides using a packet sniffer, how could you tell that your packets are
>indeed being encrypted? I have looked at the Cisco CD under this link -
>
>http://127.0.0.1:8080/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141717
>
>but the commands listed only show you how to see if your configurations
>have been accepted.
>
>What I have been doing is setting up a tunnel between two routers. When you
>apply the crypto map to the interface, do you apply it to the Tunnel
>interface or to the Physical interface? My feeling is to apply it to the
>tunnel interface, but what IP do you set the peer address to: the distant
>tunnel IP or the physical interface? Getting late and I think I am
>confusing the hell out of myself.
>
>attached are the two router configs......
>
>==================================================================
>rd#sho running-config
>
>crypto ipsec transform-set ccie esp-des esp-md5-hmac
>!
>crypto map test-ccie 10 ipsec-isakmp
> set peer 100.0.0.1
> set transform-set ccie
> match address 100
>!
>interface Loopback10
> ip address 10.4.4.1 255.255.255.0
>!
>interface Loopback20
> ip address 10.5.5.1 255.255.255.0
>!
>interface Tunnel0
> ip address 10.3.3.2 255.255.255.0
> tunnel source FastEthernet0
> tunnel destination 100.0.0.1
>
>interface FastEthernet0
> ip address 100.0.0.2 255.255.255.0
> speed auto
> crypto map test-ccie
>!
>router ospf 1
> log-adjacency-changes
> area 4 range 10.4.0.0 255.255.0.0
> area 5 range 10.5.5.0 255.255.255.0
> network 10.3.3.2 0.0.0.0 area 0
> network 10.4.4.1 0.0.0.0 area 4
> network 10.5.5.1 0.0.0.0 area 5
>!
>access-list 100 permit ip host 10.4.4.1 host 10.1.1.1
>=======================================================
>rc#sho running-config
>
>crypto ipsec transform-set ccie esp-des esp-md5-hmac
>!
>!
>crypto map test-ccie 10 ipsec-isakmp
> set peer 100.0.0.2
> set transform-set ccie
> match address 100
>cns event-service server
>!
>interface Loopback10
> ip address 10.1.1.1 255.255.255.0
> no ip directed-broadcast
>!
>interface Loopback20
> ip address 10.2.2.1 255.255.255.0
> no ip directed-broadcast
>!
>interface Tunnel1
> ip address 10.3.3.1 255.255.255.0
> no ip directed-broadcast
> tunnel source FastEthernet0
> tunnel destination 100.0.0.2
>!
>interface FastEthernet0
> ip address 100.0.0.1 255.255.255.0
> no ip directed-broadcast
> full-duplex
> crypto map test-ccie
>!
>router ospf 1
> network 10.1.1.1 0.0.0.0 area 1
> network 10.2.2.1 0.0.0.0 area 2
> network 10.3.3.1 0.0.0.0 area 0
>!
>access-list 100 permit ip host 10.1.1.1 host 10.4.4.1
>=====================================================
>
>Any constructive comments/enlightenment will be greatly appreciated....
>
>Stanford
>
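The two configs Stanford posted, and Rob's point about the crypto map local-address, come down to two things that must agree before an SA can negotiate: each side's "set peer" must be the other side's local crypto endpoint (the interface carrying the crypto map, or the loopback named by "crypto map X local-address"), and the crypto ACLs must mirror each other. As an added example that is not part of the thread, a Python check of both conditions; the sample is cut from rd's config, with rc derived as its mirror image as in the post.

```python
import re

# Constructed sample: rd's config from the thread, cut to the lines the check reads.
RD = """\
crypto map test-ccie 10 ipsec-isakmp
 set peer 100.0.0.1
 match address 100
interface FastEthernet0
 ip address 100.0.0.2 255.255.255.0
 crypto map test-ccie
access-list 100 permit ip host 10.4.4.1 host 10.1.1.1
"""
# rc is the mirror image in the post: swapped addresses, reversed ACL.
RC = (RD.replace("set peer 100.0.0.1", "set peer 100.0.0.2")
        .replace("ip address 100.0.0.2", "ip address 100.0.0.1")
        .replace("host 10.4.4.1 host 10.1.1.1", "host 10.1.1.1 host 10.4.4.1"))

def _addr(tok):
    """One ACL endpoint, 'host A' or 'network wildcard', plus the leftover tokens."""
    return ((tok[1], "0.0.0.0"), tok[2:]) if tok[0] == "host" else ((tok[0], tok[1]), tok[2:])

def endpoint_view(config):
    """Return (peer, local crypto endpoints, crypto ACL entries) from one IOS config."""
    peer = re.search(r"^ set peer (\S+)", config, re.M).group(1)
    acl = re.search(r"^ match address (\d+)", config, re.M).group(1)
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            ifaces[(cur := line.split()[1])] = {"ip": None, "map": False}
        elif not line.startswith(" "):
            cur = None  # any other top-level line ends the interface block
        elif cur and line.startswith(" ip address "):
            ifaces[cur]["ip"] = line.split()[2]
        elif cur and line.startswith(" crypto map "):
            ifaces[cur]["map"] = True
    # "crypto map X local-address Loopback0" pins the endpoint to that interface;
    # otherwise it is the address of each interface the map is applied to.
    loc = re.search(r"^crypto map \S+ local-address (\S+)", config, re.M)
    names = [loc.group(1)] if loc else [n for n, i in ifaces.items() if i["map"]]
    entries = []
    for m in re.finditer(rf"^access-list {acl} permit ip (.+)$", config, re.M):
        src, rest = _addr(m.group(1).split())
        entries.append((src, _addr(rest)[0]))
    return peer, {ifaces[n]["ip"] for n in names if n in ifaces}, entries

def check_pair(cfg_a, cfg_b):
    """What must agree between two peers before the SA can even negotiate."""
    peer_a, local_a, acl_a = endpoint_view(cfg_a)
    peer_b, local_b, acl_b = endpoint_view(cfg_b)
    return {"peers_match": peer_a in local_b and peer_b in local_a,
            "acls_mirrored": sorted(acl_a) == sorted((d, s) for s, d in acl_b)}
```

The same check accepts Thierry's loopback-peered style, where the local endpoint is the Loopback0 address rather than the Ethernet address the map sits on.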
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:42 GMT-3