RE: IPSec + Nat

From: Simon Baxter (Simon.Baxter@xxxxxxxxxxxxxx)
Date: Mon Feb 12 2001 - 02:24:42 GMT-3


I now have two simultaneous tunnels working from R4 to R7.

1) from loopback 10.1.1.1, overload-translating on the serial interface then
IPSec tunnelling to a remote 192.168.70.1 address.

&

2) from loopback 10.1.1.1 (again), not natting, tunnelling to a remote
50.50.50.1 address.

tests & configs....

R4#ping
Protocol [ip]:
Target IP address: 192.168.70.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.70.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/125/128 ms
R4#ping
Protocol [ip]:
Target IP address: 50.50.50.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.50.50.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/125/128 ms
R4#

R7#sh cry ips sa | incl #
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
R7#sh cry ips sa | incl #
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest 34
    #pkts decaps: 34, #pkts decrypt: 34, #pkts verify 34
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
R7#sh cry ips sa | incl #
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest 34
    #pkts decaps: 34, #pkts decrypt: 34, #pkts verify 34
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
R7#

configs....

R4#
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key key address 192.168.17.2
!
!
crypto ipsec transform-set tf ah-sha-hmac esp-des
!
!
crypto map map 1 ipsec-isakmp
 set peer 192.168.17.2
 set transform-set tf
 match address 100
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0.1 point-to-point
 ip address 172.168.200.2 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 ip pim sparse-mode
 frame-relay interface-dlci 405
 crypto map map
!
ip nat inside source list 110 interface Serial0.1 overload
ip route 50.50.50.0 255.255.255.0 Serial0.1
!
access-list 1 permit 10.1.1.1
access-list 100 permit ip host 10.1.1.1 host 50.50.50.1
access-list 100 permit ip host 172.168.200.2 host 192.168.70.1
access-list 110 permit ip host 10.1.1.1 host 192.168.70.1

R7#
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key key address 172.168.200.2
!
!
crypto ipsec transform-set tf ah-sha-hmac esp-des
!
crypto map map 1 ipsec-isakmp
 set peer 172.168.200.2
 set transform-set tf
 match address 101
!
interface Loopback5
 ip address 50.50.50.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.17.2 255.255.255.0
!
interface TokenRing4/0
 ip address 192.168.70.1 255.255.255.0
 ring-speed 16
!
ip route 10.0.0.0 255.0.0.0 FastEthernet0/0
!
access-list 101 permit ip host 50.50.50.1 host 10.1.1.1
access-list 101 permit ip host 192.168.70.1 host 172.168.200.2

Thanks for all your help!!!!!!
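The reason access-list 100 on R4 names 172.168.200.2 rather than 10.1.1.1 for the second tunnel is IOS order of operations: inside-to-outside NAT runs before the crypto map ACL is evaluated, so the crypto ACL must match the post-NAT header. The following is an added example (not part of the post above) that models that order for R4's two flows and checks that R7's access-list 101 mirrors what R4 actually encrypts; the addresses and ACL entries are the ones in the configs, the function names and the extra inside host 10.1.1.2 are my own constructions.

```python
# Added example: model IOS NAT-before-crypto ordering on R4 and verify the
# peer's crypto ACL is a mirror. Addresses/ACLs come from the posted configs;
# helper names and the sample host 10.1.1.2 are constructed for illustration.

R4_SERIAL01 = "172.168.200.2"   # overload address: 'ip nat inside source list 110 interface Serial0.1 overload'

NAT_ACL_110 = [("10.1.1.1", "192.168.70.1")]            # R4 access-list 110 (what gets NATted)
CRYPTO_ACL_100 = [("10.1.1.1", "50.50.50.1"),            # R4 access-list 100 (what gets encrypted)
                  ("172.168.200.2", "192.168.70.1")]
CRYPTO_ACL_101 = [("50.50.50.1", "10.1.1.1"),            # R7 access-list 101
                  ("192.168.70.1", "172.168.200.2")]


def nat_then_crypto(src, dst):
    """Return (src_on_wire, dst, encrypted) for a packet leaving R4 via Serial0.1."""
    # Step 1: NAT inside->outside. Only flows permitted by list 110 are translated
    # to the Serial0.1 address (PAT/overload).
    if (src, dst) in NAT_ACL_110:
        src = R4_SERIAL01
    # Step 2: crypto map 'map' evaluates 'match address 100' against the
    # post-NAT header, so the translated source is what must appear in ACL 100.
    encrypted = (src, dst) in CRYPTO_ACL_100
    return src, dst, encrypted


def mirrored(local_acl, remote_acl):
    """True if every local (src, dst) entry has a (dst, src) twin on the peer."""
    return all((dst, src) in remote_acl for src, dst in local_acl)


def unencrypted_leaks(flows):
    """Flows that would leave Serial0.1 in cleartext under the current config."""
    return [(s, d) for s, d in flows if not nat_then_crypto(s, d)[2]]


if __name__ == "__main__":
    for flow in [("10.1.1.1", "192.168.70.1"), ("10.1.1.1", "50.50.50.1")]:
        print(flow, "->", nat_then_crypto(*flow))
    print("ACLs mirrored:", mirrored(CRYPTO_ACL_100, CRYPTO_ACL_101))
    # A second inside host is neither NATted (list 110 is host 10.1.1.1 only)
    # nor matched by ACL 100, so it would be forwarded in the clear.
    print("cleartext flows:", unencrypted_leaks([("10.1.1.2", "192.168.70.1")]))
```

Running it shows both posted flows land in ACL 100 after NAT, both crypto ACLs mirror each other, and a host outside list 110 would bypass the tunnel entirely.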



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:45 GMT-3