From: John Kaberna (jkaberna@xxxxxxxxxxxx)
Date: Mon Feb 12 2001 - 01:31:58 GMT-3
Good job. Glad it works.
----- Original Message -----
From: Simon Baxter <Simon.Baxter@au.logical.com>
To: 'John Kaberna' <jkaberna@netcginc.com>; 'James Zhou' <zhoucm@holybridge.com.cn>
Cc: 'CCIE Group Study (E-mail)' <ccielab@groupstudy.com>
Sent: Sunday, February 11, 2001 9:24 PM
Subject: RE: IPSec + Nat
> I now have two simultaneous tunnels working from R4 to R7.
>
> 1) from loopback 10.1.1.1, overload-translating on the serial interface then
> IPSec tunnelling to a remote 192.168.70.1 address.
>
> &
>
> 2) from loopback 10.1.1.1 (again), not natting, tunnelling to a remote
> 50.50.50.1 address.
>
> tests & configs....
>
> R4#ping
> Protocol [ip]:
> Target IP address: 192.168.70.1
> Repeat count [5]:
> Datagram size [100]:
> Timeout in seconds [2]:
> Extended commands [n]: y
> Source address or interface: 10.1.1.1
> Type of service [0]:
> Set DF bit in IP header? [no]:
> Validate reply data? [no]:
> Data pattern [0xABCD]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Sweep range of sizes [n]:
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.70.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 124/125/128 ms
> R4#ping
> Protocol [ip]:
> Target IP address: 50.50.50.1
> Repeat count [5]:
> Datagram size [100]:
> Timeout in seconds [2]:
> Extended commands [n]: y
> Source address or interface: 10.1.1.1
> Type of service [0]:
> Set DF bit in IP header? [no]:
> Validate reply data? [no]:
> Data pattern [0xABCD]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Sweep range of sizes [n]:
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 50.50.50.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 124/125/128 ms
> R4#
>
>
> R7#sh cry ips sa | incl #
> #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
> #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
> #pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29
> #pkts decaps: 29, #pkts decrypt: 29, #pkts verify 29
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
> R7#sh cry ips sa | incl #
> #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
> #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
> #pkts encaps: 34, #pkts encrypt: 34, #pkts digest 34
> #pkts decaps: 34, #pkts decrypt: 34, #pkts verify 34
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
> R7#sh cry ips sa | incl #
> #pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
> #pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
> #pkts encaps: 34, #pkts encrypt: 34, #pkts digest 34
> #pkts decaps: 34, #pkts decrypt: 34, #pkts verify 34
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
> R7#
>
>
>
>
> configs....
>
>
> R4#
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key key address 192.168.17.2
> !
> !
> crypto ipsec transform-set tf ah-sha-hmac esp-des
> !
> !
> crypto map map 1 ipsec-isakmp
> set peer 192.168.17.2
> set transform-set tf
> match address 100
> !
> interface Loopback1
> ip address 10.1.1.1 255.255.255.0
> ip nat inside
> !
> interface Serial0.1 point-to-point
> ip address 172.168.200.2 255.255.255.0
> no ip directed-broadcast
> ip nat outside
> ip pim sparse-mode
> frame-relay interface-dlci 405
> crypto map map
> !
> ip nat inside source list 110 interface Serial0.1 overload
> ip route 50.50.50.0 255.255.255.0 Serial0.1
> !
> access-list 1 permit 10.1.1.1
> access-list 100 permit ip host 10.1.1.1 host 50.50.50.1
> access-list 100 permit ip host 172.168.200.2 host 192.168.70.1
> access-list 110 permit ip host 10.1.1.1 host 192.168.70.1
>
>
> R7#
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key key address 172.168.200.2
> !
> !
> crypto ipsec transform-set tf ah-sha-hmac esp-des
> !
> crypto map map 1 ipsec-isakmp
> set peer 172.168.200.2
> set transform-set tf
> match address 101
> !
> interface Loopback5
> ip address 50.50.50.1 255.255.255.0
> !
> interface FastEthernet0/0
> ip address 192.168.17.2 255.255.255.0
> !
> interface TokenRing4/0
> ip address 192.168.70.1 255.255.255.0
> ring-speed 16
> !
> ip route 10.0.0.0 255.0.0.0 FastEthernet0/0
> !
> access-list 101 permit ip host 50.50.50.1 host 10.1.1.1
> access-list 101 permit ip host 192.168.70.1 host 172.168.200.2
>
>
>
> Thanks for all your help!!!!!!
>
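Added example (not part of the thread above): a small Python model of the inside-to-outside order of operations on R4 as quoted, where NAT runs before the crypto map is evaluated, so crypto ACL 100 must describe the post-NAT addresses (172.168.200.2 for the overloaded flow, 10.1.1.1 for the untranslated one) and R7's ACL 101 must be its mirror. It also shows the failure mode to check for: a crypto ACL written with the pre-NAT source would leave the translated flow out of the tunnel.

```python
# Constructed model of the R4 / R7 configs quoted in the thread.
# ACL entries are (source host, destination host), i.e. "permit ip host A host B".
NAT_ACL_110 = [("10.1.1.1", "192.168.70.1")]     # ip nat inside source list 110
NAT_OUTSIDE_IP = "172.168.200.2"                 # Serial0.1, used for overload
CRYPTO_ACL_100 = [("10.1.1.1", "50.50.50.1"),    # R4: match address 100
                  ("172.168.200.2", "192.168.70.1")]
CRYPTO_ACL_101 = [("50.50.50.1", "10.1.1.1"),    # R7: match address 101
                  ("192.168.70.1", "172.168.200.2")]
# Hypothetical misconfiguration: second entry uses the pre-NAT source.
WRONG_CRYPTO_ACL = [("10.1.1.1", "50.50.50.1"),
                    ("10.1.1.1", "192.168.70.1")]


def acl_permits(acl, src, dst):
    """True if any host/host entry in the ACL matches the packet."""
    return any(src == s and dst == d for s, d in acl)


def r4_egress(src, dst, crypto_acl=CRYPTO_ACL_100):
    """Model IOS inside-to-outside processing on R4: NAT (list 110, overload
    to the Serial0.1 address) is applied first, then the crypto map ACL is
    checked against the translated packet. Returns what leaves Serial0.1."""
    natted = acl_permits(NAT_ACL_110, src, dst)
    post_nat_src = NAT_OUTSIDE_IP if natted else src
    return {
        "src": post_nat_src,
        "dst": dst,
        "natted": natted,
        # Only packets matching the crypto ACL after NAT enter the tunnel;
        # anything else is forwarded in the clear.
        "encrypted": acl_permits(crypto_acl, post_nat_src, dst),
    }


def is_mirror(acl_a, acl_b):
    """Peer crypto ACLs must be exact mirrors (src/dst swapped) or the
    proxy identities will not agree during quick mode negotiation."""
    return sorted(acl_a) == sorted((d, s) for s, d in acl_b)


def cleartext_leaks(crypto_acl, flows):
    """Flows that would leave the outside interface unencrypted."""
    return [(s, d) for s, d in flows if not r4_egress(s, d, crypto_acl)["encrypted"]]


if __name__ == "__main__":
    flows = [("10.1.1.1", "192.168.70.1"), ("10.1.1.1", "50.50.50.1")]
    for s, d in flows:
        print(s, "->", d, r4_egress(s, d))
    print("mirror ok:", is_mirror(CRYPTO_ACL_100, CRYPTO_ACL_101))
    print("leaks with pre-NAT crypto ACL:", cleartext_leaks(WRONG_CRYPTO_ACL, flows))
```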
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:45 GMT-3