RE: More IPSec probs...

From: David A. Mack (mackd@xxxxxxxxxx)
Date: Sat Feb 24 2001 - 14:00:26 GMT-3


I think that I would personally check the requirement. Is it to encrypt the
tunnel or is it to encrypt all IP traffic between the serial interfaces? I
agree with the layered approach and getting one thing working at a time. I
usually get the tunnel working first and then I encrypt it. However, you can do
it the other way around, getting IPSec working first and then setting up the tunnel,
with the caveat of checking the requirement for encryption.

My $0.02
Dave

David A. Mack
Network Engineer
Fairfax, VA 22033

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Fabricio Aponte
Sent: Saturday, February 24, 2001 11:19 AM
To: 'David A. Mack'; 'fwells12'; ccielab@groupstudy.com
Subject: RE: More IPSec probs...

I would add GRE and leave IP from serial to serial. This way, if you need
to test, all you have to do is clear crypto and ping from serial to serial
and your association should come up. If it doesn't, then you need to go back
and troubleshoot.

fabricio

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
David A. Mack
Sent: Saturday, February 24, 2001 9:26 AM
To: 'Fabricio Aponte'; 'fwells12'; ccielab@groupstudy.com
Subject: RE: More IPSec probs...

I would also look at which protocol to match in the crypto access-list. In
this case you are encrypting GRE tunnels, so you want to match on gre
instead of ip. I have seen references on CCO and Networkers presentations
that state that you should use transport mode for ESP rather than the default
tunnel mode when encrypting GRE tunnels, since they are already tunneled. You
can set this in the transform set.

HTH,
Dave

David A. Mack
Network Engineer
Fairfax, VA 22033

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Fabricio Aponte
Sent: Saturday, February 24, 2001 9:29 AM
To: 'fwells12'; ccielab@groupstudy.com
Subject: RE: More IPSec probs...

Your access lists are switched (source/destination and destination/source).

I would get IP to work first and then I would worry about IPX. (Don't worry
about your tunnel interface.)

"show cry engine connections active" is a command that will tell you if you
are encrypting or not.

Regards,

Fabricio

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
fwells12
Sent: Saturday, February 24, 2001 2:01 AM
To: ccielab@groupstudy.com
Subject: More IPSec probs...

Guys,
I am trying to run IPSec between two routers over a frame cloud using
tunnels. I cannot get the isakmp security associations to register,
and thus no traffic is being encrypted. Please give my configs the once
over and see if you can see anything wrong with them. I have tried
using a number of permutations of the access-lists and nothing has
worked. You will notice I have IPX networks at each end of the network.
I would like to encrypt that traffic too.

I have debug running on ipsec/isakmp/engine and nothing is being
registered. I guess I have the configs close but...

Router1:
-----------
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key tunnel address 10.1.1.4 255.0.0.0
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.4
 set transform-set cisco
 match address 100
!
interface Tunnel4
 no ip address
 ipx network 1441
 tunnel source Serial0
 tunnel destination 10.1.1.4
 crypto map crypmap
!
interface Ethernet0
 mac-address 0001.0001.0001
 ip address 1.1.1.1 255.0.0.0
 no ip mroute-cache
 no keepalive
 ipx network 11
!
interface Serial0
 ip address 10.1.1.1 255.0.0.0
 ip access-group 101 in
 encapsulation frame-relay
 no ip mroute-cache
 frame-relay lmi-type ansi
 crypto map crypmap
!
ip route 4.4.4.4 255.255.255.255 10.1.1.4
!
access-list 100 permit ip host 10.1.1.4 host 10.1.1.1

Router2:
------------
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key tunnel address 10.1.1.1 255.0.0.0
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set cisco
 match address 100
!
interface Tunnel1
 no ip address
 ipx network 1441
 tunnel source Serial0
 tunnel destination 10.1.1.1
 crypto map crypmap
!
interface Ethernet0
 mac-address 0004.0004.0004
 ip address 4.4.4.4 255.0.0.0
 no ip mroute-cache
 no keepalive
 ipx network 44
 no cdp enable
!
interface Serial0
 ip address 10.1.1.4 255.0.0.0
 ip access-group 101 in
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
 crypto map crypmap
!
ip route 1.1.1.1 255.255.255.255 10.1.1.1
!
access-list 100 permit ip host 10.1.1.1 host 10.1.1.4



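The replies above make two points about the posted configs: the crypto access-lists are written backwards (each router's entry has the peer as source and itself as destination), and a GRE-over-IPsec crypto ACL should match gre rather than ip. As an added example that is not part of the thread and not the posters' own tooling, the script below parses the relevant lines of two IOS configs and reports both conditions, plus whether the two ACLs mirror each other. The posted excerpts are taken from the configs in the thread; the "fixed" versions are assumed corrections built from the advice in the replies. Note that the posted ACLs do mirror each other, so a mirror check alone would not have caught the problem; the per-router check against the local address is what flags it.

```python
"""Sanity-check crypto ACLs on a pair of GRE-over-IPsec peers (added example)."""
import re

# The handful of IOS lines the check needs.
ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)",
    re.MULTILINE,
)
PEER_RE = re.compile(r"^\s*set peer\s+(\S+)", re.MULTILINE)
MATCH_RE = re.compile(r"^\s*match address\s+(\d+)", re.MULTILINE)
TUNNEL_DST_RE = re.compile(r"^\s*tunnel destination\s+(\S+)", re.MULTILINE)


def parse_crypto(config):
    """Return the IPsec peer, the crypto ACL number the map references, that
    ACL's host-to-host entry, and whether a GRE tunnel interface exists."""
    peer = PEER_RE.search(config)
    acl_ref = MATCH_RE.search(config)
    if peer is None or acl_ref is None:
        raise ValueError("no 'set peer' / 'match address' found in config")
    acl_num = acl_ref.group(1)
    entry = None
    for num, proto, src, dst in ACL_RE.findall(config):
        if num == acl_num:
            entry = (proto, src, dst)
    return {"peer": peer.group(1), "acl": acl_num, "entry": entry,
            "gre_tunnel": TUNNEL_DST_RE.search(config) is not None}


def check_router(local_addr, info):
    """Findings for one router; local_addr is the address its crypto map sits on."""
    if info["entry"] is None:
        return ["crypto map references access-list %s, which has no host entry" % info["acl"]]
    findings = []
    proto, src, dst = info["entry"]
    if src == info["peer"] and dst == local_addr:
        findings.append("crypto ACL reversed: source is the peer, destination is local")
    elif not (src == local_addr and dst == info["peer"]):
        findings.append("crypto ACL %s does not describe local -> peer traffic" % info["acl"])
    if info["gre_tunnel"] and proto == "ip":
        findings.append("crypto ACL matches 'ip' but the protected traffic is GRE; match 'gre'")
    return findings


def check_pair(local1, cfg1, local2, cfg2):
    """Per-router findings plus a check that the two crypto ACLs mirror each other."""
    i1, i2 = parse_crypto(cfg1), parse_crypto(cfg2)
    report = {"router1": check_router(local1, i1),
              "router2": check_router(local2, i2), "mirror": []}
    if i1["entry"] and i2["entry"]:
        p1, s1, d1 = i1["entry"]
        p2, s2, d2 = i2["entry"]
        if not (p1 == p2 and s1 == d2 and d1 == s2):
            report["mirror"].append("crypto ACLs are not mirror images of each other")
    return report


# Excerpts of the two configs posted in the thread (only the lines the check reads).
R1_POSTED = """\
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.4
 match address 100
!
interface Tunnel4
 tunnel source Serial0
 tunnel destination 10.1.1.4
 crypto map crypmap
!
interface Serial0
 ip address 10.1.1.1 255.0.0.0
 crypto map crypmap
!
access-list 100 permit ip host 10.1.1.4 host 10.1.1.1
"""
R2_POSTED = R1_POSTED.replace("Tunnel4", "Tunnel1").replace(
    "set peer 10.1.1.4", "set peer 10.1.1.1").replace(
    "tunnel destination 10.1.1.4", "tunnel destination 10.1.1.1").replace(
    "ip address 10.1.1.1", "ip address 10.1.1.4").replace(
    "permit ip host 10.1.1.4 host 10.1.1.1", "permit ip host 10.1.1.1 host 10.1.1.4")

# Assumed corrections: local -> peer ordering and protocol gre, as the replies advise.
R1_FIXED = R1_POSTED.replace("permit ip host 10.1.1.4 host 10.1.1.1",
                             "permit gre host 10.1.1.1 host 10.1.1.4")
R2_FIXED = R2_POSTED.replace("permit ip host 10.1.1.1 host 10.1.1.4",
                             "permit gre host 10.1.1.4 host 10.1.1.1")

if __name__ == "__main__":
    for label, a, b in (("posted", R1_POSTED, R2_POSTED), ("fixed", R1_FIXED, R2_FIXED)):
        print(label, check_pair("10.1.1.1", a, "10.1.1.4", b))
```

Running it prints two reversed/ip findings per router for the posted configs with an empty mirror list, and no findings at all for the corrected pair.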
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:59 GMT-3