From: Justin Menga (Justin.Menga@xxxxxxxxxxxxxxxxxx)
Date: Sun Apr 15 2001 - 23:19:26 GMT-3
Easiest way is to use:
'show crypto engine connect active'
This shows each SA, and has counters for each packet that is encrypted or
decrypted, and is very easy to read.
You can also use 'show crypto ipsec sa', but the information is harder to
find.
Regards,
Justin Menga CCIE #6640 CCNP/CCDP+Voice MCSE+I CCSE
WAN Specialist
Computerland New Zealand
PO Box 3631, Auckland
DDI: (+64) 9 360 4864 Mobile: (+64) 25 349 599
mailto: justin.menga@computerland.co.nz
web: http://www.computerland.co.nz
CAUTION: This e-mail message and accompanying data may contain
information that is confidential and subject to privilege. If you are
not the intended recipient, you are notified that any use,
dissemination, distribution or copying of this message or data is
prohibited. If you have received this e-mail in error, please notify me
immediately and delete all material pertaining to this e-mail. Thank
you.
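The counter check described in the reply above, as an added example that is not part of the original post or of any Cisco tool: take a snapshot of 'show crypto engine connections active' before and after sending test traffic that the crypto ACL actually matches (on r5, ACL 120 only covers 10.10.5.0/24 to 10.10.6.0/24, so the pings must be sourced from Loopback1), then check that both the Encrypt and Decrypt counters moved. The same totals are also pulled out of the denser 'show crypto ipsec sa' output. The sample outputs are constructed to approximate the IOS 12.x format; they were not captured from r1 or r5, and the column layout is an assumption.

```python
"""Confirm an IOS IPsec tunnel is really encrypting by diffing SA packet
counters between two snapshots of 'show crypto engine connections active',
and by totalling the counters in 'show crypto ipsec sa'.  Sample outputs are
constructed approximations of the IOS 12.x format, not captures from r1/r5.
"""
import re
from typing import Dict, NamedTuple


class SaCounters(NamedTuple):
    interface: str
    local_ip: str
    state: str
    algorithm: str
    encrypt: int
    decrypt: int


class Verdict(NamedTuple):
    encrypt_delta: int   # packets the outbound SA encrypted between snapshots
    decrypt_delta: int   # packets the inbound SA decrypted between snapshots
    sa_churn: int        # SA ids that appeared/vanished (rekey or tunnel drop)
    working: bool        # both directions moved


# One row per SA.  The ISAKMP SA keeps a low id and zero counters; the IPsec
# pair uses high ids, inbound counting decrypts and outbound counting encrypts.
_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_engine_connections(text: str) -> Dict[int, SaCounters]:
    """Parse 'show crypto engine connections active' into {SA id: counters}."""
    sas: Dict[int, SaCounters] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            sa_id, iface, ip, state, alg, enc, dec = m.groups()
            sas[int(sa_id)] = SaCounters(iface, ip, state, alg, int(enc), int(dec))
    return sas


def ipsec_verdict(before: str, after: str) -> Verdict:
    """Diff two snapshots.  Only SA ids present in both are compared, so a
    rekey between snapshots shows up as churn rather than a bogus delta."""
    b, a = parse_engine_connections(before), parse_engine_connections(after)
    common = set(a) & set(b)
    enc = sum(a[i].encrypt - b[i].encrypt for i in common)
    dec = sum(a[i].decrypt - b[i].decrypt for i in common)
    churn = len(set(a) ^ set(b))
    return Verdict(enc, dec, churn, enc > 0 and dec > 0)


_SA_PKTS = re.compile(r"#pkts (encaps|decaps): (\d+)")
_SA_ERRS = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text: str) -> Dict[str, int]:
    """Total encaps/decaps/errors across every SA in 'show crypto ipsec sa'."""
    totals = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
    for m in _SA_PKTS.finditer(text):
        totals[m.group(1)] += int(m.group(2))
    for m in _SA_ERRS.finditer(text):
        totals["send_errors"] += int(m.group(1))
        totals["recv_errors"] += int(m.group(2))
    return totals


# Constructed snapshots, as if taken on r5 before and after five pings to
# 10.10.6.1 sourced from Loopback1 (the only traffic ACL 120 matches).
SNAPSHOT_BEFORE = """\
 ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
  1 Tunnel0         10.10.1.5       set    HMAC_MD5+DES_56_CB        0        0
2000 Tunnel0        10.10.1.5       set    HMAC_MD5+DES_56_CB        0       12
2001 Tunnel0        10.10.1.5       set    HMAC_MD5+DES_56_CB       12        0
"""
SNAPSHOT_AFTER = """\
 ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
  1 Tunnel0         10.10.1.5       set    HMAC_MD5+DES_56_CB        0        0
2000 Tunnel0        10.10.1.5       set    HMAC_MD5+DES_56_CB        0       17
2001 Tunnel0        10.10.1.5       set    HMAC_MD5+DES_56_CB       17        0
"""
# Encrypts climbing while decrypts stay flat: this side is sending, but no
# matching traffic is coming back (peer ACL not mirrored, or peer dropping).
SNAPSHOT_ONE_WAY = """\
 ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
  1 Tunnel0         10.10.1.5       set    HMAC_MD5+DES_56_CB        0        0
2000 Tunnel0        10.10.1.5       set    HMAC_MD5+DES_56_CB        0       12
2001 Tunnel0        10.10.1.5       set    HMAC_MD5+DES_56_CB       17        0
"""
IPSEC_SA_SAMPLE = """\
interface: Tunnel0
    Crypto map tag: CRYPTOMAP, local addr. 10.10.1.5
   local  ident (addr/mask/prot/port): (10.10.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.6.0/255.255.255.0/0/0)
   current_peer: 10.10.1.1
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest 17
    #pkts decaps: 17, #pkts decrypt: 17, #pkts verify 17
    #send errors 0, #recv errors 0
"""

if __name__ == "__main__":
    print(ipsec_verdict(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    print(ipsec_verdict(SNAPSHOT_BEFORE, SNAPSHOT_ONE_WAY))
    print(parse_ipsec_sa(IPSEC_SA_SAMPLE))
```

A verdict of working=False with a positive encrypt delta and a zero decrypt delta is the case to look for first: the local router is doing its job, and the problem is on the peer or in the return path. A zero delta in both directions with no SA churn usually means the test traffic never matched the crypto ACL at all, which is also why the crypto debugs stay silent.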
-----Original Message-----
From: Corey M. Ellis [mailto:corey.m.ellis@home.com]
Sent: Monday, April 16, 2001 1:33 PM
To: CCIE Mailist
Subject: How to check if IPSEC is working!!!
Hi all,
I have configured IPSEC, what I have done is tunneled ISIS between r5<-->r1.
I created a loopback on each router and put the interface in ISIS.
Everything was good in the IP routing table, and you could ping each
loopback. Now I wanted to encrypt this traffic. I configured IPSEC but now
I want to make sure it is working, I cut on all the crypto debug options,
but I don't get anything, so how do you know if the encryption is taking
place? Please give show and debug commands to verify IPSEC.
Thanks
Corey M. Ellis
Configs
##### R5 #######
Current configuration:
!
! Last configuration change at 09:09:12 UTC Sun Apr 15 2001
! NVRAM config last updated at 03:48:40 UTC Sun Apr 15 2001
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r5
!
!
username r6ip password 0 ciscoip
username r6ipx password 0 ciscoip
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
ip multicast-routing
ip dvmrp route-limit 20000
clns routing
ipx routing 0005.0005.0005
isdn switch-type basic-ni
cns event-service server
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key ciscoipsec address 10.10.1.1
!
!
crypto ipsec transform-set mydesmd5 esp-des esp-md5-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 10.10.1.1
set transform-set mydesmd5
match address 120
!
!
!
!
interface Loopback0
ip address 5.5.5.5 255.255.255.0
ip pim dense-mode
ip igmp join-group 226.6.6.6
!
interface Loopback1
ip address 10.10.5.5 255.255.255.0
ip router isis
!
interface Tunnel0
ip address 10.10.1.5 255.255.255.0
ip router isis
tunnel source 5.5.5.5
tunnel destination 1.1.1.1
crypto map CRYPTOMAP
!
interface Ethernet0
no ip address
shutdown
!
interface Serial0
no ip address
encapsulation frame-relay
!
interface Serial0.1 multipoint
ip address 172.16.1.5 255.255.255.0
ip pim dense-mode
ip ospf network point-to-multipoint
ipx network 6540
no ipx split-horizon eigrp 1
frame-relay map ip 172.16.1.4 504 broadcast
frame-relay map ip 172.16.1.6 506 broadcast
frame-relay map ipx 6540.0004.0004.0004 504 broadcast
frame-relay map ipx 6540.0006.0006.0006 506 broadcast
!
interface Serial0.2 point-to-point
ip address 172.16.2.5 255.255.255.0
ip pim dense-mode
ipx network 5003
frame-relay interface-dlci 503
!
interface Serial1
no ip address
shutdown
!
interface Serial2
no ip address
shutdown
!
interface Serial3
no ip address
shutdown
!
interface BRI0
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
isdn switch-type basic-ni
isdn spid1 3840200001 384020
isdn spid2 3840200002 384030
no peer neighbor-route
ppp authentication chap
!
interface Dialer0
ip address 172.16.15.5 255.255.255.0
encapsulation ppp
dialer remote-name r6ip
dialer pool 1
dialer max-call 4096
dialer-group 2
ppp authentication chap
!
interface Dialer1
no ip address
encapsulation ppp
dialer remote-name r6ipx
dialer pool 1
dialer max-call 4096
dialer-group 3
ipx network 5006
snapshot server 5
ppp authentication chap
!
router ospf 1
summary-address 172.16.240.0 255.255.248.0
redistribute rip subnets
network 5.5.5.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
network 172.16.15.0 0.0.0.255 area 15
!
router isis
net 49.0001.5555.5555.5555.00
!
router rip
version 1
redistribute ospf 1
passive-interface default
no passive-interface Dialer1
no passive-interface Loopback1
no passive-interface Serial0.2
no passive-interface Tunnel0
network 172.16.0.0
default-information originate
default-metric 3
no auto-summary
!
router bgp 6000
bgp confederation identifier 1
bgp confederation peers 6001
neighbor 6.6.6.6 remote-as 6000
neighbor 6.6.6.6 update-source Loopback0
neighbor 172.16.1.4 remote-as 6001
no auto-summary
!
ip classless
no ip http server
!
access-list 101 deny ospf any any
access-list 101 permit ip any any
access-list 120 permit ip 10.10.5.0 0.0.0.255 10.10.6.0 0.0.0.255
dialer-list 1 protocol ip list 101
dialer-list 2 protocol ip permit
dialer-list 3 protocol ipx permit
!
!
!
ipx router eigrp 1
network 6540
!
!
ipx router rip
no network 6540
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
transport input none
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
ntp authentication-key 1 md5 060506324F41 7
ntp authenticate
ntp trusted-key 1
ntp master 2
end
###### R1 ######
Current configuration:
!
! Last configuration change at 08:58:12 UTC Sun Apr 15 2001
! NVRAM config last updated at 03:48:25 UTC Sun Apr 15 2001
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
!
username all
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
ip multicast-routing
ip dvmrp route-limit 20000
clns routing
ipx routing 0001.0001.0001
ipx internal-network 11
cns event-service server
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key ciscoipsec address 10.10.1.5
!
!
crypto ipsec transform-set mydesmd5 esp-des esp-md5-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 10.10.1.5
set transform-set mydesmd5
match address 120
!
!
!
!
interface Loopback0
ip address 172.16.50.26 255.255.255.252
ipx network 1110
!
interface Loopback1
ip address 172.16.50.29 255.255.255.252
ipx network 1111
!
interface Loopback2
ip address 172.16.50.33 255.255.255.252
ipx network 1112
!
interface Loopback3
ip address 1.1.1.1 255.255.255.0
ip pim dense-mode
ipx network 1113
!
interface Loopback4
ip address 10.10.6.1 255.255.255.0
ip router isis
!
interface Tunnel0
no ip address
ipx network 1004
ipx nlsp enable
tunnel source 1.1.1.1
tunnel destination 4.4.4.4
!
interface Tunnel1
ip address 10.10.1.1 255.255.255.0
ip router isis
tunnel source 1.1.1.1
tunnel destination 5.5.5.5
crypto map CRYPTOMAP
!
interface Ethernet0
no ip address
shutdown
!
interface Serial0
ip address 172.16.129.1 255.255.252.0
ip pim dense-mode
ip summary-address eigrp 1 172.16.50.0 255.255.255.192 5
no fair-queue
!
interface Serial1
ip address 11.11.11.1 255.255.255.0
ip pim dense-mode
!
router eigrp 1
redistribute bgp 6001
network 1.1.1.0 0.0.0.255
network 172.16.0.0
no auto-summary
!
router isis
net 49.0001.1111.1111.1111.00
!
router bgp 6001
bgp confederation identifier 1
bgp confederation peers 6000
neighbor 4.4.4.4 remote-as 6001
neighbor 11.11.11.2 remote-as 2
no auto-summary
!
ip classless
no ip http server
!
access-list 120 permit ip 10.10.6.0 0.0.0.255 10.10.5.0 0.0.0.255
!
!
!
ipx router nlsp
area-address 0 0
!
!
no ipx router rip
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
transport input none
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
ntp authentication-key 1 md5 070C285F4D06 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179994
ntp peer 4.4.4.4
end
**Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:46 GMT-3