From: Mark Salmon (masalmon@xxxxxxxxx)
Date: Mon Apr 16 2001 - 08:51:20 GMT-3
I used ping from a subnet that is supposed to be encrypted. I also turned on
debug ip sec on the remote router. I first disable IP Sec then make sure I can
ping. If that works, I then turn on IP sec on one router only. I try to ping
again. That should fail. I then configure it on both routers and if done
right, it should be successful.

"Corey M. Ellis" wrote:
> Hi all,
>
> I have configured IPSEC, what I have done is tunneled ISIS between r5<-->r1.
> I created a loopback on each router and put the interface in ISIS.
> Everything was good in the IP routing table, and you could ping each
> loopback. Now I wanted to encrypt this traffic. I configured IPSEC but now
> I want to make sure it is working, I cut on all the crypto debug options,
> but I don't get anything, so how do you know if the encryption is taking
> place? Please give show and debug commands to verify IPSEC.
>
> Thanks
>
> Corey M. Ellis
>
> Configs
>
> ##### R5 #######
>
> Current configuration:
> !
> ! Last configuration change at 09:09:12 UTC Sun Apr 15 2001
> ! NVRAM config last updated at 03:48:40 UTC Sun Apr 15 2001
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r5
> !
> !
> username r6ip password 0 ciscoip
> username r6ipx password 0 ciscoip
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> ip multicast-routing
> ip dvmrp route-limit 20000
> clns routing
> ipx routing 0005.0005.0005
> isdn switch-type basic-ni
> cns event-service server
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key ciscoipsec address 10.10.1.1
> !
> !
> crypto ipsec transform-set mydesmd5 esp-des esp-md5-hmac
> !
> crypto map CRYPTOMAP 10 ipsec-isakmp
> set peer 10.10.1.1
> set transform-set mydesmd5
> match address 120
> !
> !
> !
> !
> interface Loopback0
> ip address 5.5.5.5 255.255.255.0
> ip pim dense-mode
> ip igmp join-group 226.6.6.6
> !
> interface Loopback1
> ip address 10.10.5.5 255.255.255.0
> ip router isis
> !
> interface Tunnel0
> ip address 10.10.1.5 255.255.255.0
> ip router isis
> tunnel source 5.5.5.5
> tunnel destination 1.1.1.1
> crypto map CRYPTOMAP
> !
> interface Ethernet0
> no ip address
> shutdown
> !
> interface Serial0
> no ip address
> encapsulation frame-relay
> !
> interface Serial0.1 multipoint
> ip address 172.16.1.5 255.255.255.0
> ip pim dense-mode
> ip ospf network point-to-multipoint
> ipx network 6540
> no ipx split-horizon eigrp 1
> frame-relay map ip 172.16.1.4 504 broadcast
> frame-relay map ip 172.16.1.6 506 broadcast
> frame-relay map ipx 6540.0004.0004.0004 504 broadcast
> frame-relay map ipx 6540.0006.0006.0006 506 broadcast
> !
> interface Serial0.2 point-to-point
> ip address 172.16.2.5 255.255.255.0
> ip pim dense-mode
> ipx network 5003
> frame-relay interface-dlci 503
> !
> interface Serial1
> no ip address
> shutdown
> !
> interface Serial2
> no ip address
> shutdown
> !
> interface Serial3
> no ip address
> shutdown
> !
> interface BRI0
> no ip address
> encapsulation ppp
> shutdown
> dialer pool-member 1
> isdn switch-type basic-ni
> isdn spid1 3840200001 384020
> isdn spid2 3840200002 384030
> no peer neighbor-route
> ppp authentication chap
> !
> interface Dialer0
> ip address 172.16.15.5 255.255.255.0
> encapsulation ppp
> dialer remote-name r6ip
> dialer pool 1
> dialer max-call 4096
> dialer-group 2
> ppp authentication chap
> !
> interface Dialer1
> no ip address
> encapsulation ppp
> dialer remote-name r6ipx
> dialer pool 1
> dialer max-call 4096
> dialer-group 3
> ipx network 5006
> snapshot server 5
> ppp authentication chap
> !
> router ospf 1
> summary-address 172.16.240.0 255.255.248.0
> redistribute rip subnets
> network 5.5.5.0 0.0.0.255 area 0
> network 172.16.1.0 0.0.0.255 area 0
> network 172.16.15.0 0.0.0.255 area 15
> !
> router isis
> net 49.0001.5555.5555.5555.00
> !
> router rip
> version 1
> redistribute ospf 1
> passive-interface default
> no passive-interface Dialer1
> no passive-interface Loopback1
> no passive-interface Serial0.2
> no passive-interface Tunnel0
> network 172.16.0.0
> default-information originate
> default-metric 3
> no auto-summary
> !
> router bgp 6000
> bgp confederation identifier 1
> bgp confederation peers 6001
> neighbor 6.6.6.6 remote-as 6000
> neighbor 6.6.6.6 update-source Loopback0
> neighbor 172.16.1.4 remote-as 6001
> no auto-summary
> !
> ip classless
> no ip http server
> !
> access-list 101 deny ospf any any
> access-list 101 permit ip any any
> access-list 120 permit ip 10.10.5.0 0.0.0.255 10.10.6.0 0.0.0.255
> dialer-list 1 protocol ip list 101
> dialer-list 2 protocol ip permit
> dialer-list 3 protocol ipx permit
> !
> !
> !
> ipx router eigrp 1
> network 6540
> !
> !
> ipx router rip
> no network 6540
> !
> !
> !
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> transport input none
> line aux 0
> line vty 0 4
> exec-timeout 0 0
> logging synchronous
> login
> !
> ntp authentication-key 1 md5 060506324F41 7
> ntp authenticate
> ntp trusted-key 1
> ntp master 2
> end
>
> ###### R1 ######
>
> Current configuration:
> !
> ! Last configuration change at 08:58:12 UTC Sun Apr 15 2001
> ! NVRAM config last updated at 03:48:25 UTC Sun Apr 15 2001
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r1
> !
> !
> username all
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> ip multicast-routing
> ip dvmrp route-limit 20000
> clns routing
> ipx routing 0001.0001.0001
> ipx internal-network 11
> cns event-service server
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key ciscoipsec address 10.10.1.5
> !
> !
> crypto ipsec transform-set mydesmd5 esp-des esp-md5-hmac
> !
> crypto map CRYPTOMAP 10 ipsec-isakmp
> set peer 10.10.1.5
> set transform-set mydesmd5
> match address 120
> !
> !
> !
> !
> interface Loopback0
> ip address 172.16.50.26 255.255.255.252
> ipx network 1110
> !
> interface Loopback1
> ip address 172.16.50.29 255.255.255.252
> ipx network 1111
> !
> interface Loopback2
> ip address 172.16.50.33 255.255.255.252
> ipx network 1112
> !
> interface Loopback3
> ip address 1.1.1.1 255.255.255.0
> ip pim dense-mode
> ipx network 1113
> !
> interface Loopback4
> ip address 10.10.6.1 255.255.255.0
> ip router isis
> !
> interface Tunnel0
> no ip address
> ipx network 1004
> ipx nlsp enable
> tunnel source 1.1.1.1
> tunnel destination 4.4.4.4
> !
> interface Tunnel1
> ip address 10.10.1.1 255.255.255.0
> ip router isis
> tunnel source 1.1.1.1
> tunnel destination 5.5.5.5
> crypto map CRYPTOMAP
> !
> interface Ethernet0
> no ip address
> shutdown
> !
> interface Serial0
> ip address 172.16.129.1 255.255.252.0
> ip pim dense-mode
> ip summary-address eigrp 1 172.16.50.0 255.255.255.192 5
> no fair-queue
> !
> interface Serial1
> ip address 11.11.11.1 255.255.255.0
> ip pim dense-mode
> !
> router eigrp 1
> redistribute bgp 6001
> network 1.1.1.0 0.0.0.255
> network 172.16.0.0
> no auto-summary
> !
> router isis
> net 49.0001.1111.1111.1111.00
> !
> router bgp 6001
> bgp confederation identifier 1
> bgp confederation peers 6000
> neighbor 4.4.4.4 remote-as 6001
> neighbor 11.11.11.2 remote-as 2
> no auto-summary
> !
> ip classless
> no ip http server
> !
> access-list 120 permit ip 10.10.6.0 0.0.0.255 10.10.5.0 0.0.0.255
> !
> !
> !
> ipx router nlsp
> area-address 0 0
> !
> !
> no ipx router rip
> !
> !
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> transport input none
> line aux 0
> line vty 0 4
> exec-timeout 0 0
> logging synchronous
> login
> !
> ntp authentication-key 1 md5 070C285F4D06 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179994
> ntp peer 4.4.4.4
> end
> **Please read:http://www.groupstudy.com/list/posting.html

--
Mark Salmon
Network Support Engineer - SBC OP HQ
Cisco Systems Inc
8735 W. Higgins Road Suite 300
Chicago IL 60631
Phone:773-695-8235
Pager:800-365-4578
email: masalmon@cisco.com
Empowering The Internet Generation.
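
The reply's test depends on pinging "from a subnet that is supposed to be encrypted", which for these configs means a source/destination pair that crypto ACL 120 permits. The following is an added example, not part of the original posts: a small Python check (helper names are hypothetical) that evaluates the two ACL 120 lines from the quoted configs against address pairs taken from the configured interfaces, and confirms the two peers' ACLs mirror each other. It handles only the `permit|deny ip <addr> <wildcard> <addr> <wildcard>` form used on this page.

```python
import ipaddress
import re

# ACL 120 lines copied from the r5 and r1 configs quoted above.
R5_ACL = "access-list 120 permit ip 10.10.5.0 0.0.0.255 10.10.6.0 0.0.0.255"
R1_ACL = "access-list 120 permit ip 10.10.6.0 0.0.0.255 10.10.5.0 0.0.0.255"

ACL_RE = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def _ip(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """Parse one 'permit|deny ip <addr> <wildcard> <addr> <wildcard>' entry."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, src, src_wc, dst, dst_wc = m.groups()
    return {"action": action,
            "src": (_ip(src), _ip(src_wc)),
            "dst": (_ip(dst), _ip(dst_wc))}

def _hit(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)

def is_protected(aces, src, dst):
    """True if the first matching entry is a permit (traffic gets encrypted).
    No match falls through to the implicit deny: the packet is sent in clear."""
    for ace in aces:
        if _hit(src, *ace["src"]) and _hit(dst, *ace["dst"]):
            return ace["action"] == "permit"
    return False

def is_mirror(a, b):
    """Crypto ACLs on the two peers should be source/destination mirrors."""
    return (a["action"] == b["action"]
            and a["src"] == b["dst"] and a["dst"] == b["src"])

if __name__ == "__main__":
    r5, r1 = parse_ace(R5_ACL), parse_ace(R1_ACL)
    print("ACLs mirrored:", is_mirror(r5, r1))
    # (source, destination) pairs as seen from r5, using interface addresses
    # from the quoted configs: Loopback1, Tunnel0 and Loopback0 as sources.
    for src, dst in [("10.10.5.5", "10.10.6.1"), ("10.10.1.5", "10.10.6.1"),
                     ("5.5.5.5", "1.1.1.1")]:
        print(f"{src} -> {dst}: protected={is_protected([r5], src, dst)}")
```

Only the pair sourced from Loopback1 (10.10.5.5) matches ACL 120; a ping sourced from the tunnel address or from Loopback0 does not, so it would not exercise the crypto map.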
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:47 GMT-3