Re: IPSEC

From: Brian Lodwick (xpranax@xxxxxxxxxxx)
Date: Sun Oct 07 2001 - 21:06:21 GMT-3


I disagree. My motto: "There is no use for IPSec transport mode yet on a
router." If you use transport mode you are asking the router to strip off the
current IP header (if you do this, how will the packet ever make it back to
the sender?). Transport mode is for secure communications with the router
itself. A good application of IPSec transport mode would be if you had a
UNIX box and you wanted to build tunnels out from there. With a router, if
you want the packets to be RE-ENCAPSULATED over top of the existing IP
packet then you need to use tunnel mode.
In the future I'm sure there will be requirements for, say, SNMP over a tunnel
to communicate with a router?

I believe the problem in your scenario Khaled is that you haven't applied
the crypto map to the physical interface the GRE tunnel is using. If you are
applying a crypto map to a GRE tunnel interface you MUST also apply the
crypto map to the physical interface the GRE tunnel is using.
Also I noticed you don't have an entry for ISAKMP to use an MD5 hash when
establishing the IPSec tunnel.
Good Luck.

>>>Brian

>From: "Mema Dre" <dre_mema@hotmail.com>
>Reply-To: "Mema Dre" <dre_mema@hotmail.com>
>To: knafie@ncr.com.kw
>CC: ccielab@groupstudy.com
>Subject: Re: IPSEC
>Date: Sun, 07 Oct 2001 07:34:38 -0500
>
>If you want to IPSec your tunnel:
>
>1. You have to put IPSec into a transport mode
>2. You have to apply crypto map on physical interface and the tunnel.
>3. Access list 100 must be configured for GRE traffic
>
>
>>From: Khalid Nafie <knafie@ncr.com.kw>
>>Reply-To: Khalid Nafie <knafie@ncr.com.kw>
>>To: "Ccielab (E-mail)" <ccielab@groupstudy.com>
>>Subject: IPSEC
>>Date: Sun, 7 Oct 2001 12:48:50 +0300
>>
>>Dear all,
>> Does anyone know why IPSEC works when I put the crypto map into
>>e2/0 (physical interface), but doesn't work with the same configuration
>>when I put the crypto map into Tunn2? Here is my configuration:
>>thx in advance;
>>
>>
>>crypto isakmp policy 1
>> authentication pre-share
>>crypto isakmp key cisco address 62.7.1.2
>>!
>>!
>>crypto ipsec transform-set cisco esp-des esp-md5-hmac
>>!
>> !
>> crypto map toR2 10 ipsec-isakmp
>> set peer 62.7.1.2
>> set transform-set cisco
>> match address 100
>>!
>>interface Tunnel2
>> ip address 23.1.1.3 255.255.255.0
>> no ip directed-broadcast
>> tunnel source 62.9.3.3
>> tunnel destination 62.7.1.2
>>!
>>interface Ethernet2/0
>> ip address 62.9.3.3 255.255.0.0
>> no ip directed-broadcast
>> crypto map toR2
>>!
>>access-list 100 permit ip host 62.9.3.3 host 62.7.1.2
>>================================================
>>Yours,
>>Khaled Nafie
>>Network Engineer
>>Customer Services
>>MCSE,CCDP,CCNP VOICE ACCESS
>>NCR Corporation, Kuwait
>>Mob.: +965-9872046
>>Tel : +965- 2412201, 2412203
>>Fax : +965-2413075
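For reference, Khaled's configuration reworked along the lines the thread suggests (Mema's three steps plus Brian's ISAKMP hash remark); this is an added example, not a configuration posted by anyone in the thread, and it keeps Khaled's addresses, names and the DES/MD5 algorithms only so that it lines up with his post.

```cisco
! Added example: R3 side of the GRE-over-IPSec setup from Khaled's post.
! Phase 1: Brian's remark - state the hash explicitly instead of relying on the default.
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco address 62.7.1.2
!
! Mema step 1: transport mode. The GRE packets already carry the router's own
! addresses (62.9.3.3 -> 62.7.1.2) as the outer header, so only the GRE payload
! needs protecting; no second IP header is added.
crypto ipsec transform-set cisco esp-des esp-md5-hmac
 mode transport
!
crypto map toR2 10 ipsec-isakmp
 set peer 62.7.1.2
 set transform-set cisco
 match address 100
!
! Mema step 2 / Brian: the crypto map goes on the tunnel interface ...
interface Tunnel2
 ip address 23.1.1.3 255.255.255.0
 no ip directed-broadcast
 tunnel source 62.9.3.3
 tunnel destination 62.7.1.2
 crypto map toR2
!
! ... AND on the physical interface the tunnel packets leave through.
interface Ethernet2/0
 ip address 62.9.3.3 255.255.0.0
 no ip directed-broadcast
 crypto map toR2
!
! Mema step 3: the crypto ACL selects the GRE packets between the tunnel
! endpoints (Khaled's original matched "ip", which covers everything
! between the two hosts, not specifically the tunnel traffic).
access-list 100 permit gre host 62.9.3.3 host 62.7.1.2
```

The peer router mirrors this with the addresses swapped; `show crypto ipsec sa` should then show the 62.9.3.3/62.7.1.2 GRE flow with encaps/decaps counters increasing as traffic crosses Tunnel2. DES and MD5 are retained purely to match the thread and would not be chosen for a new deployment.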



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:14 GMT-3