From: Brian Lodwick (xpranax@xxxxxxxxxxx)
Date: Mon Oct 08 2001 - 09:53:48 GMT-3
No, it's not required, but a lot of people use it so that when ISAKMP is
establishing the IPSec tunnel its communication is more secure.
I do agree with the last person who advised you to set your match list to use
GRE for the protocol. The only part I didn't agree with was the whole bit
about using transport mode. By default it will use tunnel mode, so you
shouldn't have to change anything in your config.
Does your tunnel work now?
If it does, what fixed it?
>>>Brian
>From: Khalid Nafie <knafie@ncr.com.kw>
>To: Brian Lodwick <xpranax@hotmail.com>
>Subject: RE: IPSEC
>Date: Mon, 8 Oct 2001 13:18:57 +0300
>
>Thanks for your effort,
> But am I supposed to use MD5 with the tunnel?
>
>-----Original Message-----
>From: Brian Lodwick [mailto:xpranax@hotmail.com]
>Sent: Sunday, October 07, 2001 5:06 PM
>To: dre_mema@hotmail.com
>Cc: ccielab@groupstudy.com
>Subject: Re: IPSEC
>
>
>I disagree. My motto: "There is no use for IPSec transport mode yet on a
>router." If you use transport mode you are asking the router to strip off
>the current ip header (if you do this how will the packet ever make it back
>to the sender?). Transport mode is for secure communications with the router
>itself. A good application of IPSec transport mode would be if you had a
>UNIX box and you wanted to build tunnels out from there. With a router, if
>you want the packets to be RE-ENCAPSULATED over top of the existing ip
>packet then you need to use tunnel mode.
>In the future I'm sure there will be requirements for, say, SNMP over a
>tunnel to communicate with a router?
>
>I believe the problem in your scenario Khaled is that you haven't applied
>the crypto map to the physical interface the GRE tunnel is using. If you
>are applying a crypto map to a GRE tunnel interface you MUST also apply the
>crypto map to the physical interface the GRE tunnel is using.
>Also I noticed you don't have an entry for ISAKMP to use MD5 when
>establishing the IPSec tunnel.
>Good Luck.
>
> >>>Brian
>
> >From: "Mema Dre" <dre_mema@hotmail.com>
> >Reply-To: "Mema Dre" <dre_mema@hotmail.com>
> >To: knafie@ncr.com.kw
> >CC: ccielab@groupstudy.com
> >Subject: Re: IPSEC
> >Date: Sun, 07 Oct 2001 07:34:38 -0500
> >
> >If you want to IPSec your tunnel:
> >
> >1. You have to put IPSec into a transport mode
> >2. You have to apply crypto map on physical interface and the tunnel.
> >3. Access list 100 must be configured for GRE traffic
> >
> >
> >>From: Khalid Nafie <knafie@ncr.com.kw>
> >>Reply-To: Khalid Nafie <knafie@ncr.com.kw>
> >>To: "Ccielab (E-mail)" <ccielab@groupstudy.com>
> >>Subject: IPSEC
> >>Date: Sun, 7 Oct 2001 12:48:50 +0300
> >>
> >>Dear all,
> >> Does anyone know why IPSEC works when I put the crypto map on the
> >>e2/0 (physical interface), but doesn't work with the same configuration
> >>when I put the crypto map on Tunn2? Here is my configuration:
> >>Thanks in advance;
> >>
> >>
> >>crypto isakmp policy 1
> >> authentication pre-share
> >>crypto isakmp key cisco address 62.7.1.2
> >>!
> >>!
> >>crypto ipsec transform-set cisco esp-des esp-md5-hmac
> >>!
> >>!
> >>crypto map toR2 10 ipsec-isakmp
> >> set peer 62.7.1.2
> >> set transform-set cisco
> >> match address 100
> >>!
> >>interface Tunnel2
> >> ip address 23.1.1.3 255.255.255.0
> >> no ip directed-broadcast
> >> tunnel source 62.9.3.3
> >> tunnel destination 62.7.1.2
> >>!
> >>interface Ethernet2/0
> >> ip address 62.9.3.3 255.255.0.0
> >> no ip directed-broadcast
> >> crypto map toR2
> >>!
> >>access-list 100 permit ip host 62.9.3.3 host 62.7.1.2
> >>================================================
> >>Yours,
> >>Khaled Nafie
> >>Network Engineer
> >>Customer Services
> >>MCSE,CCDP,CCNP VOICE ACCESS
> >>NCR Corporation, Kuwait
> >>Mob.: +965-9872046
> >>Tel : +965- 2412201, 2412203
> >>Fax : +965-2413075
> >>Having trouble posting? Read:
> >>http://www.groupstudy.com/list/posting.html
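Putting the thread's advice together, here is an added example of what the R3 side of the configuration looks like with the suggested changes applied: the crypto ACL matches only GRE between the tunnel endpoints, the crypto map is on both the tunnel interface and the physical interface it rides on, and the ISAKMP policy carries an explicit MD5 hash. This is not Khaled's config or anything from the list; it reuses the addresses from his post and leaves tunnel mode as the default, as Brian suggested. The `encryption des` and `group 1` lines are the IOS defaults of that era, spelled out only so they are visible.

```cisco
! R3 (62.9.3.3 side). Constructed example based on the thread's addresses,
! not the original poster's configuration.
!
! Phase 1 (ISAKMP). "hash md5" is the entry Brian pointed out was missing.
! des and group 1 are the old-IOS defaults, written out for clarity.
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key cisco address 62.7.1.2
!
! Phase 2 (IPSec). No "mode" line: tunnel mode is the default, so the ESP
! packet gets its own outer IP header on top of the GRE packet.
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map toR2 10 ipsec-isakmp
 set peer 62.7.1.2
 set transform-set cisco
 match address 100
!
! The GRE tunnel itself. If the crypto map is applied here, it must also be
! applied to the physical interface the tunnel source lives on (below).
interface Tunnel2
 ip address 23.1.1.3 255.255.255.0
 tunnel source 62.9.3.3
 tunnel destination 62.7.1.2
 crypto map toR2
!
! Physical egress interface for the tunnel. The crypto map is applied here
! regardless of whether it is also on Tunnel2.
interface Ethernet2/0
 ip address 62.9.3.3 255.255.0.0
 crypto map toR2
!
! Crypto ACL: match only the GRE (IP protocol 47) packets between the two
! tunnel endpoints, rather than all IP between the two addresses.
access-list 100 permit gre host 62.9.3.3 host 62.7.1.2
```

R2 mirrors this with the addresses swapped (`set peer 62.9.3.3`, `tunnel source 62.7.1.2`, `tunnel destination 62.9.3.3`, and `access-list 100 permit gre host 62.7.1.2 host 62.9.3.3`). To check it, send traffic across the tunnel (a ping to R2's tunnel address) and then look at `show crypto isakmp sa` for a QM_IDLE phase 1 SA and `show crypto ipsec sa` for non-zero `pkts encaps` and `pkts decaps` counters on the Ethernet2/0 map; if encaps rise on one side but decaps stay at zero on the other, the ACLs are not mirror images. `mode transport` under the transform-set is the alternative Mema Dre proposed: it protects the GRE payload while keeping the GRE packet's own IP header, which works because the GRE endpoints and the IPSec peers are the same two addresses. On later IOS releases crypto maps on tunnel interfaces are superseded by `tunnel protection ipsec profile`, which removes the need to apply the map on two interfaces at all.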
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:14 GMT-3