From: Gannon, Stephen [IT] (stephen.gannon@xxxxxxxxxxxxx)
Date: Thu Apr 18 2002 - 10:23:49 GMT-3
Dustin,
I think you need a "crypto map telnet" on the serial interfaces as well.
SG
-----Original Message-----
From: Dustin.Yates@ercgroup.com [mailto:Dustin.Yates@ercgroup.com]
Sent: Wednesday, April 17, 2002 11:19 PM
To: ccielab@groupstudy.com
Subject: IPSec Lab Part 2
I'm working an IPSec series of labs that does have the solution for this
task. I put it on my lab routers, but I'm not sure if it's correct. Any
concerns with what I've proposed as a solution?
Requirement:
Provide for encryption of telnet sessions between R1's serial 0 interface
(1.1.1.1) and R2's serial 0 interface (2.2.2.2) through a GRE tunnel. Only
encrypt the telnet traffic.
My Solution:
on r1:
crypto isakmp policy 10
 auth pre-share
crypto isakmp key telnet-tunnel address 2.2.2.2
crypto ipsec transform-set telnet esp-des
crypto map telnet 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set telnet
 match address 100
int tunnel 0
 ip unnumbered
 tunnel source serial 0
 tunnel destination 2.2.2.2
 crypto map telnet
int serial 0
 ip policy route-map telnet
route-map telnet permit 10
 match ip address 150
 set interface tunnel 0
access-list 100 permit gre host 1.1.1.1 host 2.2.2.2
access-list 150 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
on r2:
crypto isakmp policy 10
 auth pre-share
crypto isakmp key telnet-tunnel address 1.1.1.1
crypto ipsec transform-set telnet esp-des
crypto map telnet 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set telnet
 match address 100
int tunnel 0
 ip unnumbered
 tunnel source serial 0
 tunnel destination 1.1.1.1
 crypto map telnet
int serial 0
 ip policy route-map telnet
route-map telnet permit 10
 match ip address 150
 set interface tunnel 0
access-list 100 permit gre host 2.2.2.2 host 1.1.1.1
access-list 150 permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet
TIA! dy
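The point raised in the reply (a crypto map on the tunnel interface but not on the serial interface it is sourced from) can be checked mechanically. The following is an added example, not part of the original thread: the function names are hypothetical, the sample config is constructed from the R1 configuration above, and it assumes indented sub-commands and a "tunnel source" that names an interface rather than an address.

```python
import re

# Constructed sample: part of R1's config from the thread, with sub-commands
# indented one space the way the router displays them.
R1_CONFIG = """\
crypto map telnet 10 ipsec-isakmp
 set peer 2.2.2.2
 match address 100
int tunnel 0
 tunnel source serial 0
 tunnel destination 2.2.2.2
 crypto map telnet
int serial 0
 ip policy route-map telnet
"""

def norm(name):
    """Normalize an interface name: 'Serial 0' and 'serial0' compare equal."""
    return re.sub(r"\s+", "", name).lower()

def parse_interfaces(config):
    """Return {interface: [sub-commands]} from indented IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line or line == "!":
            continue
        if raw[0].isspace():              # sub-command of the current section
            if current is not None:
                interfaces[current].append(line)
            continue
        m = re.match(r"int(?:erface)?\s+(.+)", line)
        current = norm(m.group(1)) if m else None   # other sections are skipped
        if m:
            interfaces[current] = []
    return interfaces

def missing_crypto_maps(config):
    """List (source interface, map name) pairs where a tunnel interface has a
    crypto map applied but its 'tunnel source' interface does not."""
    interfaces = parse_interfaces(config)
    findings = []
    for cmds in interfaces.values():
        maps = [c.split()[2] for c in cmds if c.startswith("crypto map ")]
        sources = [norm(c[len("tunnel source"):]) for c in cmds
                   if c.startswith("tunnel source ")]
        findings += [(s, m) for s in sources for m in maps
                     if f"crypto map {m}" not in interfaces.get(s, [])]
    return findings

if __name__ == "__main__":
    print(missing_crypto_maps(R1_CONFIG))
```

Abbreviated interface names such as "s0" are not expanded, so the input should use the same spelling in the interface line and the "tunnel source" line.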