From: Hunt Lee (ciscoforme3@yahoo.com.au)
Date: Thu Nov 21 2002 - 10:39:54 GMT-3
I have 2 questions:
1)
                          IPSec
172.16.1.1/24 ----- RTA ============== RTB ------ 172.16.2.1/24
                     |                  |
              192.168.1.0/24      192.168.2.0/24
Here are more info:-
RTA's Serial0 (connecting to RTB) - 10.64.10.13/27
RTB's Serial1 (connecting back to RTA) - 10.64.10.14/27
Both RTA & RTB are running EIGRP.
As per CCO, IPSec (without GRE) does not transfer routing protocols such as EIGRP /
OSPF etc. I have tested this on the above topology, but I can get the EIGRP routes
across from RTA to RTB & vice versa. What am I missing??
And here are the configs:-
RTA:-
crypto isakmp policy 15
hash md5
authentication pre-share
!
crypto isakmp key 1234a address 10.64.10.14
!
!
crypto ipsec transform-set setOne esp-des esp-md5-hmac
!
crypto map combined local-address Serial1
!
crypto map combined 8 ipsec-isakmp
set peer 10.64.10.14
set transform-set setOne
match address 101
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
!
interface Serial0
ip address 172.16.1.1 255.255.255.0
no fair-queue
!
interface Serial1
ip address 10.64.10.13 255.255.255.224
no ip route-cache
no ip mroute-cache
clockrate 64000
crypto map combined
!
router eigrp 1
network 10.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
RTB:-
crypto isakmp policy 5
hash md5
authentication pre-share
!
!
crypto isakmp key 1234a address 10.64.10.13
!
crypto ipsec transform-set setTwo esp-des esp-md5-hmac
!
crypto map combined local-address Serial0
!
crypto map combined 13 ipsec-isakmp
set peer 10.64.10.13
set transform-set setTwo
match address 101
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0
ip address 172.16.2.1 255.255.255.0
!
interface Serial0
ip address 10.64.10.14 255.255.255.224
no fair-queue
crypto map combined
!
!
router eigrp 1
network 10.0.0.0
network 172.16.2.0 0.0.0.255
network 192.168.2.0
no auto-summary
no eigrp log-neighbor-changes
!
!
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
*** So instead of getting the EIGRP routes via the Tunnel 0 interface, I'm getting them via
the outgoing interface (Serial 0), & the IPSec still works. So what am I missing,
and how does it make a difference if I use GRE over IPSec? I also tested RIPv2 &
got similar results.
RTA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.1.0 is directly connected, Serial0
D 172.16.2.0 [90/2195456] via 10.64.10.14, 00:36:16, Serial1
10.0.0.0/27 is subnetted, 1 subnets
C 10.64.10.0 is directly connected, Serial1
C 192.168.1.0/24 is directly connected, Loopback0
D 192.168.2.0/24 [90/2297856] via 10.64.10.14, 01:24:52, Serial1
RTA#
RTA#sh crypto engine connections act
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial1 10.64.10.13 set HMAC_MD5+DES_56_CB 0 0
2000 Serial1 10.64.10.13 set HMAC_MD5+DES_56_CB 0 6
2001 Serial1 10.64.10.13 set HMAC_MD5+DES_56_CB 6 0
RTA#
2)
Most configs / examples I found on CCO and books use:
crypto ipsec transform-set setTwo esp-des
so when would one use:
crypto ipsec transform-set setTwo esp-des <mode transport> ??
Or is it generally not needed / recommended to use the mode transport? If anyone can give me some config e.g., that would be greatly appreciated.
Thanks, HL
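Added example (not part of the post above, and not Cisco code): it models what crypto map "combined" does with each packet leaving RTA's Serial1, using the post's peer addresses and access-list 101, and shows why EIGRP hellos between the serial addresses, and loopback-to-loopback traffic, never enter IPsec and cross the link in the clear. The GRE-over-IPsec crypto ACL, the assumption that the tunnel endpoints are the serial addresses, and the sample flows are constructed for the illustration.

```python
import ipaddress

# Addresses taken from the post: RTA Serial1 and RTB Serial0 are the IPsec peers.
PEER_A = ipaddress.ip_address("10.64.10.13")
PEER_B = ipaddress.ip_address("10.64.10.14")
EIGRP_MCAST = "224.0.0.10"   # destination of EIGRP hellos

# RTA's access-list 101 as (source net, destination net); wildcard 0.0.0.255 == /24.
ACL_101 = [(ipaddress.ip_network("172.16.1.0/24"), ipaddress.ip_network("172.16.2.0/24"))]
# Hypothetical crypto ACL for a GRE-over-IPsec variant (not in the post):
# "permit gre host 10.64.10.13 host 10.64.10.14".
ACL_GRE = [(ipaddress.ip_network("10.64.10.13/32"), ipaddress.ip_network("10.64.10.14/32"))]


def matches_crypto_acl(src, dst, acl):
    """True when one of the crypto ACL's permit lines selects this src/dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def classify(src, dst, acl=ACL_101, mode="tunnel"):
    """Disposition of a packet leaving RTA Serial1: (action, outer_src, outer_dst)."""
    if not matches_crypto_acl(src, dst, acl):
        return ("cleartext", src, dst)              # the crypto map ignores it entirely
    if mode == "tunnel":                            # new outer header, peer to peer
        return ("esp-tunnel", str(PEER_A), str(PEER_B))
    # Transport mode keeps the original IP header, so it only applies when the
    # packet's own endpoints are the IPsec peers (RFC 4301 rule).
    if (ipaddress.ip_address(src), ipaddress.ip_address(dst)) == (PEER_A, PEER_B):
        return ("esp-transport", src, dst)
    return ("transport-not-applicable", src, dst)


def via_gre_tunnel(src, dst, acl=ACL_GRE, mode="transport"):
    """GRE over IPsec: the packet is first wrapped in GRE between the tunnel endpoints
    (assumed here to be the serial addresses), so the crypto map sees peer-to-peer
    traffic that a host-to-host crypto ACL matches, whatever the inner addresses are."""
    return classify(str(PEER_A), str(PEER_B), acl=acl, mode=mode)


# Constructed sample packets leaving RTA (not captured from the post's routers).
SAMPLE_FLOWS = [
    ("10.64.10.13", EIGRP_MCAST),    # EIGRP hello on the serial link
    ("10.64.10.13", "10.64.10.14"),  # EIGRP unicast update/ack
    ("172.16.1.1", "172.16.2.1"),    # LAN to LAN, the only traffic ACL 101 selects
    ("192.168.1.1", "192.168.2.1"),  # loopback to loopback: also sent in the clear
]


def summarize(flows=SAMPLE_FLOWS, acl=ACL_101, mode="tunnel"):
    return {f: classify(*f, acl=acl, mode=mode)[0] for f in flows}
```

Only the LAN-to-LAN flow is encrypted, which matches the small Encrypt/Decrypt counters in the "sh crypto engine connections" output while EIGRP adjacency still forms over the bare serial link.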
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:08 GMT-3