From: Chuck Church (ccie8776@rochester.rr.com)
Date: Wed Feb 19 2003 - 20:03:29 GMT-3
No, it's not really what I meant. You can use an extended ping to bring up
the tunnel, but in the diagram below:
host a---ethernet---RTRa-----serial-----RTRb---ethernet-- host b
You want a tunnel between RTRa and RTRb. You cannot put the cryptomaps on
any interfaces other than the serial interfaces.
Chuck Church
CCIE #8776, MCNE, MCSE
----- Original Message -----
From: "OhioHondo" <ohiohondo@columbus.rr.com>
To: "Chuck Church" <ccie8776@rochester.rr.com>; "Cezar Fistik"
<cfistik@moldovacc.md>; <ccielab@groupstudy.com>
Sent: Wednesday, February 19, 2003 4:25 PM
Subject: RE: IPSec and first 5 pings timeout
> Chuck
>
> I have used router interfaces for extended pings that have been processed
> by a crypto map on the same router. (i.e. a 2611 with a crypto map on e0/0.
> Successfully do an extended ping, that is processed by the crypto map,
> from the IP address on interface e0/1.) Maybe that's not what you meant.
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Chuck Church
> Sent: Wednesday, February 19, 2003 1:56 PM
> To: Cezar Fistik; ccielab@groupstudy.com
> Subject: Re: IPSec and first 5 pings timeout
>
>
> Yes, and yes. Cryptomaps will only work with traffic coming into the
> router on that interface. The router can't do crypto stuff to packets that
> are already internal to the router. As far as the time delay for the tunnel
> to form, it's normal, especially with 2500s. 2600s and higher are much
> faster. Only takes a second or two for the tunnel to form.
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
>
>
> ----- Original Message -----
> From: "Cezar Fistik" <cfistik@moldovacc.md>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, February 19, 2003 11:18 AM
> Subject: IPSec and first 5 pings timeout
>
>
> > Hi all,
> >
> > Yesterday I spent some time playing with IPSec, although I'm not sure
> > that this topic could appear on the R&S lab. Anyway, here's what I noticed.
> >
> > 1. I couldn't make it work when the crypto map is applied to the
> > interface that is on the protected network. Only when I moved the crypto
> > maps to the interfaces that connect, let's say, to the rest of the
> > network, it started to work. Is it normal? I used pre-shared key
> > authentication.
> >
> > 2. When I tried to ping a host on the other side of the IPSec tunnel
> > and if the IPSec tunnel is not established, the first 5 pings timeout. I
> > understand that this is due to ipsec and isakmp parameters negotiations
> > and so on.. but is it normal? Does it always work this way?
> >
> > Thank you very much
> > Cezar Fistik
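
The placement discussed in this thread, shown as an added example that is not part of the original messages: a crypto map for RTRa in the diagram, bound to the serial interface facing RTRb and not to the Ethernet interface on the protected network. All addresses, the map, transform-set and ACL names, the key placeholder and the algorithm choices are assumptions made for illustration.

```cisco
! Added example, not from the thread. Constructed topology:
!   host a LAN 10.1.1.0/24 -- RTRa S0 192.0.2.1 ---- 192.0.2.2 S0 RTRb -- host b LAN 10.2.2.0/24
!
! ISAKMP (phase 1) with pre-shared key authentication, as in the original question.
! Algorithm and group choices are placeholders; use what your IOS release supports.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE_SHARED_KEY> address 192.0.2.2
!
! IPsec (phase 2) transform set
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
!
! Traffic to protect: LAN to LAN only. RTRb needs the mirror-image ACL.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES
 match address 101
!
! Protected-network interface: no crypto map is applied here.
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
! Interface facing the peer: the crypto map is applied here.
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN-MAP
!
! Checks from exec mode. Source the ping from the LAN address so it matches
! ACL 101; the first echoes can time out while ISAKMP and IPsec negotiate.
!   ping 10.2.2.1 source 10.1.1.1
!   show crypto isakmp sa
!   show crypto ipsec sa
```

If `show crypto ipsec sa` shows the encaps counter staying at zero after the ping, the traffic is not matching ACL 101 or is not leaving through Serial0.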
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:29 GMT-3