Re: IPSec and first 5 pings timeout

From: Paul Lalonde (plalonde2@cogeco.ca)
Date: Wed Feb 19 2003 - 13:31:42 GMT-3


Hi Cezar,

Yes, the crypto maps get applied to the external interface. This is because
IPSEC terminates onto the public (i.e. Internet) interface.

And yes, PING timeouts are common on the first IPSEC connection, but in my
experience, the security associations get built within the 1st or 2nd PING
packet. But as long as the SA gets built and PINGs get through, everything
looks good!

Regards,
Paul Lalonde
----- Original Message -----
From: "Cezar Fistik" <cfistik@moldovacc.md>
To: <ccielab@groupstudy.com>
Sent: Wednesday, February 19, 2003 11:18 AM
Subject: IPSec and first 5 pings timeout

> Hi all,
>
> Yesterday I spent some time playing with IPSec although I'm not sure
> that this topic could appear on R&S lab. Anyway, here's what I noticed.
>
> 1. I couldn't make it work when the crypto map is applied to the interface
> that is on protected network. Only when I moved the crypto maps to the
> interfaces that connect, let's say to the rest of the network, it started to
> work. Is it normal? I used pre-shared key authentication.
>
> 2. When I tried to ping a host on the other side of the IPSec tunnel
> and if the IPSec tunnel is not established, the first 5 pings timeout. I
> understand that this is due to ipsec and isakmp parameters negotiations and
> so on... but is it normal? Does it always work this way?
>
> Thank you very much
> Cezar Fistik
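
The placement discussed in this thread, as an added example that is not part of either original message: a minimal IOS site-to-site configuration with pre-shared key authentication where the crypto map sits on the outside interface. All addresses, interface names, the ACL number, the map and transform-set names and the key are constructed placeholders.

```cisco
! Constructed example, not taken from the thread.
! Local protected LAN 10.1.1.0/24, outside address 192.0.2.1.
! Remote peer 198.51.100.1, remote protected LAN 10.2.2.0/24.
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
! Placeholder key: replace with a long random secret shared with the peer.
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
!
crypto ipsec transform-set TS-EXAMPLE esp-aes esp-sha-hmac
 mode tunnel
!
! "Interesting traffic": only packets matching this ACL are encrypted.
! The first matching packet triggers the ISAKMP/IPSec negotiation; packets
! sent before the SAs exist are not forwarded, hence the initial ping timeouts.
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map CM-EXAMPLE 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-EXAMPLE
 match address 110
!
interface FastEthernet0/0
 description Inside, protected LAN (no crypto map here)
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0/0
 description Outside, faces the peer (the tunnel terminates here)
 ip address 192.0.2.1 255.255.255.0
 crypto map CM-EXAMPLE
!
! Traffic for the remote LAN must be routed out of the outside interface,
! otherwise it never reaches the crypto map.
ip route 0.0.0.0 0.0.0.0 192.0.2.254
```

After sending traffic that matches the ACL, `show crypto isakmp sa` and `show crypto ipsec sa` show whether the security associations were built.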



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:30 GMT-3