Re: IPSec and first 5 pings timeout

From: Chuck Church (ccie8776@rochester.rr.com)
Date: Wed Feb 19 2003 - 15:55:57 GMT-3


Yes, and yes. Cryptomaps will only work with traffic coming into the router
on that interface. The router can't do crypto stuff to packets that are
already internal to the router. As far as the time delay for the tunnel to
form, it's normal, especially with 2500s. 2600s and higher are much faster.
Only takes a second or two for the tunnel to form.

Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: "Cezar Fistik" <cfistik@moldovacc.md>
To: <ccielab@groupstudy.com>
Sent: Wednesday, February 19, 2003 11:18 AM
Subject: IPSec and first 5 pings timeout

> Hi all,
>
> Yesterday I spent some time playing with IPSec although I'm not sure
> that this topic could appear on R&S lab. Anyway, here's what I noticed.
>
> 1. I couldn't make it work when the crypto map is applied to the interface
> that is on the protected network. Only when I moved the crypto maps to the
> interfaces that connect, let's say, to the rest of the network, it started
> to work. Is it normal? I used pre-shared key authentication.
>
> 2. When I tried to ping a host on the other side of the IPSec tunnel
> and if the IPSec tunnel is not established, the first 5 pings time out. I
> understand that this is due to ipsec and isakmp parameters negotiations
> and so on, but is it normal? Does it always work this way?
>
> Thank you very much
> Cezar Fistik
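
The placement discussed in this thread, as an added Cisco IOS configuration sketch that is not from either poster: the crypto map sits on the interface facing the IPSec peer, not on the protected-network interface. Interface names, addresses, the map, transform-set and ACL names, the algorithm choices and the key placeholder are all assumptions made for illustration.

```cisco
! Added example. All names, addresses and the key are constructed placeholders.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
!
crypto ipsec transform-set TS-EXAMPLE esp-aes esp-sha-hmac
!
! Traffic to protect: local protected LAN to remote protected LAN.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map CM-EXAMPLE 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-EXAMPLE
 match address 101
!
! Protected-network side: no crypto map on this interface.
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
! Interface that connects toward the peer: the crypto map is applied here.
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 crypto map CM-EXAMPLE
!
! The first packet matching access-list 101 triggers ISAKMP/IPSec negotiation,
! so the initial pings are lost until the SAs exist. To check the result:
!   show crypto isakmp sa
!   show crypto ipsec sa
```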



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:31 GMT-3