RE: IPSEC - crypto map application

From: Roth, Joshua (JRoth@spectrumccsi.com)
Date: Fri Mar 28 2003 - 02:23:00 GMT-3


You're going to place the crypto map on the interface of the segment you're
trying to encrypt (e0) and on the tunnel interface also.

-----Original Message-----
From: Jason Cash [mailto:cash2001@swbell.net]
Sent: Thursday, March 27, 2003 7:04 PM
To: ccielab@groupstudy.com
Subject: IPSEC - crypto map application

I am curious as to the placement of the 'crypto map' statement. If
there is a router with an Ethernet segment (e0) and tunnel interface
(t0) going to another router multiple hops away via S0, where should the
crypto maps be placed? Are they placed on the exiting interfaces (s0,
t0) or all the interfaces (including e0)?
 
The config I am working with lists:
 
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key thor address 172.28.1.14
!
crypto ipsec transform-set rt10 esp-des esp-sha-hmac
!
crypto map securevpn 10 ipsec-isakmp
 set peer 172.28.1.14
 set transform-set rt10
 match address 123
!
interface Tunnel0
 ip address 23.1.1.13 255.255.255.0
 no ip directed-broadcast
 tunnel source 172.27.2.13
 tunnel destination 172.28.1.14
 crypto map securevpn
!
interface Ethernet0/0
 ip address 172.27.2.13 255.255.255.240
 crypto map securevpn
 
 
but in this scenario, the E0 interface is the only exit. In the above
mentioned scenario, would ALL three interfaces need it applied? One to
encrypt the Ethernet traffic, one to send across the serial, and the
other for the tunnel?
 
 
Also, in many labs I have seen, the directions state to create a 'secure
vpn' and all the answers include:
 
crypto isakmp policy 1
 
Could you not have used Cisco encryption or some other form as well?
 
r2(config)#crypto ?
  ca           Certification authority
  cisco        Configure cisco encryption policy
  dynamic-map  Specify a dynamic crypto map template
  ipsec        Configure IPSEC policy
  isakmp       Configure ISAKMP policy
  key          Long term key operations
  map          Enter a crypto map



This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:45 GMT-3