RE: IPSEC - crypto map application

From: Tim Fletcher (tim@fletchmail.net)
Date: Fri Mar 28 2003 - 13:53:55 GMT-3


I would not put it on both because of the additional overhead. There's no
reason to encrypt it twice. My preference would be on the egress interface,
but I can't think of any reason why it couldn't be on the tunnel interface.
However, I usually don't even bother with tunnel interfaces when I'm doing
IPSEC.

-Tim Fletcher

At 03:04 PM 3/28/2003 +1000, Hunt Lee wrote:
>Hi Jason,
>
>With IPSec (together with GRE), you will need to put the crypto map
>statement on both the exit interface (e0) and on the Tunnel interface (for GRE).
>
>Also, on the ACL, only permit gre rather than ip... so in this case...
>
>access-list 101 permit gre host 172.27.2.13 host 172.28.1.14
>
>Please correct me if I'm wrong ;)
>
>Regards,
>Hunt
>
>
>-----Original Message-----
>From: Jason Cash [mailto:cash2001@swbell.net]
>Sent: Friday, 28 March 2003 1:04 PM
>To: ccielab@groupstudy.com
>Subject: IPSEC - crypto map application
>
>
>I am curious as to the placement of the 'crypto map' statement. If
>there is a router with an Ethernet segment (e0) and tunnel interface
>(t0) going to another router multiple hops away via S0, where should the
>crypto maps be placed? Are they placed on the exiting interfaces (s0,
>t0) or all the interfaces (including e0)?
>
>The config I am working with lists:
>
>crypto isakmp policy 1
> authentication pre-share
>crypto isakmp key thor address 172.28.1.14
>!
>crypto ipsec transform-set rt10 esp-des esp-sha-hmac
>!
>crypto map securevpn 10 ipsec-isakmp
> set peer 172.28.1.14
> set transform-set rt10
> match address 123
>!
>interface Tunnel0
> ip address 23.1.1.13 255.255.255.0
> no ip directed-broadcast
> tunnel source 172.27.2.13
> tunnel destination 172.28.1.14
> crypto map securevpn
>!
>interface Ethernet0/0
> ip address 172.27.2.13 255.255.255.240
> crypto map securevpn
>
>
>but in this scenario, the E0 interface is the only exit. In the above
>mentioned scenario, would ALL three interfaces need it applied? One to
>encrypt the Ethernet traffic, one to send across the serial, and the
>other for the tunnel?
>
>
>Also, in many labs I have seen, the directions state to create a 'secure
>vpn' and all the answers include:
>
>crypto isakmp policy 1
>
>could you not have used cisco encryption or some other form as well ?
>
>r2(config)#crypto ?
> ca Certification authority
> cisco Configure cisco encryption policy
> dynamic-map Specify a dynamic crypto map template
> ipsec Configure IPSEC policy
> isakmp Configure ISAKMP policy
> key Long term key operations
> map Enter a crypto map
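As an added worked example, not part of any message in this thread and not Jason's lab config: the pieces discussed above assembled into a complete GRE-over-IPsec configuration for one side (the peer is the mirror image), with the crypto ACL matching only GRE between the tunnel endpoints, as Hunt suggests, and the crypto map applied once, on the physical egress interface. On IOS releases before 12.2(13)T the crypto map also had to be applied to the Tunnel interface; from 12.2(13)T on, the physical interface alone is enough. The addresses, the ACL number 123, the map name and the `thor` key are carried over from the post; the transform-set name `aes256-sha256` and the profile name `gre-prot` are assumptions, and the phase 1 and phase 2 settings swap the post's DES/SHA-1 for AES-256/SHA-256 with DH group 14 (IOS 15.x syntax assumed). A second, shorter variant at the end shows the tunnel-protection form (crypto ipsec profile) available on later releases, where no crypto map and no crypto ACL are needed because everything that leaves the Tunnel interface is encrypted.

```text
! --- Side A: 172.27.2.13, peer 172.28.1.14 (addresses from the original post) ---
! ISAKMP (IKEv1) phase 1. The post's policy 1 inherits the IOS defaults (DES, SHA-1,
! DH group 1); DES has been breakable for years, so use AES-256 / SHA-256 / group 14.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key thor address 172.28.1.14
!
! Phase 2 transform set (name is an assumption). Transport mode is enough because
! the GRE endpoints are the IPsec peers; the default tunnel mode also works.
crypto ipsec transform-set aes256-sha256 esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: only GRE between the two tunnel endpoints. Anything broader
! (e.g. permit ip any any) would try to pull unrelated traffic leaving
! Ethernet0/0 into IPsec toward a peer that has no SA for it.
access-list 123 permit gre host 172.27.2.13 host 172.28.1.14
!
crypto map securevpn 10 ipsec-isakmp
 set peer 172.28.1.14
 set transform-set aes256-sha256
 match address 123
!
! No crypto map on the tunnel: from 12.2(13)T the physical interface is enough.
! On earlier releases add "crypto map securevpn" under Tunnel0 as well.
interface Tunnel0
 ip address 23.1.1.13 255.255.255.0
 tunnel source 172.27.2.13
 tunnel destination 172.28.1.14
!
! The physical exit interface is the one place the map must be applied.
interface Ethernet0/0
 ip address 172.27.2.13 255.255.255.240
 crypto map securevpn
!
! Verification after bringing traffic across the tunnel:
!   show crypto isakmp sa   - one SA to 172.28.1.14 in state QM_IDLE
!   show crypto ipsec sa    - encaps/decaps counters rising for the GRE identity
!   show crypto map         - confirms the map is bound to Ethernet0/0 only
!
! --- Alternative on later IOS: tunnel protection, no crypto map, no crypto ACL ---
! Same ISAKMP policy, key and transform set as above; the map and ACL 123 go away.
crypto ipsec profile gre-prot
 set transform-set aes256-sha256
!
interface Tunnel0
 ip address 23.1.1.13 255.255.255.0
 tunnel source 172.27.2.13
 tunnel destination 172.28.1.14
 tunnel protection ipsec profile gre-prot
```

With the crypto-map form, the only interface that needs the map is the one the GRE packets actually exit through (Ethernet0/0 in Jason's topology, since it is the only exit); a serial hop somewhere in the path between the two routers is not involved. The tunnel-protection form removes the placement question entirely and is the usual choice on any release that supports it.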



This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:46 GMT-3