RE: using both ESP and AH for IPSEC VPN between two routers

From: Murali Sethuraman (murali68@emirates.net.ae)
Date: Sat Apr 17 2004 - 14:48:10 GMT-3


Hi,

I understand this has to do with the positioning of the AH & ESP headers
immediately following the IPv4 header; whichever protocol is referred to in
the IPv4 header will result in the matching ACL allowing the traffic.

Best Regards,
Murali Sethuraman

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
kalis thomas
Sent: Saturday, April 17, 2004 4:10 AM
To: security@groupstudy.com
Subject: re: using both ESP and AH for IPSEC VPN between two routers

Hello. I have the following IPSEC configuration between two 2500 routers
running 12.1(3)T, whereby within my IPSEC transform-set I am defining
the use of both AH and ESP. Everything is working fine and the
respective tunnel comes up; however, I am concerned about one issue:

a. Why am I not seeing any matches on the access-list line for ESP?
[Note: I tried with GRE and it yielded the same result, as expected of course.]
***Point of note: if I change the transform-set to the following, 'crypto
ipsec transform-set MYSET esp-des esp-sha-hmac', then I receive ESP
matches against the ACL (note: those matches are not shown below), but I
would think I should also see matches in the configuration provided below.
 
Thanks in advance,
TJ
 
Respective configs and show commands included below.
 
R1#sh run
Building configuration...
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
!
!
!
!
!
ip subnet-zero
ip telnet source-interface Ethernet0
no ip domain-lookup
ip domain-name cisco.com
ip host R2.cisco.com 40.2.2.2
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
crypto isakmp policy 10
 authentication rsa-encr
 group 2
!
!
crypto ipsec transform-set MYSET ah-sha-hmac esp-des esp-sha-hmac
!
crypto key pubkey-chain rsa
 addressed-key 40.2.2.2
  address 40.2.2.2
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DCCCBF 87F28A2F
   1A1DD99E 44364622 9B476661 D1C18696 896E7774 DB67E611 D09D6981 C384C5D7
   9B052354 9A35496A A7EB38BB C3458A79 A39CF10B B6528F6C 6B020301 0001
  quit
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 40.2.2.2
 set transform-set MYSET
 match address 112
!
!
!
!
interface Loopback0
 ip address 10.11.11.1 255.255.255.0
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 no keepalive
!
interface Serial0
 ip address 40.1.1.1 255.255.255.0
 ip access-group 199 in
 no fair-queue
 clockrate 64000
 crypto map MYMAP
!
interface Serial1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
ip route 10.2.2.0 255.255.255.0 40.1.1.3
ip route 40.2.2.0 255.255.255.0 40.1.1.3
no ip http server
!
access-list 102 permit gre host 40.1.1.1 host 40.2.2.2
access-list 102 permit gre host 40.2.2.2 host 40.1.1.1
access-list 112 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 198 permit ahp any any
access-list 199 permit gre host 40.2.2.2 host 40.1.1.1
access-list 199 permit udp host 40.2.2.2 eq isakmp host 40.1.1.1 eq isakmp
access-list 199 permit esp host 40.2.2.2 host 40.1.1.1
access-list 199 permit ahp host 40.2.2.2 host 40.1.1.1
access-list 199 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 199 deny ip any any log
!
line con 0
 transport input none
line aux 0
line vty 0 4
 privilege level 15
 no login
!
end
R1#sh crypto engine conn active
  ID Interface  IP-Address  State  Algorithm           Encrypt  Decrypt
  12 <none>     <none>      set    HMAC_SHA+DES_56_CB        0        0
2000 Serial0    40.1.1.1    set    HMAC_SHA                  0       27
2001 Serial0    40.1.1.1    set    HMAC_SHA                 27        0
2002 Serial0    40.1.1.1    set    HMAC_SHA+DES_56_CB        0       27
2003 Serial0    40.1.1.1    set    HMAC_SHA+DES_56_CB       27        0

R1#sh access-list 199
Extended IP access list 199
    permit gre host 40.2.2.2 host 40.1.1.1
    permit udp host 40.2.2.2 eq isakmp host 40.1.1.1 eq isakmp (10 matches)
    permit esp host 40.2.2.2 host 40.1.1.1
    permit ahp host 40.2.2.2 host 40.1.1.1 (27 matches)
    permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 (54 matches)
    deny ip any any log
 
R1#sh crypto ipsec trans
Transform set MYSET: { ah-md5-hmac }
   will negotiate = { Tunnel, },
   { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },

R1#10.2.2.2
Trying 10.2.2.2 ... Open
R2#term len 0
R2#sh run
Building configuration...
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
!
!
!
!
!
ip subnet-zero
ip cef
no ip domain-lookup
ip domain-name cisco.com
ip host R1.cisco.com 40.1.1.1
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
crypto isakmp policy 10
 authentication rsa-encr
 group 2
!
!
crypto ipsec transform-set MYSET ah-sha-hmac esp-des esp-sha-hmac
!
crypto key pubkey-chain rsa
 addressed-key 40.1.1.1
  address 40.1.1.1
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 0099ED41 BA42CD47
   2CB47D67 B7139256 34ABFFAD 32657E56 0D13232C 8D9B5FF0 AD218A2B 2FDBCEF8
   87CCAAF6 D5A2CEB1 FD8527C0 6A71AA42 BA65B48C 9BB50D52 31020301 0001
  quit
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 40.1.1.1
 set transform-set MYSET
 match address 112
!
!
!
!
interface Loopback0
 ip address 10.22.22.2 255.255.255.0
!
interface Ethernet0
 ip address 10.2.2.2 255.255.255.0
 no keepalive
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 ip address 40.2.2.2 255.255.255.0
 ip verify unicast reverse-path
 clockrate 64000
 crypto map MYMAP
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
ip route 10.1.1.0 255.255.255.0 40.2.2.3
ip route 40.1.1.0 255.255.255.0 40.2.2.3
no ip http server
!
access-list 102 permit gre host 40.2.2.2 host 40.1.1.1
access-list 112 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
line con 0
 transport input none
line aux 0
line vty 0 4
 privilege level 15
 no login
!
end
R2#
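
As an added illustration of Murali's point (example code written for this page, not from either poster or from Cisco IOS): the inbound ACL on Serial0 classifies a packet by the Protocol field of the outermost IPv4 header, so with AH and ESP in the same transform set the packet arrives as protocol 51 (AH) with ESP nested inside it, and only the 'permit ahp' line can ever count it. The script constructs its own packets and uses a simplified first-match evaluator of R1's ACL 199 (protocol plus host/subnet only; the isakmp port qualifiers are ignored).

```python
import ipaddress
import struct

# IOS ACL keyword -> IP protocol number (only the keywords ACL 199 uses)
PROTO = {"gre": 47, "udp": 17, "esp": 50, "ahp": 51}

# R1's access-list 199 as (keyword, source, destination); 'ip' matches any protocol.
ACL_199 = [
    ("gre", "40.2.2.2/32", "40.1.1.1/32"),
    ("udp", "40.2.2.2/32", "40.1.1.1/32"),
    ("esp", "40.2.2.2/32", "40.1.1.1/32"),
    ("ahp", "40.2.2.2/32", "40.1.1.1/32"),
    ("ip", "10.2.2.0/24", "10.1.1.0/24"),
]

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header + payload (checksum zeroed; constructed, not captured)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

def ah(next_proto, payload):
    """AH (RFC 4302): next header, length (6 words - 2 = 4), reserved, SPI, seq, 12-byte ICV."""
    return struct.pack("!BBHII", next_proto, 4, 0, 0x100, 1) + b"\x00" * 12 + payload

def esp(payload):
    """ESP (RFC 4303): SPI + sequence number, then the (here unencrypted) payload."""
    return struct.pack("!II", 0x200, 1) + payload

def acl_line_hit(packet, acl=ACL_199):
    """Index of the first ACL line that matches, or None for the implicit deny.
    Like the router, look only at the outermost IPv4 header: Protocol is byte 9,
    source and destination addresses are bytes 12-15 and 16-19."""
    proto = packet[9]
    src, dst = ipaddress.ip_address(packet[12:16]), ipaddress.ip_address(packet[16:20])
    for i, (kw, s, d) in enumerate(acl):
        if kw != "ip" and PROTO[kw] != proto:
            continue
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return i
    return None

inner = ipv4("10.2.2.2", "10.1.1.1", 6, b"")  # tunnel-mode inner packet (constructed)
# MYSET as configured (ah-sha-hmac esp-des esp-sha-hmac): AH wraps ESP, outer Protocol = 51.
ah_plus_esp = ipv4("40.2.2.2", "40.1.1.1", PROTO["ahp"], ah(PROTO["esp"], esp(inner)))
# MYSET with only esp-des esp-sha-hmac: ESP is outermost, outer Protocol = 50.
esp_only = ipv4("40.2.2.2", "40.1.1.1", PROTO["esp"], esp(inner))

if __name__ == "__main__":
    print(acl_line_hit(ah_plus_esp), acl_line_hit(esp_only), acl_line_hit(inner))
```

The decapsulated inner packet matches the 'permit ip 10.2.2.0 ... 10.1.1.0' line, which is where the cleartext traffic is counted after the router has verified AH and decrypted ESP.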
 

                



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:49 GMT-3