IPSec Dynamic---Configs

From: Jack Heney (jheneyccie@xxxxxxxxxxx)
Date: Tue Nov 07 2000 - 02:01:35 GMT-3


Okay...Here goes:

--Host1----R1----Frame_Cloud----R6----Host6--
10.1.1.1              |              10.6.1.1
                      |
                      |
                      R3
                      |
                      |
                    Host3
                   10.3.1.1

I set up pre-shared keys between (R1 and R3) and (R1 and R6)...I based the
keys on address, but since this (dynamic map) is typically used when you
have hosts that don't have static ip addresses, you would probably set it up
with the keys shared based on hostname. Traffic from Host6 or Host3 to
Host1 will be encrypted. Note that on R1, "crypto map jack 10" is used to
configure a static IPSec peer relationship between R1 and R3. "Crypto map
jack 20" references the dynamic map jack-dyn, which has no match address or
set peer statement, and it will be used to establish a dynamic relationship
between R6 and R1. Both R3 and R6 are configured with R1 as a static IPSec
peer, because the dynamic map won't work unless at least one side initiates
the encryption. Also note that the connection between Host1 and Host6 will
not work until traffic is generated by Host6 to Host1. R1 is not configured to
encrypt this traffic, but R6 is expecting encryption. Thus, R6 must
initiate the first conversation.

R1 is configured as follows:

crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.3.2.254
crypto isakmp key cisco address 10.6.2.254
!
crypto ipsec transform-set jack esp-des esp-md5-hmac
!
crypto dynamic-map jack-dyn 10
set transform-set jack
!
crypto map jack 10 ipsec-isakmp
set peer 10.3.2.254
set transform-set jack
match address 100
crypto map jack 20 ipsec-isakmp dynamic jack-dyn
!
interface Serial0/0
ip address 10.1.2.254 255.255.255.0
encapsulation frame-relay
no ip directed-broadcast
crypto map jack
!
interface TokenRing0/0
ip address 10.1.1.254 255.255.255.0
no ip directed-broadcast
ring-speed 16
!
router rip
version 2
network 10.0.0.0
!
access-list 100 permit ip host 10.1.1.1 host 10.3.1.1

R3 looks like this:

crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.1.2.254
!
crypto ipsec transform-set jack esp-des esp-md5-hmac
!
crypto map jack 10 ipsec-isakmp
set peer 10.1.2.254
set transform-set jack
match address 100
!
interface Serial0/0
ip address 10.3.2.254 255.255.255.0
encapsulation frame-relay
no ip directed-broadcast
crypto map jack
!
interface TokenRing0/0
ip address 10.3.1.254 255.255.255.0
no ip directed-broadcast
ring-speed 16
!
router rip
version 2
network 10.0.0.0
!
access-list 100 permit ip host 10.3.1.1 host 10.1.1.1

R6 looks like this:

crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.1.2.254
!
crypto ipsec transform-set jack esp-des esp-md5-hmac
!
crypto map jack 10 ipsec-isakmp
set peer 10.1.2.254
set transform-set jack
match address 100
!
interface Serial0/0
ip address 10.6.2.254 255.255.255.0
encapsulation frame-relay
no ip directed-broadcast
crypto map jack
!
interface TokenRing0/0
ip address 10.6.1.254 255.255.255.0
no ip directed-broadcast
ring-speed 16
!
router rip
version 2
network 10.0.0.0
!
access-list 100 permit ip host 10.6.1.1 host 10.1.1.1

I hope you find this helpful (I did....Thanks for posting the question)
Jack

>From: "Tony Olzak" <aolzak@buckeye-express.com>
>Reply-To: "Tony Olzak" <aolzak@buckeye-express.com>
>To: <ccielab@groupstudy.com>
>Subject: IPSec Dynamic
>Date: Mon, 6 Nov 2000 21:38:47 -0500
>
>Does anyone have a sample config for IPSec with dynamic maps?
>
>
>Tony
>
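
An added consistency check for the three configs above (example code written for this page, not Jack's and not a Cisco tool). It parses the crypto-relevant lines, embedded as constructed input copied from the post, and verifies what the design relies on: each static peer's pre-shared key is mirrored on the far router, the transform sets agree, the crypto ACLs of a static-to-static pair are mirror images, and, where the far end only has a dynamic map, it reports which side must originate the first packet (R6 here, as the post notes). It also flags the DES and MD5 transforms as weak, a check the post does not make. The parse() and audit() functions and the CONFIGS and WEAK tables are this example's own names.

```python
# Added example (not from the post): audit the crypto lines of R1, R3 and R6. CONFIGS is
# constructed from the post's configs; WEAK is a defender's extra check the post does not make.
WEAK = {"esp-des", "esp-md5-hmac"}

CONFIGS = {
    "R1": """crypto isakmp key cisco address 10.3.2.254
crypto isakmp key cisco address 10.6.2.254
crypto ipsec transform-set jack esp-des esp-md5-hmac
crypto dynamic-map jack-dyn 10
 set transform-set jack
crypto map jack 10 ipsec-isakmp
 set peer 10.3.2.254
 set transform-set jack
 match address 100
crypto map jack 20 ipsec-isakmp dynamic jack-dyn
interface Serial0/0
 ip address 10.1.2.254 255.255.255.0
access-list 100 permit ip host 10.1.1.1 host 10.3.1.1""",
    "R3": """crypto isakmp key cisco address 10.1.2.254
crypto ipsec transform-set jack esp-des esp-md5-hmac
crypto map jack 10 ipsec-isakmp
 set peer 10.1.2.254
 set transform-set jack
 match address 100
interface Serial0/0
 ip address 10.3.2.254 255.255.255.0
access-list 100 permit ip host 10.3.1.1 host 10.1.1.1""",
    "R6": """crypto isakmp key cisco address 10.1.2.254
crypto ipsec transform-set jack esp-des esp-md5-hmac
crypto map jack 10 ipsec-isakmp
 set peer 10.1.2.254
 set transform-set jack
 match address 100
interface Serial0/0
 ip address 10.6.2.254 255.255.255.0
access-list 100 permit ip host 10.6.1.1 host 10.1.1.1""",
}


def parse(cfg):
    """Collect isakmp keys, transform sets, crypto-map entries, addresses and ACLs from IOS text."""
    r = {"keys": {}, "ts": {}, "entries": [], "addrs": [], "acl": {}}
    ctx = None                                            # crypto-map entry receiving set/match lines
    for w in filter(None, map(str.split, cfg.splitlines())):
        if w[:3] == ["crypto", "isakmp", "key"]:
            r["keys"][w[5]] = w[3]                        # peer address -> shared secret
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            r["ts"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "dynamic-map"]:
            r["entries"].append(ctx := {"kind": "template", "map": w[2]})
        elif w[:2] == ["crypto", "map"] and len(w) > 3:   # an entry, not an interface binding
            r["entries"].append(ctx := {"kind": "dynamic" if "dynamic" in w else "static",
                                        "map": w[2], "template": w[-1]})
        elif w[:2] == ["ip", "address"]:
            r["addrs"].append(w[2])
        elif w[0] == "access-list":                       # access-list N permit ip host A host B
            r["acl"].setdefault(w[1], set()).add((w[5], w[7]))
        elif ctx is not None and w[0] in ("set", "match"):
            ctx[w[1]] = w[2]                              # peer / transform-set / address
    return r


def audit(configs):
    """Return (problems, initiators); initiators maps (local, remote) to who must send the first packet."""
    routers, problems, initiators = {n: parse(c) for n, c in configs.items()}, [], {}
    owner = lambda a: next((n for n, x in routers.items() if a in x["addrs"]), None)
    for name, r in routers.items():
        problems += [f"{name}: transform-set {t} uses weak algorithms {sorted(set(a) & WEAK)}"
                     for t, a in r["ts"].items() if set(a) & WEAK]
        for e in (x for x in r["entries"] if x["kind"] == "static"):
            peer, far = e.get("peer"), owner(e.get("peer"))
            if peer not in r["keys"] or far is None:
                problems.append(f"{name}: no isakmp key or no known router for peer {peer}")
                continue
            fr = routers[far]
            if not any(fr["keys"].get(a) == r["keys"][peer] for a in r["addrs"]):
                problems.append(f"{name}->{far}: pre-shared key for {peer} is not mirrored on {far}")
            back = [x for x in fr["entries"] if x["kind"] == "static" and x.get("peer") in r["addrs"]]
            dyn = [t for t in fr["entries"] if t["kind"] == "template"
                   and any(d["kind"] == "dynamic" and d["template"] == t["map"] for d in fr["entries"])]
            if back:                                      # static at both ends: crypto ACLs must mirror
                mine = r["acl"].get(e.get("address"), set())
                if {(d, s) for s, d in mine} != fr["acl"].get(back[0].get("address"), set()):
                    problems.append(f"{name}<->{far}: crypto ACLs are not mirror images")
            elif not dyn:
                problems.append(f"{name}->{far}: {far} has no static or dynamic map for us")
                continue
            far_e = back[0] if back else dyn[0]          # far end's matching entry (or dynamic template)
            initiators[(name, far)] = "either" if back else name
            if fr["ts"].get(far_e.get("transform-set")) != r["ts"].get(e.get("transform-set")):
                problems.append(f"{name}<->{far}: transform sets differ")
    return problems, initiators


if __name__ == "__main__":
    found, who_starts = audit(CONFIGS)
    print(*found, *[f"{a}->{b}: first packet must come from {w}" for (a, b), w in who_starts.items()], sep="\n")
```

Running the file prints the three weak-algorithm findings plus the initiator table (R1 and R3 may start in either direction; R6 must start toward R1). Feeding it a copy of the configs with R6's key mistyped reports that the key is not mirrored on R1, the kind of mismatch this audit is meant to catch before it appears as a failed IKE negotiation.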



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:42 GMT-3