RE: Question about IPSEC and Tunnels

From: Connary, Julie Ann (jconnary@xxxxxxxxx)
Date: Mon Jan 22 2001 - 12:42:37 GMT-3


Don't forget the key exchange, either manual or via ISAKMP.

Julie Ann

At 09:45 AM 1/22/2001 -0500, Rob Webber wrote:
>Here is what I have successfully done to run an IPSec connection through a
>tunnel:
>
>For running IPSec through a tunnel, first define the tunnel between the two
>physical interfaces on each router. Once the tunnel is working, define the
>IPSec peers between loopback interfaces. To do this you will need the crypto
>map mymap local-address loopback 0 command (to set the peer's local IPSec
>peer address).
>
>You will need some routing so that each router knows of the other's loopback
>address: static routing, a routing protocol through the tunnel, etc.
>
>Enable the crypto map on both the physical interface and the tunnel
>interface.
>
>Best Regards, Rob.
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Stanford Wong - CNS
>Sent: Monday, January 22, 2001 4:43 AM
>To: Ccielab
>Subject: Question about IPSEC and Tunnels
>
>
>I have a question regarding IPSEC.
>
>Besides using a packet sniffer, how could you tell that your packets are
>indeed being encrypted? I have looked at the Cisco CD under this link -
>
>http://127.0.0.1:8080/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141717
>
>but the commands listed only show you how to see if your configurations
>have been accepted.
>
>What I have been doing is setting up a tunnel between two routers. When you
>apply the crypto map to the interface, do you apply it to the Tunnel
>interface or to the Physical interface? My feeling is to apply it to the
>tunnel interface, but what IP do you set the peer address to? The distant
>tunnel IP or the physical interface? Getting late and I think I am
>confusing the hell out of myself.
>
>attached are the two router configs......
>
>==================================================================
>rd#sho running-config
>
>crypto ipsec transform-set ccie esp-des esp-md5-hmac
>!
>crypto map test-ccie 10 ipsec-isakmp
> set peer 100.0.0.1
> set transform-set ccie
> match address 100
>!
>interface Loopback10
> ip address 10.4.4.1 255.255.255.0
>!
>interface Loopback20
> ip address 10.5.5.1 255.255.255.0
>!
>interface Tunnel0
> ip address 10.3.3.2 255.255.255.0
> tunnel source FastEthernet0
> tunnel destination 100.0.0.1
>
>interface FastEthernet0
> ip address 100.0.0.2 255.255.255.0
> speed auto
> crypto map test-ccie
>!
>router ospf 1
> log-adjacency-changes
> area 4 range 10.4.0.0 255.255.0.0
> area 5 range 10.5.5.0 255.255.255.0
> network 10.3.3.2 0.0.0.0 area 0
> network 10.4.4.1 0.0.0.0 area 4
> network 10.5.5.1 0.0.0.0 area 5
>!
>access-list 100 permit ip host 10.4.4.1 host 10.1.1.1
>=======================================================
>rc#sho running-config
>
>crypto ipsec transform-set ccie esp-des esp-md5-hmac
>!
>!
>crypto map test-ccie 10 ipsec-isakmp
> set peer 100.0.0.2
> set transform-set ccie
> match address 100
>cns event-service server
>!
>interface Loopback10
> ip address 10.1.1.1 255.255.255.0
> no ip directed-broadcast
>!
>interface Loopback20
> ip address 10.2.2.1 255.255.255.0
> no ip directed-broadcast
>!
>interface Tunnel1
> ip address 10.3.3.1 255.255.255.0
> no ip directed-broadcast
> tunnel source FastEthernet0
> tunnel destination 100.0.0.2
>!
>interface FastEthernet0
> ip address 100.0.0.1 255.255.255.0
> no ip directed-broadcast
> full-duplex
> crypto map test-ccie
>!
>router ospf 1
> network 10.1.1.1 0.0.0.0 area 1
> network 10.2.2.1 0.0.0.0 area 2
> network 10.3.3.1 0.0.0.0 area 0
>!
>access-list 100 permit ip host 10.1.1.1 host 10.4.4.1
>=====================================================
>
>Any constructive comments/enlightenment will be greatly appreciated....
>
>Stanford
>

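The procedure Rob describes, applied to Stanford's router rd as an added illustration (not a config from the thread): the IPsec peers become loopbacks, the crypto map is applied on both Tunnel0 and FastEthernet0, and the ISAKMP key exchange Julie Ann mentions is included. The Loopback30 addresses (10.9.9.x), the ISAKMP policy and the pre-shared key are assumed placeholder values; router rc would need the mirror-image config.

```cisco
! Router rd, IPsec run through the GRE tunnel (added example, values assumed).
! Key exchange: ISAKMP with a pre-shared key (placeholder, same on both ends).
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key PLACEHOLDER-KEY address 10.9.9.1
!
crypto ipsec transform-set ccie esp-des esp-md5-hmac
!
! IPsec peers are the loopbacks, not the physical addresses, so the SA
! stays tied to stable addresses reachable only through the tunnel.
crypto map test-ccie local-address Loopback30
crypto map test-ccie 10 ipsec-isakmp
 set peer 10.9.9.1
 set transform-set ccie
 match address 100
!
interface Loopback30
 description IPsec peer address (assumed, /32)
 ip address 10.9.9.2 255.255.255.255
!
interface Tunnel0
 ip address 10.3.3.2 255.255.255.0
 tunnel source FastEthernet0
 tunnel destination 100.0.0.1
 crypto map test-ccie
!
interface FastEthernet0
 ip address 100.0.0.2 255.255.255.0
 speed auto
 crypto map test-ccie
!
! Each router must know a route to the other's loopback via the tunnel.
ip route 10.9.9.1 255.255.255.255 Tunnel0
!
! Interesting traffic: loopback-to-loopback, mirrored as ACL 100 on rc.
access-list 100 permit ip host 10.4.4.1 host 10.1.1.1
```

To confirm traffic is actually protected without a sniffer, watch the "pkts encrypt" / "pkts decrypt" counters in show crypto ipsec sa rise while pinging 10.1.1.1 from 10.4.4.1, and check show crypto isakmp sa for an active ISAKMP SA between the two loopbacks.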


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:39 GMT-3