From: Ahmed Mamoor Amimi (mamoor@xxxxxxxx)
Date: Sun May 12 2002 - 05:36:07 GMT-3
I also use the first method whenever doing the crypto over the tunnel.
local-address should be of the physical interface on both sides and the maps
should be on the tunnel and the physical interface.
If u do a debug it will show that the source and destination are of the
tunnel interface then after that debug they will go through the physical
interface. It is like the IOS parses and finds the physical interface to fwd
the actual packets. So u should give the map to both the phy and the tunnel.
-Mamoor
----- Original Message -----
From: ying chang <ying_c@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Sunday, May 12, 2002 7:58 AM
Subject: ipsec tunnel
> I saw two different ways to encrypt ipsec tunnel, one way is to have the
> local-address point to the physical interface, and put the crypto map in
> both the physical and tunnel interfaces; the second way is to have the
> local-address point to the tunnel interface, and have the crypto map put in
> the tunnel interface but NOT in the physical interface.
>
> Data will be encrypted with either method, but does anyone know which way is
> the correct method as far as encrypting the tunnel is concerned? CCO uses the first
> method, but the second one will let you see tunnel is encrypted with "show
> cry eng conn act" command.
>
> Thanks,
> Chang
>
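The first method discussed in this thread (local-address on the physical interface, crypto map applied to both the physical and the tunnel interface), written out as an added configuration example that is not part of the original messages. The interface names, addresses, pre-shared key, map name, transform set and ACL number are all constructed placeholders, and only one side is shown; the peer mirrors it.

```cisco
! Constructed values: local 192.0.2.1, peer 192.0.2.2, key EXAMPLE-KEY
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-KEY address 192.0.2.2
!
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
!
! IKE/IPsec identity is sourced from the physical interface
crypto map GRE-MAP local-address Serial0/0
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GRE-TS
 match address 101
!
! The ACL matches the GRE packets between the two tunnel endpoints
access-list 101 permit gre host 192.0.2.1 host 192.0.2.2
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map GRE-MAP
!
! Same map on the tunnel interface, as described in the reply above
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.2
 crypto map GRE-MAP
!
! Checks after sending traffic across Tunnel0:
!   show crypto ipsec sa
!   show crypto engine connections active
```

In `show crypto ipsec sa`, the encaps/decaps counters for the 192.0.2.1 to 192.0.2.2 GRE flow should increase while traffic crosses the tunnel; counters that stay at zero mean the GRE packets are leaving unencrypted.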
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:55 GMT-3