Re-posted in case anyone is bored over the weekend. Unfortunately I won't
be. I've not found the definitive answer yet and it's looking like it may be
mid next week before I get chance to try it in lab.
Hopefully it's understandable. If it's not, please ignore - oh, you did.

Cheers,

Gaz



Hi all,

Could anybody provide info on the following scenario:
I was on a customer site which has IPSEC 3DES between two sites. On each
site, there is also a private network (a class C subnet) which uses IPSEC
DES56 to encrypt between these subnets.
This has evolved from CET to IPSEC recently.

Any traffic from these two subnets has always been denied from the access
list which controls the 3DES encryption, to avoid this traffic being double
encrypted.

After changing the addressing of the routers which are performing the DES56
encryption, I was just about to change the 3DES access list to deny the new
IP addresses, when the customer mentioned that the private networks were
talking to each other again. 'show crypto eng conn active' showed that the
DES56 encryption was back up.

I was under the impression, probably more from hearsay than research, that
traffic should not be double encrypted, particularly with 3DES.

So my first question is:

Is there any truth in this fact, or was there previously a problem with
double encrypting CET?

My second question concerns the routing.

At the point I mentioned before, where the customer said his connectivity
was restored, I had not issued the ospf network command for the new
addresses, so none of the intermediate routers knew how to get to the
private subnets (I checked routing tables).

Once the traffic is encrypted, does it then only use the peer address as the
destination, or is the private address still used (somehow)?

If it uses the peer address then that probably answers my first question as
well, as the peer addresses were not denied in the 3DES access list
previously.

I will play with this in the lab with a sniffer when I get back to the
office, but would like to hear of general rules for encryption from the
study group if possible.


Thanks,

Gareth
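An added model of the scenario in the post (not part of Gareth's message or of any Cisco configuration): the subnets, peer addresses and ACL entries are constructed, and the model assumes tunnel-mode IPsec, where the outer IP header carries only the two SA peer addresses, so the 3DES router's crypto ACL is matched against the DES56 peer addresses rather than the private subnets. It shows why a deny on the private subnets no longer prevents double encryption, while a deny on the DES56 peer addresses does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    inner: "Packet | None" = None   # encapsulated payload, if any

@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" (encrypt) or "deny" (bypass this crypto map)
    src_net: str
    dst_net: str

def acl_matches(acl, pkt):
    """First-match crypto ACL: True means 'this crypto map encrypts the packet'."""
    for e in acl:
        if (ip_address(pkt.src) in ip_network(e.src_net)
                and ip_address(pkt.dst) in ip_network(e.dst_net)):
            return e.action == "permit"
    return False   # implicit deny at the end: packet leaves in the clear

def tunnel_encapsulate(pkt, local_peer, remote_peer, cipher):
    """Tunnel-mode ESP: the new outer header carries only the two SA peer addresses."""
    return Packet(local_peer, remote_peer, f"esp/{cipher}", inner=pkt)

# Constructed addresses: private class C subnets, DES56 routers, 3DES site edges.
PRIV_A, PRIV_B = "192.168.10.0/24", "192.168.20.0/24"
DES_PEER_A, DES_PEER_B = "10.1.1.1", "10.2.2.2"
TDES_PEER_A, TDES_PEER_B = "203.0.113.1", "198.51.100.1"
DES_ACL = [AclEntry("permit", PRIV_A, PRIV_B)]
ANY = "0.0.0.0/0"

def send_site_to_site(tdes_acl, original):
    """Hop 1: DES56 router inside the site; hop 2: 3DES router at the site edge."""
    layers, pkt = [], original
    if acl_matches(DES_ACL, pkt):
        pkt = tunnel_encapsulate(pkt, DES_PEER_A, DES_PEER_B, "des56")
        layers.append(pkt.proto)
    if acl_matches(tdes_acl, pkt):        # matched against the outer header only
        pkt = tunnel_encapsulate(pkt, TDES_PEER_A, TDES_PEER_B, "3des")
        layers.append(pkt.proto)
    return layers
# Denying the private subnets no longer helps: the 3DES router never sees them.
OLD_ACL = [AclEntry("deny", PRIV_A, PRIV_B), AclEntry("permit", ANY, ANY)]
# Denying the DES56 peer addresses is what keeps the inner tunnel single-encrypted.
NEW_ACL = [AclEntry("deny", DES_PEER_A + "/32", DES_PEER_B + "/32"), AclEntry("permit", ANY, ANY)]
```

Returned layers list the ciphers wrapped around the original packet, innermost first; the old-style ACL yields both DES56 and 3DES, the peer-address deny yields DES56 only.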



_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]