I'd like to thank Anne Magnuson for the most informative reply to my re-post
so far (copied below). At least I know there's someone out there. Sob sob.


"I will be out of the office Monday, January 15 - Friday, January 19.

Contact the Help Desk at x1111 with any urgent matters."


Signed,

Billy no mates, UK   :-)



"Gareth Hinton" <[EMAIL PROTECTED]> wrote in message
news:93o8l1$cgg$[EMAIL PROTECTED]...
> Re-posted in case anyone is bored over the weekend. Unfortunately I won't
> be. I've not found the definitive answer yet and it's looking like it may
> be mid next week before I get chance to try it in lab.
> Hopefully it's understandable. If it's not please ignore - oh you did.
>
> Cheers,
>
> Gaz
>
>
>
> Hi all,
>
> Could anybody provide info on the following scenario:
> I was on a customer site which has IPSEC 3DES between two sites. On each
> site, there is also a private network (a class C subnet) which uses IPSEC
> DES56 to encrypt between these subnets.
> This has evolved from CET to IPSEC recently.
>
> Any traffic from these two subnets has always been denied from the access
> list which controls the 3 DES encryption, to avoid this traffic being
> double encrypted.
>
> After changing the addressing of the routers which are performing the
> DES56 encryption, I was just about to change the 3DES access list to deny
> the new IP addresses, when the customer mentioned that the private networks
> were talking to each other again. Show crypto eng conn active showed that
> the DES56 encryption was back up.
>
> I was under the impression, probably more from hearsay than research, that
> traffic should not be double encrypted, particularly with 3DES.
>
> So my first question is:
>
> Is there any truth in this fact, or was there previously a problem with
> double encrypting CET?
>
> My second question concerns the routing.
>
> At the point I mentioned before, where the customer said his connectivity
> was restored, I had not issued the ospf network command for the new
> addresses, so none of the intermediate routers knew how to get to the
> private subnets (I checked routing tables).
>
> Once the traffic is encrypted does it then only use the peer address as
> the destination, or is the private address still used (somehow)?
>
> If it uses the peer address then that probably answers my first question
> as well, as the peer addresses were not denied in the 3DES access list
> previously.
>
> I will play with this in the lab with a sniffer when I get back to the
> office, but would like to hear of general rules for encryption from the
> study group if possible.
>
>
> Thanks,
>
> Gareth
>
>
>
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>

