I had two tunnels on 3 routers up and working solidly over serial interfaces
in a hub-and-spoke topology - my initial configuration was IPSec tunnels
point-to-point with a PIX firewall, which were solid. I changed the
configuration later to go router-to-router (2621's) over GRE tunnels so
routing protocols could be passed, and again the configuration was solid.
The biggest problem I had with the IPSec over GRE was the MTU decreasing to
1470, which caused a problem with an application that set the Don't Fragment
bit in the IP header.
The version of code I used was a General Distribution release of 12.1 and
not a special train of IOS. I took the configurations almost directly from
the Cisco TAC sample configurations which used the pre-shared keys for IKE
until I learned and understood IPSec.
One of the challenges in the beginning was getting the tunnels to
renegotiate properly after the session timed out. They would hang after the
SA dropped. I believe the change that I made in the configuration was to
increase the tunnel life by changing the SA timeout, but I don't remember
exactly what I set it to, probably something like 8 hours. Rebooting the
routers was never required as a solution to the problem, but clearing crypto
ipsec sa and crypto ipsec isakmp were definitely commands that were in the
history buffer for a while.
-e-
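The MTU and Don't Fragment problem described above, as an added illustration (not code from the original post or from Cisco): each layer of encapsulation shrinks the payload that still fits in a 1500-byte link MTU, and a DF-marked packet that no longer fits cannot be fragmented by the router. The ESP overhead figures (3DES with an 8-byte IV and 8-byte block, a 12-byte truncated HMAC ICV, GRE with no key or sequence) are assumptions chosen to match a typical 12.x-era configuration, not values taken from the thread.

```python
# Constructed model of GRE-then-ESP encapsulation and of the router's
# decision for oversized packets. Overhead constants are assumptions.
OUTER_IP = 20     # IPv4 header without options
GRE_HDR = 4       # GRE header with no key, checksum or sequence number
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 8        # assumed 3DES-CBC IV
ESP_BLOCK = 8     # assumed 3DES block: payload + pad + trailer is block-aligned
ESP_TRAILER = 2   # pad length + next header
ESP_ICV = 12      # assumed HMAC-MD5-96 / HMAC-SHA1-96 truncated ICV


def esp_padding(plaintext_len: int) -> int:
    """Bytes of padding ESP adds so plaintext + pad + trailer is block-aligned."""
    return (-(plaintext_len + ESP_TRAILER)) % ESP_BLOCK


def encapsulated_size(inner_len: int, ipsec_mode: str = "tunnel") -> int:
    """Wire size of an inner IP packet carried over GRE and then protected by ESP.

    tunnel mode:    ESP wraps the whole GRE/IP packet and adds a new outer IP header.
    transport mode: ESP protects only the GRE header + inner packet and reuses the
                    GRE delivery header, saving one IP header per packet.
    """
    if ipsec_mode == "tunnel":
        protected = OUTER_IP + GRE_HDR + inner_len
    elif ipsec_mode == "transport":
        protected = GRE_HDR + inner_len
    else:
        raise ValueError(f"unknown IPsec mode: {ipsec_mode}")
    return (OUTER_IP + ESP_HDR + ESP_IV + protected
            + esp_padding(protected) + ESP_TRAILER + ESP_ICV)


def max_inner_mtu(link_mtu: int, ipsec_mode: str = "tunnel") -> int:
    """Largest inner packet whose encapsulated form still fits the physical link."""
    # encapsulated_size() never decreases as inner_len grows, so scan downwards.
    for inner_len in range(link_mtu, 0, -1):
        if encapsulated_size(inner_len, ipsec_mode) <= link_mtu:
            return inner_len
    raise ValueError("link MTU too small for any payload")


def forward(inner_len: int, df: bool, link_mtu: int = 1500, ipsec_mode: str = "tunnel"):
    """What the tunnel endpoint does with a packet of inner_len bytes.

    Returns "forwarded", "fragmented", or ("dropped", mtu) where mtu is the value the
    router reports in ICMP Fragmentation Needed (type 3, code 4). If that ICMP is
    filtered somewhere on the path, the sender never learns the smaller MTU and the
    connection silently stalls, which is the failure mode the post describes.
    """
    if encapsulated_size(inner_len, ipsec_mode) <= link_mtu:
        return "forwarded"
    if not df:
        return "fragmented"
    return ("dropped", max_inner_mtu(link_mtu, ipsec_mode))
```

Lowering the tunnel interface MTU (or clamping the TCP MSS) so that full-size application packets never exceed `max_inner_mtu` avoids depending on the ICMP message being delivered.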
----- Original Message -----
From: Vyacheslav Luschinsky
To:
Sent: Wednesday, July 18, 2001 1:12 AM
Subject: IPSEC in real life [7:12771]
> Does anyone have a Cisco IPsec LAN-to-LAN tunnel in production?
> This part of IOS seems to have so many bugs..
> When you do it with IKE (ipsec-isakmp), the Cisco workaround is to reboot the
> router. Manual keying (ipsec-manual) does not work at all, with the error
> IPSEC(manual_key_stuffing): Can't get valide engine id 0
> My IOS version is 12.0.7T.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12773&t=12771