Hi guys,

Can you please help with some IPsec stuff?

Q1. Which algorithm in IPsec supports 128-bit / Triple DES?
Q2. Is there any way to confirm whether our VPN/IPsec setup is working properly?

I used the commands show crypto ipsec sa and show crypto isakmp sa, but I can't
see anything coming. Below are my config and show command results.
My concern is to protect Telnet traffic between these two guys.




ISDN1#sh run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISDN1
!
enable secret 5 $1$LYk/$PJGs8FlVtZXjf/dcBrwcO/
!
!
!
!
!
memory-size iomem 7
ip subnet-zero
no ip domain-lookup
!
isdn voice-call-failure 0
cns event-service server
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 135.25.3.1 255.255.255.255
crypto isakmp key cisco address 135.25.11.1 255.255.255.252
!
!
crypto ipsec transform-set Cisco ah-md5-hmac esp-des
crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
!
!
crypto map CCIE 10 ipsec-isakmp
set peer 135.25.11.1
set peer 135.25.3.1
set transform-set Cisco2
match address 110
!
!
!
!
interface Loopback0
ip address 135.25.4.1 255.255.255.255
no ip directed-broadcast
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
ip address 135.25.11.2 255.255.255.252
no ip directed-broadcast
ip nat outside
no ip mroute-cache
no fair-queue
crypto map CCIE
!
interface BRI0/0
no ip address
no ip directed-broadcast
shutdown
isdn guard-timer 0 on-expiry accept
!
interface FastEthernet0/1
ip address 135.25.11.9 255.255.255.252
no ip directed-broadcast
duplex auto
speed auto
!
router ospf 64
network 135.25.4.1 0.0.0.0 area 0
network 135.25.11.2 0.0.0.0 area 0
network 135.25.11.9 0.0.0.0 area 0
!
ip nat pool CCIE 135.25.11.2 135.25.11.2 prefix-length 30
ip nat inside source list 1 pool CCIE overload
ip classless
no ip http server
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 110 permit tcp host 135.25.4.1 host 135.25.3.1 eq telnet
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
!
!
line con 0
exec-timeout 0 0
password cisco
transport input none
line aux 0
line vty 0 4
password cisco
login


ISDN2#sh run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISDN2
!
enable secret 5 $1$so9r$GFjeRLyea2vUgn2HbMvOG1
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
isdn voice-call-failure 0
cns event-service server
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 135.25.11.2
crypto isakmp key cisco address 135.25.4.1
!
!
crypto ipsec transform-set Cisco ah-md5-hmac esp-des
crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
!
!
crypto map CCIE 10 ipsec-isakmp
set peer 135.25.11.2
set peer 135.25.4.1
set transform-set Cisco2
match address 110
partition flash 2 16 8
!
!
!
!
!
!
!
interface Loopback0
ip address 135.25.3.1 255.255.255.255
no ip directed-broadcast
!
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no ip directed-broadcast
no keepalive
!
interface Serial0/0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
!
interface BRI0/0
no ip address
no ip directed-broadcast
shutdown
isdn guard-timer 0 on-expiry accept
!
interface Ethernet0/1
no ip address
no ip directed-broadcast
shutdown
!
interface Serial1/0
ip address 135.25.9.1 255.255.255.252
no ip directed-broadcast
fair-queue 64 32 1
clockrate 72000
ip rsvp bandwidth 16 13
!
interface Serial1/1
ip address 135.25.11.1 255.255.255.252
no ip directed-broadcast
clockrate 72000
crypto map CCIE
!
interface Serial1/2
ip address 135.25.9.5 255.255.255.252
no ip directed-broadcast
clockrate 72000
!
interface Serial1/3
no ip address
no ip directed-broadcast
shutdown
!
interface Serial1/4
ip address 135.25.11.5 255.255.255.252
no ip directed-broadcast
!
interface Serial1/5
no ip address
no ip directed-broadcast
shutdown
!
interface Serial1/6
no ip address
no ip directed-broadcast
shutdown
!
interface Serial1/7
no ip address
no ip directed-broadcast
shutdown
!
router ospf 64
network 135.25.3.1 0.0.0.0 area 0
network 135.25.9.1 0.0.0.0 area 0
network 135.25.9.5 0.0.0.0 area 0
network 135.25.11.1 0.0.0.0 area 0
network 135.25.11.5 0.0.0.0 area 0
!
ip classless
no ip http server
!
access-list 110 permit tcp host 135.25.3.1 host 135.25.4.1 eq telnet
!
!
line con 0
exec-timeout 0 0
password cisco
transport input none
line aux 0
line vty 0 4
password cisco
login
!
end
ISDN2# sh crypto ipsec sa

interface: Serial1/1
    Crypto map tag: CCIE, local addr. 135.25.11.1

   local  ident (addr/mask/prot/port): (135.25.3.1/255.255.255.255/6/0)
   remote ident (addr/mask/prot/port): (135.25.4.1/255.255.255.255/6/23)
   current_peer: 135.25.11.2
     PERMIT, flags={origin_is_acl,reassembly_needed,ident_port_range,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 135.25.11.1, remote crypto endpt.: 135.25.11.2
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


     local crypto endpt.: 135.25.11.1, remote crypto endpt.: 135.25.4.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


ISDN2#sh crypto isakmp sa
    dst           src          state        conn-id   slot

ISDN2#
!

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17646&t=17646
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
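On Q2: the posted show crypto ipsec sa output has every packet counter at zero and the show crypto isakmp sa table is empty, so no IKE negotiation has ever started; either no packet has matched the crypto ACL (the Telnet session has to be sourced from the Loopback0 address for access-list 110 to match) or the two sides disagree on something that has to be identical before an SA can be built. The script below is an added example, not part of the post and not Cisco code; the helper names are made up. It takes the crypto-relevant lines copied from the two configs above as constructed input and checks the things that must agree between two IOS crypto peers: that each crypto ACL is the exact mirror of the other (source and destination swapped, and the eq telnet port swapped with them, which is what the local/remote ident lines in the SA output are derived from), that set peer names the address where the other router applies its crypto map, and that a crypto isakmp key entry covers that address. For Q1 it also flags esp-des and esp-md5-hmac in the transform set and names the IOS keywords for the stronger choices: esp-3des for Triple DES and esp-aes (128-bit by default) for AES, with esp-sha-hmac for integrity.

```python
# Added example, not from the post or from Cisco; helper names are hypothetical.
# Static audit of two IOS crypto configs: do the pieces that must agree between
# the peers actually agree, and are weak transform keywords in use?
import ipaddress
import re

# Constructed input: the crypto-relevant lines copied from the two configs in the post.
ISDN1_CFG = """\
crypto isakmp key cisco address 135.25.3.1 255.255.255.255
crypto isakmp key cisco address 135.25.11.1 255.255.255.252
crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
crypto map CCIE 10 ipsec-isakmp
 set peer 135.25.11.1
 set peer 135.25.3.1
 set transform-set Cisco2
 match address 110
interface Serial0/0
 ip address 135.25.11.2 255.255.255.252
 crypto map CCIE
access-list 110 permit tcp host 135.25.4.1 host 135.25.3.1 eq telnet
"""
ISDN2_CFG = """\
crypto isakmp key cisco address 135.25.11.2
crypto isakmp key cisco address 135.25.4.1
crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
crypto map CCIE 10 ipsec-isakmp
 set peer 135.25.11.2
 set peer 135.25.4.1
 set transform-set Cisco2
 match address 110
interface Serial1/1
 ip address 135.25.11.1 255.255.255.252
 crypto map CCIE
access-list 110 permit tcp host 135.25.3.1 host 135.25.4.1 eq telnet
"""
# Transform keywords to flag, with the stronger IOS keyword to use instead.
WEAK = {"esp-des": "esp-3des or esp-aes", "esp-md5-hmac": "esp-sha-hmac"}
# Host-to-host ACE with an optional 'eq <port>' after either host.
ACE_RE = re.compile(r"^access-list (\d+) permit (\S+) host (\S+)(?: eq (\S+))? host (\S+)(?: eq (\S+))?$")


def mirror(ace):
    """The ACE the far side must carry: source and destination swapped, ports with them."""
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)


def parse_side(cfg):
    """Extract, from one router's config, the pieces that must agree with its peer."""
    side = {"peers": [], "keys": [], "acls": {}, "transforms": {}, "acl": None, "endpoint": None}
    iface_ip, in_map = None, False
    for raw in cfg.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            num, *ace = m.groups()  # ports are None when the ACE has no 'eq'
            side["acls"].setdefault(num, []).append(tuple(ace))
        elif line.startswith("crypto isakmp key "):
            parts = line.split()
            i = parts.index("address")
            mask = parts[i + 2] if len(parts) > i + 2 else "255.255.255.255"  # IOS default: host
            side["keys"].append(ipaddress.ip_network(f"{parts[i + 1]}/{mask}", strict=False))
        elif line.startswith("crypto ipsec transform-set "):
            _, _, _, name, *algs = line.split()
            side["transforms"][name] = algs
        elif line.startswith("crypto map ") and "ipsec-isakmp" in line:
            in_map = True
        elif line.startswith("crypto map ") and iface_ip:
            side["endpoint"] = iface_ip  # map applied to this interface: the IKE/IPsec endpoint
        elif line.startswith("interface "):
            in_map, iface_ip = False, None
        elif line.startswith("ip address "):
            iface_ip = line.split()[2]
        elif in_map and line.startswith("set peer "):
            side["peers"].append(line.split()[2])
        elif in_map and line.startswith("set transform-set "):
            side["transform"] = line.split()[2]
        elif in_map and line.startswith("match address "):
            side["acl"] = line.split()[2]
    side["aces"] = side["acls"].get(side["acl"], [])
    return side


def audit(name_a, cfg_a, name_b, cfg_b):
    """Return findings as (router, category, message); an empty list means the static checks pass."""
    sides = ((name_a, parse_side(cfg_a)), (name_b, parse_side(cfg_b)))
    out = []
    for (me_name, me), (other_name, other) in (sides, sides[::-1]):
        remote = other["endpoint"]
        if remote not in me["peers"]:
            out.append((me_name, "peer", f"no 'set peer {remote}' for {other_name}'s crypto-map interface"))
        if not any(ipaddress.ip_address(remote) in net for net in me["keys"]):
            out.append((me_name, "psk", f"no 'crypto isakmp key' entry covers {remote}"))
        for ace in other["aces"]:
            if mirror(ace) not in me["aces"]:
                out.append((me_name, "acl-mirror", f"crypto ACL is not the mirror of {other_name}'s ACE {ace}"))
        for alg in me["transforms"].get(me.get("transform"), []):
            if alg in WEAK:
                out.append((me_name, "weak-transform", f"{alg}: use {WEAK[alg]} instead"))
    return out
```

Calling audit("ISDN1", ISDN1_CFG, "ISDN2", ISDN2_CFG) on the posted configs reports an acl-mirror finding on both routers (ISDN2's ACE puts eq telnet on the destination host, whereas the mirror of ISDN1's ACE needs it on the source host) plus the esp-des and esp-md5-hmac findings; the peer and pre-shared-key checks pass. Once the static checks are clean, the next step on the boxes themselves is to source a Telnet session from Loopback0 and watch the counters in show crypto ipsec sa and the state column in show crypto isakmp sa change.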