The access-list is the important point - if your traffic doesn't get caught
by the access-list it won't be encrypted.

Your access list encrypts telnet traffic that is sourced from the loopback
address. Now I could be wrong, but if you are on router ISDN1 and telnet to
the loopback address of ISDN2, the source address will be the ISDN1 router's
S0/0 interface IP address, NOT the ISDN1 loopback address.

I would change your access-list. You can easily tell if your traffic is
matching your access list by doing a 'debug ip packet detail 110'. You can
see how many packets are being encrypted using 'sh crypto engine connections
active'.

The 3DES IPSEC image is not easy to get a hold of if you're not in the US.
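To make the point above concrete, here is a small model of how a crypto map's "match address" ACL selects traffic for IPsec, using access-list 110 as posted on ISDN1 and constructed telnet packets. This is an added illustration, not code from the thread; the revised ACL that also matches the S0/0 source address is an assumption about one way the list could be changed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Ace:
    """One 'permit' entry of a crypto ACL (host entries are /32 networks)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                    # "tcp", "udp" or "ip"
    dport: Optional[int] = None   # None = any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def host(addr: str) -> ipaddress.IPv4Network:
    """'host a.b.c.d' in IOS ACL syntax is the /32 network a.b.c.d/32."""
    return ipaddress.ip_network(f"{addr}/32")

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and ace.proto in ("ip", pkt.proto)
            and (ace.dport is None or ace.dport == pkt.dport))

def selected_for_ipsec(acl: List[Ace], pkt: Packet) -> bool:
    """Crypto ACLs are permit lists: a packet matching no entry hits the
    implicit deny and leaves the interface in the clear."""
    return any(ace_matches(ace, pkt) for ace in acl)

# access-list 110 exactly as posted on ISDN1
ISDN1_ACL_AS_POSTED = [Ace(host("135.25.4.1"), host("135.25.3.1"), "tcp", 23)]
# assumed revision: also match telnet sourced from S0/0 (135.25.11.2)
ISDN1_ACL_REVISED = [Ace(host("135.25.11.2"), host("135.25.3.1"), "tcp", 23),
                     Ace(host("135.25.4.1"), host("135.25.3.1"), "tcp", 23)]

# constructed packets: ISDN1 telnets to ISDN2's loopback. The router sources
# the session from its egress interface (S0/0), not from Loopback0.
TELNET_FROM_S0 = Packet("135.25.11.2", "135.25.3.1", "tcp", 23)
TELNET_FROM_LO = Packet("135.25.4.1", "135.25.3.1", "tcp", 23)

if __name__ == "__main__":
    for name, acl in (("as posted", ISDN1_ACL_AS_POSTED),
                      ("revised", ISDN1_ACL_REVISED)):
        for pkt in (TELNET_FROM_S0, TELNET_FROM_LO):
            print(f"ACL {name}: src {pkt.src} -> "
                  f"encrypted={selected_for_ipsec(acl, pkt)}")
```

With the posted list the S0/0-sourced telnet is sent unencrypted, which is consistent with the zero "#pkts encrypt" counters in the quoted "sh crypto ipsec sa" output.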

> -----Original Message-----
> From: Cisco Lover [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, August 29, 2001 9:51 AM
> To:   [EMAIL PROTECTED]
> Subject:      IPSEC  Q's [7:17646]
> 
> Hi Guys..
> 
> Can you please help with some IPSEC stuff...
> 
> Q1. Which algo in IPSEC supports 128-bit/Triple DES?
> Q2. Is there any way to confirm if our VPN/IPSEC setup is working
> properly?
> 
> I used the commands show crypto ipsec sa + show crypto isakmp sa, but can't
> see anything coming. Below is my config and show command results.
> My concern is to protect Telnet traffic b/w these two guys.
> 
> 
> 
> 
> ISDN1#sh run
> Building configuration...
> 
> Current configuration:
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname ISDN1
> !
> enable secret 5 $1$LYk/$PJGs8FlVtZXjf/dcBrwcO/
> !
> !
> !
> !
> !
> memory-size iomem 7
> ip subnet-zero
> no ip domain-lookup
> !
> isdn voice-call-failure 0
> cns event-service server
> !
> !
> !
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> crypto isakmp key cisco address 135.25.3.1 255.255.255.255
> crypto isakmp key cisco address 135.25.11.1 255.255.255.252
> !
> !
> crypto ipsec transform-set Cisco ah-md5-hmac esp-des
> crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
> !
> !
> crypto map CCIE 10 ipsec-isakmp
> set peer 135.25.11.1
> set peer 135.25.3.1
> set transform-set Cisco2
> match address 110
> !
> !
> !
> !
> interface Loopback0
> ip address 135.25.4.1 255.255.255.255
> no ip directed-broadcast
> !
> interface FastEthernet0/0
> ip address 10.1.1.1 255.255.255.0
> no ip directed-broadcast
> ip nat inside
> duplex auto
> speed auto
> !
> interface Serial0/0
> ip address 135.25.11.2 255.255.255.252
> no ip directed-broadcast
> ip nat outside
> no ip mroute-cache
> no fair-queue
> crypto map CCIE
> !
> interface BRI0/0
> no ip address
> no ip directed-broadcast
> shutdown
> isdn guard-timer 0 on-expiry accept
> !
> interface FastEthernet0/1
> ip address 135.25.11.9 255.255.255.252
> no ip directed-broadcast
> duplex auto
> speed auto
> !
> router ospf 64
> network 135.25.4.1 0.0.0.0 area 0
> network 135.25.11.2 0.0.0.0 area 0
> network 135.25.11.9 0.0.0.0 area 0
> !
> ip nat pool CCIE 135.25.11.2 135.25.11.2 prefix-length 30
> ip nat inside source list 1 pool CCIE overload
> ip classless
> no ip http server
> !
> access-list 1 permit 10.1.1.0 0.0.0.255
> access-list 110 permit tcp host 135.25.4.1 host 135.25.3.1 eq telnet
> !
> !
> voice-port 1/0/0
> !
> voice-port 1/0/1
> !
> voice-port 1/1/0
> !
> voice-port 1/1/1
> !
> !
> !
> line con 0
> exec-timeout 0 0
> password cisco
> transport input none
> line aux 0
> line vty 0 4
> password cisco
> login
> 
> 
> ISDN2#sh run
> Building configuration...
> 
> Current configuration:
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname ISDN2
> !
> enable secret 5 $1$so9r$GFjeRLyea2vUgn2HbMvOG1
> !
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> isdn voice-call-failure 0
> cns event-service server
> !
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> crypto isakmp key cisco address 135.25.11.2
> crypto isakmp key cisco address 135.25.4.1
> !
> !
> crypto ipsec transform-set Cisco ah-md5-hmac esp-des
> crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
> !
> !
> crypto map CCIE 10 ipsec-isakmp
> set peer 135.25.11.2
> set peer 135.25.4.1
> set transform-set Cisco2
> match address 110
> partition flash 2 16 8
> !
> !
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 135.25.3.1 255.255.255.255
> no ip directed-broadcast
> !
> interface Ethernet0/0
> ip address 10.1.1.2 255.255.255.0
> no ip directed-broadcast
> no keepalive
> !
> interface Serial0/0
> no ip address
> no ip directed-broadcast
> no ip mroute-cache
> shutdown
> no fair-queue
> !
> interface BRI0/0
> no ip address
> no ip directed-broadcast
> shutdown
> isdn guard-timer 0 on-expiry accept
> !
> interface Ethernet0/1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface Serial1/0
> ip address 135.25.9.1 255.255.255.252
> no ip directed-broadcast
> fair-queue 64 32 1
> clockrate 72000
> ip rsvp bandwidth 16 13
> !
> interface Serial1/1
> ip address 135.25.11.1 255.255.255.252
> no ip directed-broadcast
> clockrate 72000
> crypto map CCIE
> !
> interface Serial1/2
> ip address 135.25.9.5 255.255.255.252
> no ip directed-broadcast
> clockrate 72000
> !
> interface Serial1/3
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface Serial1/4
> ip address 135.25.11.5 255.255.255.252
> no ip directed-broadcast
> !
> interface Serial1/5
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface Serial1/6
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface Serial1/7
> no ip address
> no ip directed-broadcast
> shutdown
> !
> router ospf 64
> network 135.25.3.1 0.0.0.0 area 0
> network 135.25.9.1 0.0.0.0 area 0
> network 135.25.9.5 0.0.0.0 area 0
> network 135.25.11.1 0.0.0.0 area 0
> network 135.25.11.5 0.0.0.0 area 0
> !
> ip classless
> no ip http server
> !
> access-list 110 permit tcp host 135.25.3.1 host 135.25.4.1 eq telnet
> !
> !
> line con 0
> exec-timeout 0 0
> password cisco
> transport input none
> line aux 0
> line vty 0 4
> password cisco
> login
> !
> end
> ISDN2# sh crypto ipsec sa
> ISDN2# sh crypto ipsec sa
> 
> interface: Serial1/1
>     Crypto map tag: CCIE, local addr. 135.25.11.1
> 
>    local  ident (addr/mask/prot/port): (135.25.3.1/255.255.255.255/6/0)
>    remote ident (addr/mask/prot/port): (135.25.4.1/255.255.255.255/6/23)
>    current_peer: 135.25.11.2
>      PERMIT, flags={origin_is_acl,reassembly_needed,ident_port_range,}
>     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress 
> failed: 0
>     #send errors 0, #recv errors 0
> 
>      local crypto endpt.: 135.25.11.1, remote crypto endpt.: 135.25.11.2
>      path mtu 1500, media mtu 1500
>      current outbound spi: 0
> 
>      inbound esp sas:
> 
> 
>      inbound ah sas:
> 
> 
>      inbound pcp sas:
> 
> 
>      outbound esp sas:
> 
> 
>      outbound ah sas:
> 
> 
>      outbound pcp sas:
> 
> 
>      local crypto endpt.: 135.25.11.1, remote crypto endpt.: 135.25.4.1
>      path mtu 1500, media mtu 1500
>      current outbound spi: 0
> 
>      inbound esp sas:
> 
> 
>      inbound ah sas:
> 
> 
>      inbound pcp sas:
> 
> 
>      outbound esp sas:
> 
> 
>      outbound ah sas:
> 
> 
>      outbound pcp sas:
> 
> 
> ISDN2#sh crypto isakmp sa
>     dst           src          state        conn-id   slot
> 
> ISDN2#
> !
> 
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17651&t=17646