IPSec Manual and SPI question [7:57448]

2002-11-14 Thread Cisco Breaker
Hi all,

We are implementing IPSec manual keying site to site because the other site doesn't
support IKE. I know that if you implement IPSec manual keying
-- ACLs for crypto map entries tagged as ipsec-manual are restricted to a
single permit entry and subsequent entries are ignored.
-- The SAs established by a manual crypto map entry are only for a single
data flow.

IKE doesn't have any restrictions like that. Is this because IKE
automatically assigns SPI numbers to the other permit entries for the same
access-list? Or is there some other reason?

I know the solution for the IPSec manual restriction of permit entries. I
want to know why this restriction exists. Because of one SPI for one permit
entry?

Any help will be really appreciated.

Best regards,

Cisco Breaker
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57448&t=57448
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: IPSec Manual and SPI question [7:57448]

2002-11-18 Thread Brunner Joseph
I think you're confusing SPI with a "CBAC" technology. An SPI is a
uni-directional IPSEC peer transform set hash (agreement on what you're using
with your IPSEC PEER).

An SPI is made in each direction to each peer. The access-list permits
flag traffic (matched by the router) as "permitted for IPSEC".
The access-list being referenced in the "crypto map" will make sure
IPSEC gets applied to the permitted traffic and it is sent to the peer.


I think reading this simple page will clear any misconceptions or questions
you may have about IPSEC/MANUAL (NO IKE).

http://www.cisco.com/warp/public/707/manual.shtml

And by the way, IKE is really a CONVENIENCE protocol, which was made
popular by adding autonegotiation for IPSEC PHASE 1 and added some
great security features like key management and secure key exchange
(SKEME/OAKLEY).
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57681&t=57448
Re: IPSec Manual and SPI question [7:57448]

2002-11-19 Thread Cisco Breaker
I have read that page many times and searched for manual keying also. But
that didn't answer my question. Anyway, I got an answer from a Cisco group
saying that

Basically yes. Each line in your ACL actually builds a separate tunnel, with
unique SPIs. If you use manual keys, you can only provide one set of SPIs,
and therefore the router/firewall can only build one tunnel, hence only one
line in your ACL.

With IKE, it dynamically creates unique SPIs per tunnel/ACL line, and
therefore you're not limited.

Best regards,

Cisco Breaker


""Brunner Joseph""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> I think your confusing SPI with a "CBAC" technology. AN spi is a
> uni-directional IPSEC peer transform set hash (agreement on what your
using
> with your IPSEC PEER).
>
> An SPI is made in each direction to each peer. The Access-list permits
> flag traffic (matched by the router) as "permitted for IPSEC".
> The access-list being referenced in the "Crypto map" will make sure
> the permits get applied ipsec and sent to the peer.
>
>
> I think reading this simple page will clear any misconceptions or questions
> you may have about IPSEC/MANUAL (NO IKE).
>
> http://www.cisco.com/warp/public/707/manual.shtml
>
> And by the way, IKE is really a CONVENIENCE protocol, which was made
> popular by adding autonegotiation for IPSEC PHASE 1 and added some
> great security features like key management and secure key exchange
> (SKEME/OAKLEY).
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57688&t=57448
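As an added illustration of the answer above (this is not from the thread or from the Cisco page it links), here is an IOS-style configuration showing a manual crypto map beside an IKE one. The peer address, ACL numbers, SPI values and key strings are assumed placeholders; the manual entry can hold exactly one inbound and one outbound session key, which is why only its first permit line is ever honored, whereas the ipsec-isakmp entry negotiates a fresh SA pair with its own SPIs for each permit line.

```cisco
! Added example with assumed addresses, SPIs and placeholder keys; not from the thread.
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! --- Manual keying: one SA pair, so one SPI per direction, so one data flow ---
! Only the first permit in ACL 101 is used; any later permit would be silently ignored.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map MANUAL-MAP 10 ipsec-manual
 set peer 192.0.2.2
 set transform-set TS
 match address 101
! One inbound and one outbound SPI is all a manual entry can carry.
! Keys are hex of the exact transform length (32 hex digits for AES-128,
! 40 for SHA-1 HMAC); our inbound SPI/key must equal the peer's outbound SPI/key.
 set session-key inbound esp 1000 cipher <AES_KEY_HEX> authenticator <SHA_KEY_HEX>
 set session-key outbound esp 1001 cipher <AES_KEY_HEX> authenticator <SHA_KEY_HEX>
!
! --- IKE: each permit line gets its own negotiated SA pair with fresh SPIs ---
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key <PRESHARED_KEY> address 192.0.2.2
!
! Two permit lines: IKE builds two SA pairs, each with unique inbound/outbound SPIs.
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 102 permit ip 10.1.3.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map IKE-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address 102
!
interface Serial0/0
 crypto map IKE-MAP
```

Once traffic has matched, `show crypto ipsec sa` on the IKE router lists a separate inbound and outbound SPI for each permit line of ACL 102, while the manual map will only ever show the two SPIs configured by hand.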