Configuring IOS-to-IOS IPSec Using Encryption


  • Configuring IOS-to-IOS IPSec Using Encryption

    Good morning,

    First post from Newbie Cisco/router user, so please be patient.

    We have 2 Cisco 2821 routers and we are trying to encrypt traffic between the two devices. We are using 3DES/SHA. IOS version 12.4(11)X.

    We have set the encryption up, but are having some trouble with the traffic.

    I can:
    ping from site a to b and b to a
    map a drive (Windows) from site a to b and b to a

    I cannot:
    view files over mapped drive
    terminal server in (makes connection but never displays login window)

    Where can I start to verify my encryption is configured properly? I have done a show crypto ipsec sa and get this (is there a problem with the unconfigured vrf at the top? If so, how do I get rid of it?):


    interface: FastEthernet0/1/0
    Crypto map tag: glr-br1-map, local addr 10.10.100.1
    protected vrf: (none)
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/17/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/17/0)
    current_peer 10.10.100.2 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 42138, #pkts encrypt: 42138, #pkts digest: 42138
    #pkts decaps: 42142, #pkts decrypt: 42142, #pkts verify: 42142
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
    local crypto endpt.: 10.10.100.1, remote crypto endpt.: 10.10.100.2
    path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1/0
    current outbound spi: 0xA3BA258D(2746885517)
    inbound esp sas:
    spi: 0x21C9F346(566883142)
    transform: esp-3des esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 1669, flow_id: AIM-VPN/SSL-2:1669, crypto map: glr-br1-map
    sa timing: remaining key lifetime (k/sec): (4574038/2893)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    spi: 0xA3BA258D(2746885517)
    transform: esp-3des esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 1670, flow_id: AIM-VPN/SSL-2:1670, crypto map: glr-br1-map
    sa timing: remaining key lifetime (k/sec): (4574037/2892)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE
    outbound ah sas:
    outbound pcp sas:
    protected vrf: (none)
    local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    current_peer 10.10.100.2 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15007, #pkts encrypt: 15007, #pkts digest: 15007
    #pkts decaps: 18912, #pkts decrypt: 18912, #pkts verify: 18912
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
    local crypto endpt.: 10.10.100.1, remote crypto endpt.: 10.10.100.2
    path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1/0
    current outbound spi: 0x6D5A371B(1834628891)
    inbound esp sas:
    spi: 0xAE379763(2922878819)
    Last edited by c.h.u.d.; 25th September 2008, 16:18. Reason: added version

  • #2
    Re: Configuring IOS-to-IOS IPSec Using Encryption

    It would be easier if you sent a show run of the config. Are you actually using VRFs?



    • #3
      Re: Configuring IOS-to-IOS IPSec Using Encryption

      Originally posted by philsky
      It would be easier if you sent a show run of the config. Are you actually using vrf's?
      us-glr-gw#sh run
      Building configuration...
      Current configuration : 5997 bytes
      !
      version 12.4
      no service pad
      service tcp-keepalives-in
      service tcp-keepalives-out
      service timestamps debug datetime msec localtime show-timezone
      service timestamps log datetime msec localtime show-timezone
      service password-encryption
      service sequence-numbers
      !
      hostname us-glr-gw
      !
      boot-start-marker
      boot-end-marker
      !
      security authentication failure rate 3 log
      security passwords min-length 6
      logging buffered 51200
      no logging console
      enable secret 5 $1$B9dK$dgSY82zWmLNvMAChKYJyH.
      !
      no aaa new-model
      clock timezone PCTime -5
      clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
      no ip source-route
      !
      !
      ip cef
      !
      !
      no ip bootp server
      ip domain name tensarcorp.com
      ip name-server 192.168.2.62
      !
      multilink bundle-name authenticated
      !
      !
      voice-card 0
      no dspfarm
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      crypto pki trustpoint TP-self-signed-963744423
      enrollment selfsigned
      revocation-check none
      rsakeypair TP-self-signed-963744423
      !
      !
      crypto pki certificate chain TP-self-signed-963744423
      certificate self-signed 01
      quit
      !
      !
      username tensar privilege 15 secret 5 $1$qA.H$thCwhr3n4UjWXZ/kImpB31
      !
      vlan internal allocation policy ascending
      !
      ip tcp synwait-time 10
      ip ssh time-out 60
      ip ssh authentication-retries 2
      !
      !
      crypto isakmp policy 1
      encr 3des
      authentication pre-share
      group 2
      crypto isakmp key sharedsecret address 10.10.100.2
      !
      !
      crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
      crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
      crypto ipsec transform-set 3des-sha-hmac esp-3des esp-sha-hmac
      !
      crypto map glr-br1-map 2 ipsec-isakmp
      set peer 10.10.100.2
      set transform-set 3des-sha-hmac
      set pfs group2
      match address 101
      !
      !
      !
      !
      !
      interface GigabitEthernet0/0
      description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
      ip address 192.168.2.13 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip route-cache flow
      duplex auto
      speed auto
      no mop enabled
      !
      interface GigabitEthernet0/1
      description $FW_OUTSIDE$$ES_WAN$
      ip address 192.168.24.13 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip route-cache flow
      duplex auto
      speed auto
      no mop enabled
      !
      interface FastEthernet0/0/0
      no ip address
      shutdown
      duplex auto
      speed 10
      !
      interface FastEthernet0/1/0
      description $ETH-LAN$
      ip address 10.10.100.1 255.255.255.0
      duplex auto
      speed auto
      crypto map glr-br1-map
      !
      interface Serial0/3/0
      ip address 192.168.9.1 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip route-cache flow
      !
      interface Serial0/3/1
      ip address 192.168.4.1 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip route-cache flow
      !
      router rip
      version 2
      network 10.0.0.0
      network 192.168.2.0
      network 192.168.4.0
      network 192.168.9.0
      network 192.168.20.0
      network 192.168.24.0
      no auto-summary
      !
      ip route 0.0.0.0 0.0.0.0 192.168.2.19
      !
      !
      ip http server
      ip http authentication local
      ip http secure-server
      ip http timeout-policy idle 60 life 86400 requests 10000
      !
      logging trap debugging
      access-list 101 remark SDM_ACL Category=4
      access-list 101 remark IPSec Rule
      access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
      access-list 101 permit udp any any
      access-list 102 permit udp host 10.10.100.2 any eq isakmp
      access-list 102 permit esp host 10.10.100.2 any
      no cdp run
      !
      !
      !
      !
      !
      !
      control-plane
      !
      !
      !
      !
      !
      !
      !
      !
      !
      banner exec ^C
      % Password expiration warning.
      -----------------------------------------------------------------------
      Cisco Router and Security Device Manager (SDM) is installed on this device and
      it provides the default username "cisco" for one-time use. If you have already
      used the username "cisco" to login to the router and your IOS image supports the
      "one-time" user option, then this username has already expired. You will not be
      able to login to the router with this username after you exit this session.
      It is strongly suggested that you create a new username with a privilege level
      of 15 using the following command.
      username <myuser> privilege 15 secret 0 <mypassword>
      Replace <myuser> and <mypassword> with the username and password you want to
      use.
      -----------------------------------------------------------------------
      ^C
      banner login ^CAuthorized access only!
      Disconnect IMMEDIATELY if you are not an authorized user!^C
      !
      line con 0
      login local
      transport output telnet
      line aux 0
      login local
      transport output telnet
      line vty 0 4
      privilege level 15
      login local
      transport input telnet ssh
      line vty 5 15
      privilege level 15
      login local
      transport input telnet ssh
      !
      scheduler allocate 20000 1000
      !
      webvpn cef
      !
      !
      end
      us-glr-gw#
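      The two SA entries in the first post line up one-to-one with the permit lines of access-list 101 in this config: IOS turns each permit ACE of the crypto map's match ACL into a proxy identity, so `permit udp any any` is what produces the `(0.0.0.0/0.0.0.0/17/0)` entry at the top of `show crypto ipsec sa`, and `protected vrf: (none)` only means the SA lives in the global routing table. The script below is an added example, not code from the thread or from Cisco: it parses a crypto ACL, predicts the identities IOS will report, and flags catch-all entries. `predict_identities` and the sample config are constructed for this illustration.

```python
import ipaddress
import re

# ACE protocol keywords and the number IOS shows in the "addr/mask/prot/port" identity.
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\d+)\s+permit\s+(?P<proto>\w+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
)

def _addr_mask(token: str) -> tuple[str, str]:
    """Turn an ACE address token into the addr/mask pair IOS reports."""
    if token == "any":
        return "0.0.0.0", "0.0.0.0"
    if token.startswith("host "):
        return token.split()[1], "255.255.255.255"
    addr, wildcard = token.split()
    # ACLs use wildcard bits; the SA identity shows the inverted (subnet) mask.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return addr, str(mask)

def predict_identities(config_text: str, acl_number: str) -> list[dict]:
    """One dict per permit ACE of the given crypto ACL, in config order."""
    found = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group("acl") != acl_number:
            continue
        proto = PROTO_NUM[m.group("proto").lower()]
        laddr, lmask = _addr_mask(m.group("src"))
        raddr, rmask = _addr_mask(m.group("dst"))
        found.append({
            "local": f"{laddr}/{lmask}/{proto}/0",
            "remote": f"{raddr}/{rmask}/{proto}/0",
            # 0.0.0.0/0.0.0.0 both sides: all traffic of that protocol leaving
            # the crypto-map interface is pulled into the tunnel.
            "catch_all": lmask == "0.0.0.0" and rmask == "0.0.0.0",
        })
    return found

# Constructed sample that mirrors access-list 101 from the thread.
SAMPLE_CONFIG = """\
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp any any
"""

if __name__ == "__main__":
    for ident in predict_identities(SAMPLE_CONFIG, "101"):
        print(ident)
```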



      • #4
        Re: Configuring IOS-to-IOS IPSec Using Encryption

        Resolved it another way. Set up a GRE tunnel instead.
        Last edited by c.h.u.d.; 8th October 2008, 20:02.
