ipsec at fa0 (CCNP forum archive, June 2001)
supergoku0 2001-06-19, 4:00 am
Hi all,
Could any experts tell me if the attached config/scenario is feasible? (The "crypto" commands are applied at both ends of fa0 of the 1750; somebody says ipsec can only be applied to serial ports?!) If so, what commands can I use to verify that ipsec is functioning?
Would indeed appreciate any advice and insights that can demonstrate ipsec is functioning with the attached configuration.
Many thanks,
Goku
MadChef 2001-06-19, 4:35 am
It's perfectly legitimate to apply your crypto maps to ethernet interfaces, and your situation shows why this can be desirable. Sometimes you need to separate your VPN termination point from your WAN access.
Assuming you're using IKE, do a "show crypto isakmp sa" to see if you're setting up your IKE tunnels appropriately. If the tunnel is established they should be in QM_IDLE state. "show crypto ipsec sa" will show the actual IPSec tunnels. More detail can be seen with "debug crypto isakmp" and "debug crypto ipsec".
In your case, one thing to consider is that NAT on your WAN router will likely break IPsec. If you need to do NAT, it needs to be done at the VPN access point.
MadChef
supergoku0 2001-06-19, 7:32 pm
Hi Madchef & guys,
Firstly thanks for your advice Madchef.
Don't know if that makes sense or not - with my scenario can I simply configure ipsec between the fe0's of the 1750's at both ends (all packets between them are encrypted / decrypted)? I guess since there is only one fast ethernet port for the 1750 (no hosts can be placed at both ends, therefore no packets can pass through the tunnels??), is it possible that I can verify ipsec status by pinging from one fa0 of a 1750 to the other fa0 of the 1750 followed by some "sh crypto" commands? With this assumption I am trying to do some configuring with this config (with no NAT in the routers).
MadChef 2001-06-20, 4:56 am
If you built your crypto lists to include icmp between the two devices then you should have no problem bringing up a tunnel between the two routers. But since you have only one ethernet interface to work with, I doubt you can actually encrypt traffic between hosts. I'm inclined to believe that you'll actually have to pass traffic between interfaces to put it in an ipsec tunnel, but I could be wrong. You could always try to build a tunnel interface between the two routers and apply the crypto map there. I think that would allow you to set up IPSec between hosts.
MadChef
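Pulling the two replies above together (the show commands in the first, the crypto ACL that includes router-to-router ICMP in the second), here is an added example of what the fa0 side of one 1750 could look like. It is not a configuration from this thread or from the poster's attachment: the addresses (RFC 5737 documentation ranges), the policy, transform-set, ACL and map names, the WAN-router next hop and the pre-shared key are all placeholders chosen for illustration.

```cisco
! Added example, not from this thread: crypto map on FastEthernet0 of router A
! (the 1750 whose fa0 faces its WAN router). Placeholder addressing:
!   router A fa0 = 192.0.2.1, router B fa0 = 198.51.100.1
! Router B gets the same config with source/destination swapped.
!
! Phase 1 (IKE) policy
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
! Phase 2 transform set
crypto ipsec transform-set LAB-TS esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto ACL: ICMP between the two fa0 addresses is included so that a
! ping from A's fa0 to B's fa0 triggers IKE and brings the tunnel up in
! the lab. Add lines for the host traffic once hosts sit behind each 1750.
access-list 101 permit icmp host 192.0.2.1 host 198.51.100.1
!
crypto map LAB-VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set LAB-TS
 match address 101
!
! The crypto map is applied to the ethernet interface, not a serial one.
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0
 crypto map LAB-VPN
!
! Default route toward A's WAN router (placeholder address on the fa0 segment)
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
! Verification, after "ping 198.51.100.1" issued on router A:
!   show crypto isakmp sa   -> an entry for peer 198.51.100.1 in state QM_IDLE
!   show crypto ipsec sa    -> #pkts encaps / #pkts decaps counters increasing
! Caveat from the first reply: no NAT between the two fa0s, since rewritten
! addresses no longer match the crypto ACL or the IKE peer address.
```

The ping is sourced from fa0 because that is the egress interface, so it matches access-list 101 and starts IKE; if "show crypto isakmp sa" shows a state other than QM_IDLE, "debug crypto isakmp" on both routers will show which phase 1 parameter (policy, key, peer address) disagrees.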
Yeti-GBR1 2001-06-20, 5:28 am
IMHO (and I'm no Cisco guru, but drawing on my MS & Novell knowledge and a modicum of common sense) I'd say that MadChef has the right idea since you only have the one ethernet port at either side.
I understand that you are trying to do it from switch - switch, but does it actually matter for a lab test? I mean to configure IPSEC on a Switch is similar or the same as on a router; I may be wrong but the concept will hold, I'm sure.
Is this for a production environment and you require it to be encrypted and passed down a secure pipe from switch-switch? Or just a test lab exercise?
supergoku0 2001-06-20, 8:04 am
Thanks for your inputs guys,
The situation being that I may be involved in configuring the attached config (except the WAN routers 1601, 2501 are removed; there will be NATs, hosts at both ends, etc.), the customer needs to run ipsec for hosts at both offices of the 1750s.
At present the WAN routers (my company's!) are in use and placed close together, with the attached config I guess I may "simulate" the actual config in the simplest form.
If I can get the correct types of V35 connecting the 1750's Ser0, I might put some hosts on both ethernet ports and try....
Cheers,
goku
supergoku0 2001-06-25, 10:39 pm
Hi all,
I connect the two serial ports directly with V35 cables (one end male and the other female)
but couldn't bring up the line protocol, is this way of connection valid?
Thanks!
Goku
supergoku0 2001-06-26, 12:51 am
Hi all,
I've just managed to bring the line protocol up by adding a command "clock rate 64000".
Cheers,
Goku
MadChef 2001-06-26, 3:50 am
quote: Originally posted by supergoku0
I've just managed to bring the line protocol up by adding a command "clock rate 64000".
Welcome to the world of DCE devices.
MC