GroupStudy.com GroupStudy.com - A virtual community of network engineers
Re: IPSEC / ISAKMP sample config posted 08/10/2000


Yes, but again, you can configure more than one transform set.
--- Kenny Sallee <mischa@xxxxxxxxxxxxxx> wrote:
> I don't think the peers will negotiate the transform set.  If that were
> true, IPSec would be easier to hack.  From my experience, if the transform
> sets don't match, phase 2 does not complete. As I understand it, if the
> IPSec endpoints can't determine which algorithms to use (esp, ah, des,
> 3des) then they won't talk....Also, if you read the output below from CCO:
> 
> > The transform set defined in the crypto map entry will be used in the
> > IPSec security association negotiation to protect the data flows
> > specified by that crypto map entry's access list.
> 
> That itself says the crypto map will only use the specified transform
> set....That's how I read it anyway..
> 
> Kenny
> 
> 
> ----- Original Message -----
> From: "Alan Simpkins" <alan_simpkins@xxxxxxxxx>
> To: "Kenny Sallee" <mischa@xxxxxxxxxxxxxx>;
> <Padhu@xxxxxxxxxxxx>;
> <ccielab@xxxxxxxxxxxxxx>
> Sent: Thursday, August 10, 2000 7:52 AM
> Subject: Re: IPSEC / ISAKMP sample config
> 
> 
> > I may be wrong here but as I recall, the peers need to be able to
> > negotiate at least 1 transform set. I do not think all of them have to
> > match, but I believe at least one must. Some peers may support
> > transform sets others do not. See the following blurb from CCO docs:
> >
> > A transform set represents a certain combination of security protocols
> > and algorithms. During the IPSec security association negotiation, the
> > peers agree to use a particular transform set for protecting a
> > particular data flow.
> >
> > You can specify multiple transform sets, and then specify one or more
> > of these transform sets in a crypto map entry. The transform set
> > defined in the crypto map entry will be used in the IPSec security
> > association negotiation to protect the data flows specified by that
> > crypto map entry's access list.
> >
> > During IPSec security association negotiations with IKE, the peers
> > search for a transform set that is the same at both peers. When such a
> > transform set is found, it is selected and will be applied to the
> > protected traffic as part of both peers' IPSec security associations.
> >
> > --- Kenny Sallee <mischa@xxxxxxxxxxxxxx> wrote:
> > > First off your transform sets don't match:
> > >
> > > crypto ipsec transform-set r5 ah-md5-hmac esp-des
> > >
> > > crypto ipsec transform-set r6 esp-des esp-md5-hmac
> > >
> > > These need to match for phase 2 to complete (I think it is anyway,
> > > maybe phase 1).  It looked like from the debug that phase 1 completed
> > > (pre-shared keys were exchanged and matched) but phase 2 did not..
> > >
> > > Also, I think your ACLs are wrong.  You need to permit the return
> > > traffic in both directions depending on the direction(s) you want to
> > > encrypt telnet.
> > >
> > > So for R5:
> > >
> > > access-list 105 permit tcp any any eq telnet log
> > > access-list 105 permit tcp any eq 23 any gt 1023
> > >
> > > and the same on the other router
> > >
> > > Kenny
> > >
> > >
> > > ----- Original Message -----
> > > From: <Padhu@xxxxxxxxxxxx>
> > > To: <ccielab@xxxxxxxxxxxxxx>
> > > Sent: Wednesday, August 09, 2000 10:53 AM
> > > Subject: IPSEC / ISAKMP sample config
> > >
> > >
> > > > I am trying this and it isn't working for me ...My first time.. so
> > > > obviously I am overlooking something..Can anyone take a look at the
> > > > config and comment on it ? thanks.
> > > >
> > > > I have defined telnet to be the only traffic interesting for
> > > > encryption..
> > > >
> > > > Cheers,Padhu
> > > >
> > > >  <<ipsec.TXT>>  <<ipsecdebug.TXT>>
> > > >


_______________________________________________________
To unsubscribe from the CCIELAB list, send a message to
majordomo@xxxxxxxxxxxxxx with the body containing:
unsubscribe ccielab
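The point the thread circles around (the peers search for a transform set that is the same at both, a crypto map entry may offer several, and if none is common phase 2 never completes) is easier to see in a small executable model. The following is an added example written for this page; it is not code from the thread, from Cisco, or from any of the posters. The Router class, the transform-set names "r6-plus" and "strong", and the rule that the first match in the initiator's priority order is chosen are assumptions made to illustrate the selection logic, not a description of every detail of IOS behaviour. The r5/r6 configuration it replays is taken from the lines Kenny quoted.

```python
"""Model of the IPsec phase 2 transform-set selection the CCO excerpt in
the thread describes.  Added illustration, not code from the thread, from
Cisco IOS or from any poster; the router model and the "first match in the
initiator's order" tie-break are assumptions made to show the rule."""
from typing import Dict, FrozenSet, List, Optional, Tuple

Transforms = FrozenSet[str]
Pick = Tuple[str, str, Transforms]  # (initiator set name, responder set name, transforms)


class Router:
    """Hypothetical model of the two IOS pieces that matter here: named
    transform sets and, per crypto map entry, the ordered list of set
    names proposed ('set transform-set a b ...')."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.transform_sets: Dict[str, Transforms] = {}
        self.crypto_map: Dict[int, List[str]] = {}

    def transform_set(self, name: str, *transforms: str) -> None:
        # 'crypto ipsec transform-set NAME T1 [T2 [T3]]'.  Keyword order on
        # the IOS line does not matter, so the set is stored unordered.
        self.transform_sets[name] = frozenset(transforms)

    def map_entry(self, seq: int, *set_names: str) -> None:
        # 'crypto map MAP SEQ ipsec-isakmp' followed by 'set transform-set NAMES...'
        unknown = [n for n in set_names if n not in self.transform_sets]
        if unknown:
            raise ValueError(f"{self.name}: undefined transform set(s) {unknown}")
        self.crypto_map[seq] = list(set_names)

    def proposals(self, seq: int) -> List[Tuple[str, Transforms]]:
        return [(n, self.transform_sets[n]) for n in self.crypto_map[seq]]


def negotiate_phase2(initiator: Router, iseq: int,
                     responder: Router, rseq: int) -> Optional[Pick]:
    """Search for a transform set that is the same at both peers.

    Returns the chosen pair of set names plus the transforms, or None when
    no proposed set matches: the case where phase 2 never completes even
    though phase 1 (the ISAKMP SA, pre-shared keys) came up fine."""
    responder_sets = responder.proposals(rseq)
    for iname, iset in initiator.proposals(iseq):   # initiator's priority order (assumption)
        for rname, rset in responder_sets:
            if iset == rset:                         # whole combination must be identical
                return (iname, rname, iset)
    return None


def thread_scenarios() -> Dict[str, Optional[Pick]]:
    """Replay the thread's config (constructed from the posted lines) and a
    corrected one where each crypto map entry lists more than one set."""
    results: Dict[str, Optional[Pick]] = {}

    # As posted: one set per router, and they differ (AH+ESP vs ESP+ESP-auth).
    r5, r6 = Router("R5"), Router("R6")
    r5.transform_set("r5", "ah-md5-hmac", "esp-des")
    r6.transform_set("r6", "esp-des", "esp-md5-hmac")
    r5.map_entry(10, "r5")
    r6.map_entry(10, "r6")
    results["as_posted"] = negotiate_phase2(r5, 10, r6, 10)   # None

    # A superset on one side is still not a match: the combination must be equal.
    r6.transform_set("r6-plus", "ah-md5-hmac", "esp-des", "esp-md5-hmac")
    r6.map_entry(10, "r6", "r6-plus")
    results["superset"] = negotiate_phase2(r5, 10, r6, 10)    # None

    # Corrected: both map entries list several sets; any one in common suffices.
    r5.transform_set("strong", "esp-3des", "esp-sha-hmac")
    r6.transform_set("strong", "esp-3des", "esp-sha-hmac")
    r5.map_entry(10, "r5", "strong")
    r6.map_entry(10, "r6", "r6-plus", "strong")
    results["fixed"] = negotiate_phase2(r5, 10, r6, 10)       # ("strong", "strong", ...)
    return results


if __name__ == "__main__":
    for label, pick in thread_scenarios().items():
        print(f"{label:10s} -> {'phase 2 fails' if pick is None else sorted(pick[2])}")
```

Running it shows the two outcomes the thread argues about side by side: with the posted r5/r6 lines nothing is common, so the model returns None just as the debug showed phase 2 not completing; once each crypto map entry offers more than one set and at least one of them is identical on both routers, that set is selected and the names of the sets do not need to match, only their contents.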