Re: IPSEC / ISAKMP sample config posted 08/10/2000


Yes you can config more than one, but you can only apply one to any crypto
map - the crypto map then references an ACL to determine to encrypt or not.
The other transform sets can be used with different end points.  Therefore,
if the transform sets don't match, then the tunnel will fail.  Unless I'm
completely missing something.

Kenny
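As an added illustration that is not part of any message in this thread: a small Python model of the CCO rule quoted further down (the peers search for a transform set that is the same at both peers), using the r5/r6 transform sets from Padhu's config. The class names, the ACL number on R6 and the name of the compatibility set are assumptions.

```python
"""Toy model of IKE phase 2 (IPsec SA) transform-set matching.

Added example, not from the thread. A transform set is modelled as the
frozenset of its transforms, so the order written on the CLI line does
not matter; a crypto map entry offers only the sets it lists.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TransformSet:
    name: str
    transforms: frozenset  # e.g. {"ah-md5-hmac", "esp-des"}


@dataclass
class CryptoMapEntry:
    peer: str
    acl: int  # crypto ACL that selects the interesting traffic
    transform_sets: list = field(default_factory=list)  # sets offered to the peer


def negotiate(local: CryptoMapEntry, remote: CryptoMapEntry):
    """Return (local_name, remote_name) of the first transform set that is
    identical on both sides, or None when no proposal matches (phase 2 fails
    even though phase 1 / pre-shared keys may have succeeded)."""
    for mine in local.transform_sets:
        for theirs in remote.transform_sets:
            if mine.transforms == theirs.transforms:
                return (mine.name, theirs.name)
    return None


# Constructed from the two config lines quoted in the thread.
R5 = TransformSet("r5", frozenset({"ah-md5-hmac", "esp-des"}))
R6 = TransformSet("r6", frozenset({"esp-des", "esp-md5-hmac"}))

r5_map = CryptoMapEntry(peer="R6", acl=105, transform_sets=[R5])
r6_map = CryptoMapEntry(peer="R5", acl=105, transform_sets=[R6])  # ACL number assumed


def original_config_result():
    # AH-MD5 + ESP-DES versus ESP-DES + ESP-MD5: not the same set, so None.
    return negotiate(r5_map, r6_map)


def fixed_config_result():
    # One fix: give R6 a set identical to r5 and offer it from the map entry.
    r6_compat = TransformSet("r6-compat", frozenset({"ah-md5-hmac", "esp-des"}))
    r6_fixed = CryptoMapEntry(peer="R5", acl=105, transform_sets=[R6, r6_compat])
    return negotiate(r5_map, r6_fixed)
```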


----- Original Message -----
From: "Alan Simpkins" <alan_simpkins@xxxxxxxxx>
To: "Kenny Sallee" <mischa@xxxxxxxxxxxxxx>; <Padhu@xxxxxxxxxxxx>;
<ccielab@xxxxxxxxxxxxxx>
Sent: Thursday, August 10, 2000 10:41 AM
Subject: Re: IPSEC / ISAKMP sample config


> Yes but again, you can configure more than one transform set.
> --- Kenny Sallee <mischa@xxxxxxxxxxxxxx> wrote:
> > I don't think the peers will negotiate the transform set.  If that were
> > true, IPSec would be easier to hack.  From my experience, if the transform
> > sets don't match, phase 2 does not complete. As I understand it, if the
> > IPSec endpoints can't determine which algorithms to use (esp, ah, des,
> > 3des) then they won't talk....Also, if you read the output below from CCO:
> >
> > > The transform set defined in the crypto map entry will be used in the IPSec
> > > security association negotiation to protect the data flows specified by
> > > that crypto map entry's access list.
> >
> > That itself says the crypto map will only use the specified transform
> > set....That's how I read it anyway..
> >
> > Kenny
> >
> >
> > ----- Original Message -----
> > From: "Alan Simpkins" <alan_simpkins@xxxxxxxxx>
> > To: "Kenny Sallee" <mischa@xxxxxxxxxxxxxx>;
> > <Padhu@xxxxxxxxxxxx>;
> > <ccielab@xxxxxxxxxxxxxx>
> > Sent: Thursday, August 10, 2000 7:52 AM
> > Subject: Re: IPSEC / ISAKMP sample config
> >
> >
> > > I may be wrong here but as I recall, the peers need to be able to
> > > negotiate at least 1 transform set, I do not think all of them have to
> > > match, but I believe at least one must. Some peers may support transform set
> > > others do not. see the following blurb from CCO docs:
> > >
> > > A transform set represents a certain combination of security protocols
> > > and algorithms. During the IPSec security association negotiation, the
> > > peers agree to use a particular transform set for protecting a
> > > particular data flow.
> > >
> > > You can specify multiple transform sets, and then specify one or more of
> > > these transform sets in a crypto map entry. The transform set defined in
> > > the crypto map entry will be used in the IPSec security association
> > > negotiation to protect the data flows specified by that crypto map
> > > entry's access list.
> > >
> > > During IPSec security association negotiations with IKE, the peers
> > > search for a transform set that is the same at both peers. When such a
> > > transform set is found, it is selected and will be applied to the
> > > protected traffic as part of both peers' IPSec security associations.
> > >
> > > --- Kenny Sallee <mischa@xxxxxxxxxxxxxx> wrote:
> > > > First off your transform sets don't match:
> > > >
> > > > crypto ipsec transform-set r5 ah-md5-hmac esp-des
> > > > crypto ipsec transform-set r6 esp-des esp-md5-hmac
> > > >
> > > > These need to match for phase 2 to complete ( I think it is anyway maybe
> > > > phase 1).  It looked like from the debug that phase 1 completed ( pre-shared
> > > > keys were exchanged and matched ) but phase 2 did not..
> > > >
> > > > Also, I think your ACLs are wrong.  You need to permit the return traffic
> > > > in both directions depending on the direction(s) you want to encrypt telnet.
> > > >
> > > > So for R5:
> > > >
> > > > access-list 105 permit tcp any any eq telnet log
> > > > access-list 105 permit tcp any eq 23 any gt 1023
> > > >
> > > > and the same on the other router
> > > >
> > > > Kenny
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: <Padhu@xxxxxxxxxxxx>
> > > > To: <ccielab@xxxxxxxxxxxxxx>
> > > > Sent: Wednesday, August 09, 2000 10:53 AM
> > > > Subject: IPSEC / ISAKMP sample config
> > > >
> > > >
> > > > > I am trying this and it isn't working for me ...My first time.. so
> > > > > obviously i am overlooking something..Can any one take a look at the
> > > > > config and comment on it ? thanks.
> > > > >
> > > > > I have defined telnet to be the only traffic interesting for encryption..
> > > > >
> > > > > Cheers,Padhu
> > > > >
> > > > >  <<ipsec.TXT>>  <<ipsecdebug.TXT>>
> > > > >

_______________________________________________________
To unsubscribe from the CCIELAB list, send a message to
majordomo@xxxxxxxxxxxxxx with the body containing:
unsubscribe ccielab