11-21-2007 06:13 AM - edited 03-03-2019 07:38 PM
Hi Experts,
I am going to configure point-to-point IPsec tunnelling. I am new to this technology. Can anybody point me to the right location for this info?
And the troubleshooting steps if I face problems?
Thanks!
11-21-2007 06:28 AM
Hi Cindy
Attached is a link to a whole load of configuration examples for IPSEC tunnels from routers/firewalls/VPN concentrators. You should be able to find a document there to start you off and feel free to come back with any more questions.
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html
HTH
Jon
11-21-2007 07:39 PM
Cyndy, I'm not Jon, but thanks for the compliment! There are two phases, in order: Phase I must be established before Phase II.
I quote!!
IPSec Phase 1 Internet Key Exchange Security Association policy to be used to negotiate the tunnel, which consists of the following:
- Encryption algorithm for IPSec VPN tunnel, which must be the same for both devices: DES, 3DES, AES-128, AES-192, or AES-256. The default is 3DES.
- Authentication algorithm for the IPSec VPN tunnel, which must be the same for both devices: MD5 or SHA. The default is SHA.
- Diffie-Hellman Group, which must be the same for both devices: group 1, group 2, group 5, or group 7. The default is group 2.
IPSec Phase 2 Encryption and Authentication policy to be applied to the VPN tunnel. The parameters and options consist of the following:
- Encryption algorithm for IPSec VPN tunnel, which must be the same for both devices: DES, 3DES, AES-128, AES-192, or AES-256. The default is 3DES.
- Authentication algorithm for the IPSec VPN tunnel, which must be the same for both devices: MD5 or SHA. The default is SHA.
Here is some terminology to start getting familiar with; check Intro to IPsec encryption:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml
Rate any helpful post
Rgds
Jorge
11-21-2007 06:20 AM
Hi,
Please check the link below:
hth
Thank you
MS
11-21-2007 05:14 PM
Sheik,
I can't view this link as I need to have a CCO account.
As for Jon and Samuel, I have rated your posts.
I will get back to you all if I face any issues on this. :-)
Thanks!
11-21-2007 07:37 AM
Hi,
Cisco SRNDs are also a good place to learn about the technology in depth. You may follow the following SRND to understand the tech and to see a few good examples and situations:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008073a0c5.pdf
Kind Regards,
Wilson Samuel
Please rate all helpful posts.
11-21-2007 06:19 PM
Guys,
I managed to get 2 routers to play with for this IPsec configuration.
Currently I am thinking of using these 2 routers for testing, but configuring the routers themselves connected with a crossover cable.
Can I know if this method will work? From Fast E of Router 1 to Router 2, and how can I verify that it is really encrypted, as I need to convince the customer that they are really on the encryption process...
Thanks so much again!
11-21-2007 06:57 PM
Cyndy, the name seems familiar from previous posts, but not sure; anyway, greetings!
Sure, you can do a router-to-router L2L VPN simulation, but I guess you would need at least one station/laptop at each end to initiate "interesting traffic". Interesting traffic is key to bringing up the tunnel, and that happens, say, when Host-1 behind Router A sends a ping or any other TCP request to Host-1 behind Router B. I speak from FW L2L VPNs, but I would expect it to be the same principle when using IOS.
There are two commands you can use to see whether the tunnel is up or not.
show crypto ipsec sa - shows the phase 2 security associations.
show crypto isakmp sa - shows the phase 1 security associations.
There are a few debugging commands, which are an excellent tool for troubleshooting crypto, to see what is going on if the tunnel does not come up or to see traffic being encrypted when the tunnel is up.
I quote from one of Jon's posted links:
debug crypto ipsec - Shows the IPSec negotiations of phase 2.
debug crypto isakmp - Shows the ISAKMP negotiations of phase 1.
debug crypto engine - Shows the traffic that is encrypted.
Rgds
Jorge
11-21-2007 07:06 PM
Thanks Jon!
Yeah, I have been posting, and you guys are great at helping out. :) I have been missing a while from this forum as I went on my vacation. ;)
Anyway, thanks for the reply. I would like to understand what the difference is between phase 1 and phase 2 security associations, or must the 2 phases always come together in the IPsec config??
Thanks again..
11-21-2007 08:41 PM
Great answer, Jorge! :) I have rated your post.
And also, sorry about the mismatched name, as I overlooked it. :P -> causing a "duplex mismatch"... haa...
I will let you guys know if this testing is successful by posting back at this forum.
Thanks once again..
11-21-2007 11:31 PM
Cindy
Thanks for the rating, much appreciated, and welcome back.
Jorge
Appreciate the compliment, but the only real difference between our postings is that I have been doing it longer :)
Jon
11-22-2007 12:38 AM
Guys,
I have done the testing, but would like to verify if the result is good.
I did a...
Router#sh crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet0/1 20.20.20.20 set HMAC_MD5+3DES_56_C 0 0
5131 FastEthernet0/1 20.20.20.20 set HMAC_MD5+3DES_56_C 0 151
5132 FastEthernet0/1 20.20.20.20 set HMAC_MD5+3DES_56_C 151 0
Is this enough to show that the crypto is working?
11-22-2007 12:57 AM
Hi Cindy
The commands I normally use to check are:
1) sh crypto isa sa - this shows you if phase 1 has completed successfully. It should say "QM_IDLE" under status
2) sh crypto ipsec sa - this shows you if the Phase 2 tunnels were set up successfully and will also show the number of encrypted and decrypted packets.
Jon
11-22-2007 01:48 AM
Jon,
Thanks,
Can I say that the result below is verified for IPsec encryption?
--------------------------------------------
Router#sh crypto isa sa
dst src state conn-id slot
20.20.20.21 20.20.20.20 QM_IDLE 1 0
Router#sh crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: hsbc-iras, local addr. 20.20.20.20
protected vrf:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 20.20.20.21:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 204, #pkts encrypt: 204, #pkts digest 204
#pkts decaps: 191, #pkts decrypt: 191, #pkts verify 191
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 20.20.20.20, remote crypto endpt.: 20.20.20.21
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 711DF592
inbound esp sas:
spi: 0x98B451FB(2561954299)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5133, flow_id: 13, crypto map: hsbc-iras
sa timing: remaining key lifetime (k/sec): (4444514/2197)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x711DF592(1897788818)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5134, flow_id: 14, crypto map: hsbc-iras
sa timing: remaining key lifetime (k/sec): (4444512/2193)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
11-22-2007 01:51 AM
Cindy
Phase 1 looks good and phase 2 looks good as well.
The real test is can you pass traffic down the tunnel. From the phase 2 output it looks like you can.
Without wishing to sound patronising, that's a really good job you've done, because setting up VPNs can be a very time-consuming and finicky problem :)
Jon
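As an added example (not from this thread or from Cisco), the following Python check applies Jon's two-command verification to saved show output: Phase 1 must be in QM_IDLE for the peer, and the Phase 2 encrypt/decrypt counters must rise between two snapshots taken before and after sending interesting traffic, which is the "real test" of traffic actually passing down the tunnel. The sample outputs are constructed from the values quoted in the thread; the transform warning reflects the fact that 3DES and HMAC-MD5 are legacy algorithms.

```python
import re

# Constructed samples, modelled on the 'show crypto isa sa' / 'show crypto ipsec sa'
# output quoted in this thread (not real device output).
ISAKMP_SA = """\
dst             src             state          conn-id slot
20.20.20.21     20.20.20.20     QM_IDLE              1    0
"""
IPSEC_SA_T0 = """\
   current_peer: 20.20.20.21:500
    #pkts encaps: 204, #pkts encrypt: 204, #pkts digest 204
    #pkts decaps: 191, #pkts decrypt: 191, #pkts verify 191
    #send errors 1, #recv errors 0
        transform: esp-3des esp-md5-hmac ,
"""
# Second snapshot, constructed as if taken after pinging across the tunnel.
IPSEC_SA_T1 = IPSEC_SA_T0.replace("204", "254").replace("191", "241")

def phase1_states(isakmp_sa):
    """Map each peer (dst column) to its ISAKMP state; QM_IDLE means Phase 1 completed."""
    states = {}
    for line in isakmp_sa.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 3:
            states[parts[0]] = parts[2]
    return states

def phase2_counters(ipsec_sa):
    """Pull the packet counters, error counters and transform out of 'show crypto ipsec sa'."""
    c = {k: int(v) for k, v in re.findall(r"#pkts (encrypt|decrypt): (\d+)", ipsec_sa)}
    m = re.search(r"#send errors (\d+), #recv errors (\d+)", ipsec_sa)
    c["send_errors"], c["recv_errors"] = map(int, m.groups()) if m else (0, 0)
    t = re.search(r"transform: (\S+ \S+)", ipsec_sa)
    c["transform"] = t.group(1) if t else None
    return c

def tunnel_verdict(isakmp_sa, ipsec_before, ipsec_after, peer):
    """Return (ok, findings, warnings): Phase 1 idle, counters rising both ways, no new errors."""
    findings, warnings = [], []
    state = phase1_states(isakmp_sa).get(peer)
    if state != "QM_IDLE":
        findings.append(f"phase 1 not complete for {peer}: state={state}")
    b, a = phase2_counters(ipsec_before), phase2_counters(ipsec_after)
    if a["encrypt"] <= b["encrypt"]:
        findings.append("no new packets encrypted: traffic is not entering the tunnel")
    if a["decrypt"] <= b["decrypt"]:
        findings.append("no new packets decrypted: nothing is coming back from the peer")
    if a["send_errors"] > b["send_errors"] or a["recv_errors"] > b["recv_errors"]:
        findings.append("crypto error counters increased between snapshots")
    if a["transform"] and ("3des" in a["transform"] or "md5" in a["transform"]):
        warnings.append(f"legacy transform in use, plan a migration: {a['transform']}")
    return (not findings, findings, warnings)
```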