03-10-2008 05:12 AM - edited 03-03-2019 09:03 PM
Hello...
I need to encrypt a dedicated serial link between two Cisco routers (1760 & 2811) both capable of doing VPN, tunneling, etc.
I'm not sure where to start because I'd like to configure fast encryption method that doesn't eat the BW and keep the latencies low.
What would you suggest?... tunneling? VPN with fast algorithms?... any ideas (and links to case studies or configuration guides) are welcome.
Regards,
Alberto F.
03-10-2008 05:20 AM
Hi,
What is the reason behind this, security? If it is, tunneling like IP GRE is not recommended since the serial link is already private; use IPSec VPN with AES-256/SHA-HMAC encryption. AES is faster than DES (3DES).
Regards,
Dandy
03-10-2008 05:32 AM
There may be specific customer requirements to encrypt even a dedicated link especially with banking customers
As Dandy had pointed out, you can use IPsec to encrypt traffic between the routers
Have a look here
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml
HTH
Narayan
03-10-2008 05:45 AM
"fast encryption method that doesn't eat the BW and keep the latencies low."
You're usually going to give up some, since it's the nature of the beast. However, one item to watch for: often the encryption imposes a smaller effective MTU. Packet fragmentation can often adversely impact performance. For TCP, if supported, the IOS command IP TCP adjust-mss helps avoid the issue.
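As an added illustration of the MTU point above (example code written for this page, not something posted in the thread): the worst-case overhead that ESP in tunnel mode adds for an AES-CBC/HMAC-SHA1-96 transform, using the RFC 4303 packet layout (outer IPv4 header, SPI and sequence number, one-block IV, padding to the cipher block size, two-byte trailer, 12-byte ICV), and the TCP MSS that keeps a full-size encrypted segment under a 1500-byte link MTU. The 1500-byte MTU and the segment sizes are assumed inputs. A GRE-over-IPsec design would need a larger allowance for the extra inner IP and GRE headers, which this block does not model, and MSS clamping only touches TCP SYNs; UDP traffic such as NetFlow export is not helped by it.

```python
# Added example (not from the thread): worst-case ESP tunnel-mode overhead for
# AES-CBC + HMAC-SHA1-96 per the RFC 4303 framing, and the TCP MSS that keeps
# an encrypted full-size segment at or under the link MTU.

OUTER_IPV4 = 20          # outer IP header added in tunnel mode (no options)
ESP_HEADER = 8           # SPI (4) + sequence number (4)
AES_CBC_IV = 16          # one AES block
ESP_TRAILER = 2          # pad length (1) + next header (1)
HMAC_SHA1_96_ICV = 12    # truncated HMAC-SHA1 authenticator
AES_BLOCK = 16
IPV4_TCP_HEADERS = 40    # minimal IPv4 (20) + TCP (20) inside the tunnel


def esp_padding(inner_len: int) -> int:
    """Bytes of ESP padding so that (payload + pad + trailer) is block-aligned."""
    return (-(inner_len + ESP_TRAILER)) % AES_BLOCK


def esp_packet_len(inner_len: int) -> int:
    """Size on the wire of the outer packet carrying an inner IP packet."""
    return (OUTER_IPV4 + ESP_HEADER + AES_CBC_IV + inner_len
            + esp_padding(inner_len) + ESP_TRAILER + HMAC_SHA1_96_ICV)


def max_esp_overhead() -> int:
    """Largest possible overhead: padding is at most AES_BLOCK - 1 bytes."""
    return (OUTER_IPV4 + ESP_HEADER + AES_CBC_IV + (AES_BLOCK - 1)
            + ESP_TRAILER + HMAC_SHA1_96_ICV)


def will_fragment(inner_len: int, link_mtu: int = 1500) -> bool:
    """True if the encrypted packet exceeds the link MTU and must fragment."""
    return esp_packet_len(inner_len) > link_mtu


def recommended_mss(link_mtu: int = 1500) -> int:
    """TCP MSS such that a maximal segment never fragments after encryption."""
    return link_mtu - max_esp_overhead() - IPV4_TCP_HEADERS


if __name__ == "__main__":
    # An unclamped 1460-byte MSS gives a 1500-byte inner packet: it fragments.
    print("1500-byte inner packet becomes", esp_packet_len(1500), "bytes")
    print("fragments on a 1500 MTU:", will_fragment(1500))
    mss = recommended_mss(1500)
    print("recommended ip tcp adjust-mss", mss)
    print("largest clamped segment becomes", esp_packet_len(mss + IPV4_TCP_HEADERS), "bytes")
```

The worst-case figure (73 bytes for this transform) is what matters for the clamp value, because the padding depends on the exact payload length and the router must never let the largest segment fragment.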
03-10-2008 06:42 AM
Thanks for the quick responses guys...
As Narayan said, I've been requested to encrypt the private leased line for security reasons... we just want the data to be secured and encrypted, even to the eyes of the telco.
I'll look into some documents and I'll take your recommendations, particularly the IP TCP adjust-mss issue and the AES-256/SHA-HMAC encryption.
These are the docs I'm looking at:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml
Any other suggestions are more than welcome.
Regards,
Alberto
03-13-2008 02:28 PM
Well, I managed to get the VPN up & running pretty fast... I just followed step by step the document (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml) and then I decided to add a little extra security to the router config by encrypting the VPN pre-shared keys (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml).
Now I have a new problem... I've confirmed that all the traffic I want is going through the VPN tunnel... nothing is going unencrypted anymore and that's exactly what I needed. However, we have Netflow running in the remote router and the Netflow packets are in fact getting encrypted on the remote side, but then the peer router rejects the packet by saying this over and over:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /10.50.10.10, src_addr= 10.60.10.1, prot= 17
Any light on this one?... I've looked it up in the web but have found pretty much nothing.
Thanks in advance,
Regards,
Alberto
03-13-2008 02:37 PM
Alberto
This is an indication that the access list that you are using does not match the access list used on the other end of the connection. That access list has a statement that permits the Netflow traffic and your access list does not have a statement that permits it.
Look at both access lists. They should be mirror images of each other. I believe that you will find that there is at least one statement on the other end that is not matched on your end. Fix the access lists so that they are mirror images of each other and I believe that the problem will be solved.
HTH
Rick
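To make Rick's "mirror image" check concrete, here is an added example (written for this page, not code from the thread or from Cisco): it parses the numbered crypto ACLs out of two IOS configs, reports any permit line whose swapped-source/destination twin is missing on the other router, and shows which side would select the NetFlow flow from the log line above (UDP from 10.60.10.1 to 10.50.10.10) for encryption. Both configs, the 10.60.20.0/24 LAN, the peer addresses and the collector port 9996 are constructed for the illustration and are not Alberto's configuration.

```python
# Added example, not from the thread: check that two Cisco IOS crypto ACLs are
# mirror images of each other and show which flows each side would select
# for IPsec. Both configs below are constructed for illustration.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: router A protects 10.50.10.0/24 and hosts the NetFlow
# collector 10.50.10.10; router B protects 10.60.20.0/24 and exports NetFlow
# from its own address 10.60.10.1. Port 9996 is an assumed collector port.
ROUTER_A_CONFIG = """
crypto map VPN 10 ipsec-isakmp
 set peer 10.60.10.1
 set transform-set AES256-SHA
 match address 101
access-list 101 permit ip 10.50.10.0 0.0.0.255 10.60.20.0 0.0.0.255
"""

ROUTER_B_CONFIG = """
crypto map VPN 10 ipsec-isakmp
 set peer 10.50.10.1
 set transform-set AES256-SHA
 match address 101
access-list 101 permit ip 10.60.20.0 0.0.0.255 10.50.10.0 0.0.0.255
access-list 101 permit udp host 10.60.10.1 host 10.50.10.10 eq 9996
"""


@dataclass(frozen=True)
class Entry:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[str]
    dport: Optional[str]

    def mirror(self) -> "Entry":
        """The line the peer must carry: source and destination swapped."""
        return Entry(self.proto, self.dst, self.src, self.dport, self.sport)


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are hostmasks; ipaddress accepts a hostmask after "/"
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def _port(tokens, i):
    """Optional 'eq PORT' qualifier after an address."""
    if i < len(tokens) and tokens[i] == "eq":
        return tokens[i + 1], i + 2
    return None, i


def parse_crypto_acl(config: str, number: int) -> list:
    """Collect the permit entries of numbered extended ACL `number`."""
    entries = []
    for line in config.splitlines():
        m = re.match(rf"\s*access-list\s+{number}\s+permit\s+(.*)", line)
        if not m:
            continue  # deny lines and other ACLs do not select traffic for IPsec
        t = m.group(1).split()
        src, i = _addr(t, 1)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        entries.append(Entry(t[0], src, dst, sport, dport))
    return entries


def unmirrored(local, remote):
    """Entries on each side whose mirror image is missing on the other side."""
    local_set, remote_set = set(local), set(remote)
    missing_locally = [e for e in remote if e.mirror() not in local_set]
    missing_remotely = [e for e in local if e.mirror() not in remote_set]
    return missing_locally, missing_remotely


def selects(entries, src, dst, proto, dport=None) -> bool:
    """Would this ACL send src -> dst (proto, dport) into the tunnel?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != str(dport):
            continue
        return True
    return False


if __name__ == "__main__":
    a = parse_crypto_acl(ROUTER_A_CONFIG, 101)
    b = parse_crypto_acl(ROUTER_B_CONFIG, 101)
    missing_on_a, missing_on_b = unmirrored(a, b)
    for e in missing_on_a:
        print("router A lacks the mirror of:", e)
    # The flow from the log line: B selects it, A has no matching line.
    print("B encrypts NetFlow export:", selects(b, "10.60.10.1", "10.50.10.10", "udp", 9996))
    print("A selects the reverse flow:", selects(a, "10.50.10.10", "10.60.10.1", "udp"))
```

The fix that follows from the report is the one Rick describes: add the missing mirrored line (here, `permit udp host 10.50.10.10 eq 9996 host 10.60.10.1` on router A) rather than widening one side's ACL, so both routers agree on exactly which flows belong inside the tunnel.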