point to point ( data Encryption)

Unanswered Question
Oct 10th, 2008

Dear All Expert,

I would like you to advise me. I would like to configure point-to-point but use a command for data encryption; I don't know which command we can use.

Note: not using VPN commands. My diagram uses a leased line connection, not a VPN connection ....

Please advise me!!!

Best Regards,

Rechard_hk

thiru.vel10 Fri, 10/10/2008 - 10:07

Hi,

I would like to know: if you are using a point-to-point leased line, then why are you trying to use data encryption? One option is there for data encryption.

Use PPP encapsulation with CHAP or PAP authentication.

rechard_hk Sat, 10/11/2008 - 02:10

Dear royalblues,

Thank you for your advice....

I saw your link, but I would like to ask you: the link you gave me is a VPN configuration, right? I saw it is a VPN configuration..

Could you advise..

Best Regards,

Rechard_hk

royalblues Sat, 10/11/2008 - 02:30

It is not a VPN but a configuration example of IPsec between 2 devices (say routers).

When you configure this, the data would be encrypted using strong encryption like 3DES / AES.

For example, say you have a topology like this:

10.10.10.0/24 -- R1(1.1.1.1) -- point-to-point -- (1.1.1.2)R2 -- 20.20.20.0/24 and you want to encrypt all communication between them.

On router R1:

!--- Phase 1 (IKE) policy and the pre-shared key for the peer.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key Password address 1.1.1.2
!
!--- Phase 2 (IPsec) transform set, bound to the peer and the crypto ACL.
crypto ipsec transform-set toR2 esp-3des esp-md5-hmac
!
crypto map SER0 1 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set toR2
 match address 100
!
!--- Crypto ACL: traffic between the two LANs is what gets encrypted.
access-list 100 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
interface serial 0/1
 ip address 1.1.1.1 255.255.255.252
 crypto map SER0

At R2 (mirror image: peer address and crypto ACL reversed):

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key Password address 1.1.1.1
!
crypto ipsec transform-set toR1 esp-3des esp-md5-hmac
!
crypto map SER0 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set toR1
 match address 100
!
access-list 100 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
interface serial 0/1
 ip address 1.1.1.2 255.255.255.252
 crypto map SER0

This configuration encrypts all data for the communication between 10.10.10.0/24 and 20.20.20.0/24... You can add further subnets by modifying your access-list.

HTH

Narayan

rechard_hk Sun, 10/12/2008 - 18:07

Dear Narayan,

Thank you for your configuration,

So I would like to ask you one more thing: could you give me a VPN configuration? I would like to compare the VPN configuration and the IPsec (not VPN) configuration.

What is the difference?

Best Regards,

Rechard_hk

rechard_hk Sat, 10/11/2008 - 02:04

Hi thiru,

I want to make sure my data has encryption and more security.. so this is the reason that I want to use encryption!!

Not like a VPN connection.

Best Regards,

Rechard_hk

thiru.vel10 Sat, 10/11/2008 - 09:09

Hi,

You can use ISAKMP crypto encryption; this is not a VPN, this is one type of security encryption. Could you please let us know which model of router you are using, because for this type of encryption you need to upgrade the IOS.

What Narayan said is correct.

rechard_hk Tue, 10/14/2008 - 01:34

Dear Thiru,

Thanks for your advice!! :)

So I am still not clear about the encryption commands without VPN and the encryption commands with VPN.. I was comparing the VPN commands and the commands without VPN; are they the same?

Could you advise me !!!!!!

Best Regards,

Rechard_hk

thiru.vel10 Wed, 10/15/2008 - 09:17

Hi,

You can create an IPsec tunnel between two peers with encryption, so that data will be secure. For example:

!--- Configuration for IKE policies.
crypto isakmp policy 1
!--- Enables the IKE policy configuration (config-isakmp) command mode,
!--- where you can specify the parameters to be used during
!--- an IKE negotiation.
 encryption aes 256
!--- Specifies the encryption algorithm as AES with a 256
!--- bit key within an IKE policy.
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 20.20.20.1
!--- Specifies the preshared key "cisco123" which
!--- should be identical at both peers.
!
!--- Configuration for IPsec policies.
crypto ipsec security-association lifetime seconds 28800
!--- Specifies the lifetime of the IPsec security association (SA).
!
crypto ipsec transform-set vpn esp-aes 256 esp-md5-hmac
!--- Enables the crypto transform configuration mode, where you can
!--- specify the transform sets to be used during an IPsec negotiation.
!
crypto map vpn 10 ipsec-isakmp
!--- Indicates that IKE is used to establish the IPsec SA for protecting
!--- the traffic specified by this crypto map entry.
 set peer 20.20.20.1
!--- Sets the IP address of the remote end (VPN Concentrator).
 set transform-set vpn
!--- Configures IPsec to use the transform-set "vpn" defined earlier.
!--- Specifies the traffic to be encrypted.
 match address 110
!
interface Ethernet1/0
 ip address 30.30.30.1 255.255.255.0
 ip nat outside
 half-duplex
 crypto map vpn
!--- Configures the interface to use the crypto map "vpn" for IPsec.
!
interface FastEthernet2/0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat pool mypool 30.30.30.3 30.30.30.3 netmask 255.255.255.0
ip nat inside source route-map nonat pool mypool overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 30.30.30.2
!
access-list 110 permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.0.255.255
!--- This crypto ACL-permit identifies the matching traffic
!--- flows to be protected via encryption.
!
!--- Specifies the traffic not to be encrypted.
access-list 120 deny ip 192.168.20.0 0.0.0.255 172.16.0.0 0.0.255.255
!--- This crypto ACL-deny identifies the matching traffic flows not to be encrypted.
!
access-list 120 permit ip 192.168.20.0 0.0.0.255 any
!--- The access control list (ACL) used in the NAT configuration exempts
!--- the LAN-to-LAN traffic from the NAT process,
!--- but allows all traffic going to the Internet to be translated.
!
route-map nonat permit 10
!--- The traffic flows not encrypted from the
!--- peer network are allowed.
 match ip address 120
!
line con 0
line aux 0
line vty 0 4
 login
!
end
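Both configurations above stand or fall on the two ends agreeing: same ISAKMP policy, same transform set, each side's peer address equal to the other side's interface address, and crypto ACLs that are exact mirror images. The following Python checker is an added example, not code from the thread or from Cisco; it parses condensed copies of Narayan's R1/R2 snippets, reports any parameter the peers disagree on, and also flags the 3DES and MD5 choices, which current guidance treats as weak (AES and SHA-2 are the usual replacements).

```python
# Constructed sample input: the R1/R2 snippets from Narayan's post, condensed
# to the lines a peer-consistency check needs.
R1 = """crypto isakmp policy 1
 encr 3des
 hash md5
crypto ipsec transform-set toR2 esp-3des esp-md5-hmac
 set peer 1.1.1.2
access-list 100 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 ip address 1.1.1.1 255.255.255.252"""
R2 = """crypto isakmp policy 1
 encr 3des
 hash md5
crypto ipsec transform-set toR1 esp-3des esp-md5-hmac
 set peer 1.1.1.1
access-list 100 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 ip address 1.1.1.2 255.255.255.252"""

# Algorithms in the posted configs that current guidance treats as weak.
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}

def parse(cfg):
    """Extract the IKE/IPsec parameters the two ends must agree on."""
    p = {"isakmp": set(), "ts": set(), "acl": set(), "ip": None, "peer": None}
    for line in cfg.splitlines():
        w = line.split() or [""]
        if w[0] in ("encr", "encryption", "hash"):
            p["isakmp"].add(" ".join(w[1:]))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["ts"] = set(w[4:])              # algorithms after the set name
        elif w[:2] == ["set", "peer"]:
            p["peer"] = w[2]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            p["acl"].add(tuple(w[4:8]))       # (src, wildcard, dst, wildcard)
        elif w[:2] == ["ip", "address"]:
            p["ip"] = w[2]
    return p

def check(a, b):
    """Return findings; only weak-algorithm notes means the ends agree."""
    # Crypto ACLs must be mirror images: src/dst swapped on the far side.
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in b["acl"]}
    tests = [("peer address mismatch", a["peer"] != b["ip"] or b["peer"] != a["ip"]),
             ("ISAKMP policy mismatch", a["isakmp"] != b["isakmp"]),
             ("transform-set mismatch", a["ts"] != b["ts"]),
             ("crypto ACL not mirrored", mirrored != a["acl"])]
    f = [msg for msg, bad in tests if bad]
    used = (a["isakmp"] | a["ts"] | b["isakmp"] | b["ts"]) & WEAK
    return f + ["weak algorithm: " + x for x in sorted(used)]
```

`check(parse(R1), parse(R2))` returns only the four weak-algorithm findings for the configs as posted; change one side's transform set or crypto ACL and the corresponding mismatch is reported first.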
