
IPSEC Configuration

scooter817
Level 2

How do you configure IPSEC to encrypt all traffic from one end of your network to the next?

Accepted Solution

andrew.prince
Level 10

You create an "Interesting Address" access list and call this access list in your crypto config.

HTH


2 Replies

We have two routers in the DC setup. In Router-1 the SP1 link is terminated, and in Router-2 the SP2 link is terminated. On both routers, BGP is configured with the MPLS cloud.

In Router1 VLAN2 IP: 172.26.0.253.

In Router2 VLAN2 IP: 172.26.4.253.

DC subnet: 172.24.0.0/24

Branch End LAN Segment: 172.27.1.128/27

Now, from the branch, we are trying to implement an IPSEC tunnel for the DC segment. SP1 & SP2 are configured as active-standby.

Config on both DC routers:

! Phase 1 (IKE) policy and a wildcard pre-shared key for any peer
crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp key <> address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 30 5
!
! Phase 2 transform set
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
!
! Dynamic map: the DC accepts whatever proxy identities the branch proposes
crypto dynamic-map APDRPMAP 6
 set transform-set APDRPSET
crypto map APDRPMAIN 6 ipsec-isakmp dynamic APDRPMAP
!
int vlan 2
 crypto map APDRPMAIN

Branch router config:

! Phase 1 (IKE) policy and one pre-shared key per DC peer
crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp keepalive 30 5
crypto isakmp key <> address 172.26.0.253 no-xauth
crypto isakmp key <> address 172.26.4.253 no-xauth
!
! Phase 2 transform set
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
 mode tunnel
!
! Two static crypto map entries, one per DC peer, both matching ACL 130
crypto map APDRPMAP 6 ipsec-isakmp
 set peer 172.26.0.253
 set transform-set APDRPSET
 match address 130
crypto map APDRPMAP 12 ipsec-isakmp
 set peer 172.26.4.253
 set transform-set APDRPSET
 match address 130
!
! Interesting traffic: branch LAN and a /30 towards the DC range
access-list 130 permit ip 172.27.1.128 0.0.0.31 172.24.0.0 0.0.255.255
access-list 130 permit ip 172.17.220.32 0.0.0.3 172.24.0.0 0.0.255.255
access-list 130 deny ip 172.27.1.128 0.0.0.31 any
access-list 130 deny ip 172.17.220.32 0.0.0.3 any
!
int gi 0/0
 crypto map APDRPMAP
int gi 0/1
 ! secondary MPLS link
 crypto map APDRPMAP

Problem:

When both links are up at the branch end, it creates a tunnel with the DC primary router IP 172.26.0.253 and works perfectly fine.

When the primary link goes down at the branch end, traffic towards the DC goes via gi0/1. In crypto, it tries to peer with the primary DC router IP only, instead of the secondary DC router IP, and as a result the tunnel is not able to form; the state is MM_NO_STATE.

When the primary link comes up, it peers with 172.26.0.253 again and works fine.

We have tried to clear the crypto sessions in both cases but didn't get the expected result.

Please let us know where exactly we are going wrong.
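The accepted answer's "interesting address" access list and the second post's two-peer failover both come down to how the crypto map is built, so the following added example covers both. It is my own illustration, not the original poster's configuration or a Cisco sample, and it reuses the thread's names and addresses on the branch side. It assumes an IOS 15.x image (for AES-256, SHA-256, DH group 14, periodic DPD and the `set peer ... default` keyword of the IPsec Preferred Peer feature), a DC subnet of 172.24.0.0/24 as stated in the post, and leaves the pre-shared key as `<>` as the thread does.

```cisco
! Branch router: added example, not the original poster's config.
! Assumes IOS 15.x; names and IPs are taken from the thread.
!
! --- Phase 1: IKE policy and one pre-shared key per DC peer ---
! Stronger suite than the thread's 3DES/MD5 (a design choice here).
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <> address 172.26.0.253 no-xauth
crypto isakmp key <> address 172.26.4.253 no-xauth
!
! Periodic DPD: a dead primary peer is noticed after ~30s + 5 retries
! instead of only when there is traffic to send, so the crypto map can
! move on to the next "set peer" without waiting for an SA to age out.
crypto isakmp keepalive 30 5 periodic
!
! --- Phase 2: transform set ---
crypto ipsec transform-set APDRPSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- "Interesting traffic": what gets encrypted ---
! Permit statements only: anything not permitted here is simply
! forwarded in the clear, so deny lines add nothing. A static peer on
! the far side would need the mirror image of this list.
ip access-list extended APDRP-INTERESTING
 permit ip 172.27.1.128 0.0.0.31 172.24.0.0 0.0.0.255
 permit ip 172.17.220.32 0.0.0.3 172.24.0.0 0.0.0.255
!
! --- One crypto map entry, two peers ---
! Crypto map entries are evaluated in sequence order and the first
! entry whose ACL matches the packet is used. Two entries that share
! one ACL therefore always select the lower sequence (the primary
! peer), even when that peer is unreachable, and the second entry is
! never consulted. Listing both peers in a single entry lets IOS try
! the next peer when IKE with the first fails; "default" (IPsec
! Preferred Peer) makes the router prefer the primary again once it
! is reachable rather than staying on the secondary.
crypto map APDRPMAP 10 ipsec-isakmp
 description Branch -> DC (primary 172.26.0.253, secondary 172.26.4.253)
 set peer 172.26.0.253 default
 set peer 172.26.4.253
 set transform-set APDRPSET
 match address APDRP-INTERESTING
!
! Apply the same map to both WAN links so whichever interface the
! BGP route currently points at can carry the tunnel.
interface GigabitEthernet0/0
 description Primary MPLS link (SP1)
 crypto map APDRPMAP
interface GigabitEthernet0/1
 description Secondary MPLS link (SP2)
 crypto map APDRPMAP
```

To verify which peer is in use, `show crypto isakmp sa` should show a QM_IDLE session with the expected peer address, and `show crypto map` lists the peers in the order they will be tried. Two caveats worth noting on the DC side as posted in the thread: a wildcard key (`address 0.0.0.0 0.0.0.0`) lets any host that knows the key bring up IKE against the DC routers, so scope it to the branch addresses or move to certificate authentication where the image allows; and 3DES with MD5 is a legacy suite that should be replaced on both ends at the same time, since Phase 1 and Phase 2 proposals must match on both peers.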