Data encryption in 2500 router

zakaria.mohd
Level 1

This question may sound stupid but sadly I am new to routers and in need of help.

I am tasked to set up DATA ENCRYPTION between 2 sites running a leased line. Each site is using Cisco 2500 routers ver 11.0 (16). The routers are using PPP encapsulation.

My questions are:

1. Does the 2500 router IOS offer a data encryption feature? If yes, please point me to the information on how to configure it.

2. What other cheap/freeware solution can meet the requirement?

Thanks for the help.

6 Replies

ahvn
Level 1

Hi,

As you are using PPP for your leased line, I don't think there is any encryption going around. You can have VPN tunneling if you need data encryption. You can always encrypt the passwords for your routers at both ends with the command

service password-encryption

And if you have a BRI interface in your routers you can use PAP for authentication by default, which is encrypted.

Regards,

Homin

dinekal
Level 1

Hi,

Data Encryption is an IOS feature, but you did not specify the exact IOS version. However, assuming you are using a proper IOS that supports encryption, I recommend the following URL

http://www.cisco.com/warp/public/105/IPSECpart1.html

I don't think you need freeware anymore to set up a site-to-site VPN, once you have routers. Better to switch over to a 12.x IOS version, which fixed the bugs of earlier versions.

Note: Do consider the number of sessions, as it is the primary constraint for setting up IOS based VPNs.

Hope this helps

Dinesh

vatsan
Level 1

Hi Zakaria

The above answer should suffice for your doubts.

Basically, to configure this and to give you more of a picture of how it works, the following URL will perhaps give more clarity.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1824/products_configuration_guide_chapter09186a0080087e8b.html

Thanks

Vatsan.

Hi All,

My thanks to Ahvn, Dinekal and Vatsan for the valuable feedback.

I am happy to see all of your replies but based on the information that I saw, I feel intimidated by the task to set up data encryption. FYI, I am not even a CCNA.

Anyway, I telnetted into the router and concluded that the current IOS does not support the IPSec feature. This is because the CRYPTO command is not available in the global config. I suppose I have to load a new IOS version.

My questions are:

1. I understand now that features are IOS based and that if your router has the right hardware you can use the feature. So does this mean that I can load another higher version of IOS from my 800 series router to my 2500 router? Will it work?

2. I was told that downloading IOS from Cisco requires a fee. Is this true?

3. Back to data encryption topic, I don't think I would want to implement a CA structure. So am I right to say that the basic encryption implementation is to configure:

i) Configure ISAKMP key

ii) Configure IPSec

------------------------------------------------------

Below is the current 2500 IOS info:

Cisco Internetwork Operating System Software

IOS (tm) 3000 Software (IGS-I-L), Version 11.0(16), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-1997 by cisco Systems, Inc.

Compiled Tue 24-Jun-97 12:20 by jaturner

Image text-base: 0x0301E644, data-base: 0x00001000

ROM: System Bootstrap, Version 11.0(10c), SOFTWARE

ROM: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

ch_cargo uptime is 8 weeks, 3 days, 1 hour, 59 minutes

System restarted by power-on

System image file is "flash:igs-i-l.110-16", booted via flash

cisco 2500 (68030) processor (revision N) with 2048K/2048K bytes of memory.

Processor board ID 11153258, with hardware revision 00000000

Bridging software.

X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.

1 Ethernet/IEEE 802.3 interface.

2 Serial network interfaces.

32K bytes of non-volatile configuration memory.

8192K bytes of processor board System flash (Read ONLY)

----------------------------------------------------------------------------------------

Thanks again.

Hi,

1. I understand now that features are IOS based and that if your router has the right hardware you can use the feature. So does this mean that I can load another higher version of IOS from my 800 series router to my 2500 router? Will it work?

I guess you missed the Note in my earlier reply. You can use 800/2500 series Cisco routers but the number of VPN sessions is limited in IOS based VPN. But if you use Cisco VPN concentrators you can achieve more VPN sessions.

2. I was told that downloading IOS from Cisco requires a fee. Is this true?

Yes, you need a valid CCO login to download.

3. Back to data encryption topic, I don't think I would want to implement a CA structure. So am I right to say that the basic encryption implementation is to configure:

i) Configure ISAKMP key

ii) Configure IPSec

You don't require a CA unless the firm needs to cover larger geographical distances and nodes. IPSec with manual-key/RSA generation would satisfy your need.

Your "show version" displays just 8KB memory; this may not be adequate for the 12.x version. Your memory needs to be upgraded.

Good Luck

Dinesh
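
An added example, not written by anyone in this thread and not taken from the linked Cisco documents: a minimal configuration for one end of the leased line that follows the two steps listed above (ISAKMP key, then IPSec) with a pre-shared key instead of a CA. It assumes a 12.x image that includes the crypto feature set; the addresses, the key placeholder, the ACL number and the names SITE2SITE and LEASEDLINE are made up for illustration.

```cisco
! Site A router. Site B is the mirror image: swap the peer address,
! the key's "address" argument and the source/destination in the ACL.
!
! Step i) ISAKMP (IKE phase 1) policy and pre-shared key
crypto isakmp policy 10
 ! 3des is only offered by images that include 3DES;
 ! a DES-only image accepts just "encryption des"
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Same key string on both routers; 192.0.2.2 is the assumed
! serial address of the router at the other site
crypto isakmp key <PRESHARED-KEY> address 192.0.2.2
!
! Step ii) IPSec (IKE phase 2)
! Transform set: ESP with encryption and integrity
crypto ipsec transform-set SITE2SITE esp-3des esp-sha-hmac
!
! Traffic to protect: assumed site A LAN to assumed site B LAN
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map ties the peer, the transform set and the ACL together
crypto map LEASEDLINE 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set SITE2SITE
 match address 110
!
! Apply the crypto map to the serial interface facing the leased line
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 encapsulation ppp
 crypto map LEASEDLINE
```

Once both ends are configured and traffic matching the ACL has been sent, `show crypto isakmp sa` and `show crypto ipsec sa` show whether the tunnel negotiated and whether the encrypt/decrypt packet counters are increasing.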

r.sneekes
Level 1

What you also should consider is the fact that encryption is a very CPU intensive task. So the effective throughput with a 2500 with software encryption isn't that high (maybe 0,3 Mbit to 0,4 Mbit per second or less depending on the type of encryption). And the 2500 series has no hardware card expansion to encrypt in hardware.

You have to ask yourself if your traffic is going to grow in the future (or is it already 1 Mbit+) and thus you maybe should invest in new hardware instead of spending money on old equipment that has not enough power to deal with the traffic.
