05-22-2003 02:19 AM - edited 03-02-2019 07:33 AM
The network is
N1<--------->R1<---------ISP----------> R2 <------------>N2
Thx
Godwin
05-22-2003 04:40 AM
hi
chek this link...may help u ..
regds
prem
05-22-2003 04:47 AM
Hi Godwin,
Check out the following link.
Naveen.
05-22-2003 08:37 PM
Thank you for response. I have followed the procedure to setup the router. How can I prove them is working? When I do the
sh crypto engine connection active
It shows nothing. Do I need estimablish the tunnel to connect two site. Please advice. Thanks
Godwin
05-22-2003 09:15 PM
Hi Godwin,
Once the configurations on the routers are done, you need to send some interesting traffic that could match the crypto access-list and trigger an ISAKMP negotiation. Once the IPSec SAs are up (after Phase-2 negotiation), the interesting traffic will get forced to go through IPSec tunnel.
To check if SAs have come up or not, the best command is "show crypto isakmp sa" or "show crypto ipsec sa". There are a couple of other commands that might help you. Use them for better understanding.
show pas isa int
show pas isa ?
show cry engine config
debug crypto isakmp
debug crypto ipsec
Regards,
Naveen
05-22-2003 10:02 PM
Thanks Naveen. I would like to ask the stupid question. Is the workflow of IPSec tunnel trigger are
1. Trigger interesting traffic
2. The package will trigger the dialer to caller remote site
3. Matching the key
4. Estiblish the IPSec tunnel.
The question is I am now sure do we need to enter dialer configure or not. Please advice.
Regards
Godwin
05-22-2003 10:08 PM
Sorry, one more things. Do I set the static route going to remote site? I try to do the ping to the remote site but the show crypto isakmp sa is doing nothing? Please advice. Thanks
Regards
Godwin
05-22-2003 10:44 PM
Hi Godwin,
The IPSec doesn't bother whether you have a static route or you are using a routing protocol as long as you are able to reach it. That is to say, even before you establish the IPSec tunnel, the WAN interfaces should be up and running. Only then ISAKMP can start Phase-1 negotiation. If you want the SAs to come up when you ping, then the crypto access-list should look like
access-list 101 permit ip host
Then a simple ping will trigger ISAKMP negotiations. Otherwise, whatever networks you mention in the crypto access-list to be permitted, packets from that network will trigger the ISAKMP negotiations. Its that easy :-))
For the other question you had asked... Dialer configs are used when you want some interesting traffic to be send to the ISDN network whereas crypto configs are used to select interesting traffic (based on the crypto access-list) for encryption and send it out of the crypto interface. If the crypto interface is your dialer interface, then the packets are first protected with IPSec and then are sent out through the Dialer/crypto interface (since both are same). Note that this may not be the case always. All traffic going through the dialer interface need not be IPSec protected !! Think over ... :-))
If you need more info, you can write to me directly to my cisco id.
Naveen.
05-23-2003 12:15 AM
Naveen
Thank you for your supporting. I think I have configured the IPSec. The question is when I issue a ping from N1 to N2 like ping 10.2.0.1 but they are no response. I have configured the VPN on R2. How can I trigger the VPN client connection from R1 to R2. Please advice. By the way, what is the cisco id, mnaveen@cisco.com?? Many thanks
Regards
Godwin
05-23-2003 01:38 AM
Can u give me plain ipsec configuration on both sides ?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: