ISAKMP question

faux.trot
Level 1

I'm pretty new to VPN stuff, and I'm not exactly an expert in Cisco IOS. However, I have a 12.3 release of Cisco IOS on a 2800 series router (couldn't give you the exact model atm because I'm not at work).

Anyway, as I understand the documentation, when I issue a crypto command, I should get an option for isakmp (which I do not). I've been able to generate an RSA key for SSH access. If I don't have ISAKMP support, can someone point me to a configuration guide for VPN that doesn't use ISAKMP?

Accepted Solutions

Hi Todd,

Some info.

Rgds,

AK


a.kiprawih
Level 7

Hi Todd,

I believe your IOS version does not support IPSec/VPN security features. It could be running on IP or IPPlus only.

Issue the 'show version' command from the router CLI, and check the IOS version.

Your IOS router needs to run one of the following categories:

ADVANCED ENTERPRISE SERVICES

ADVANCED IP SERVICES

ADVANCED SECURITY

IP/ADSL/FW/IDS PLUS IPSEC 3DES

IP/ADSL/IPX/AT/IBM/FW/IDS PLUS IPSEC 3DES

Run IOS Upgrade Planner or Feature Navigator to look for the right IOS & required features:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Normally, a router IOS supporting IPSec VPN allows you to configure/execute the crypto isakmp and crypto ipsec commands. If your router does not support the isakmp command, you do not have any option to configure it.

You need to load IOS with IPSec feature. Otherwise, you have to use GRE.

Example on routers supporting IPSec VPN:

http://www.cisco.com/en/US/partner/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

GRE:

*http://www.cisco.com/en/US/partner/tech/tk827/tk369/tk287/tsd_technology_support_sub-protocol_home.html

*http://www.cisco.com/en/US/partner/tech/tk86/tk89/technologies_configuration_example09186a008011520d.shtml

Rgds,

AK

Hello,

The image name should have a 'k9' notation to have crypto support.

Vikas

The xxxxx.k9.xx.bin = 3DES, xxxxx.k8.xx.bin = DES

AK
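The image-name check described in the replies above, as an added example that is not part of the original thread: it reads the `System image file is` line from saved `show version` output and reports the crypto level using the k8/k9 convention the posters give. The router names and image file names are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed `show version` excerpts for four hypothetical routers.
SAMPLES = {
    "rtr-a": 'System image file is "flash:c2800nm-ipbase-mz.123-8.T.bin"',
    "rtr-b": 'System image file is "flash:/c2800nm-advsecurityk9-mz.123-8.T.bin"',
    "rtr-c": 'uptime is 3 weeks\n'
             'System image file is "tftp://192.0.2.10/ios/c2600-ik8s-mz.122-15.bin"',
    "rtr-d": "uptime is 1 day",  # truncated capture, no image line
}

IMAGE_LINE = re.compile(r'^System image file is "([^"]+)"', re.MULTILINE)
CRYPTO_TAG = re.compile(r"k([89])", re.IGNORECASE)
LEVELS = {"8": "DES", "9": "3DES"}  # mapping as stated in the thread


def image_name(show_version):
    """Return the bare image file name, or None if the line is missing."""
    m = IMAGE_LINE.search(show_version)
    if not m:
        return None
    # Drop the device prefix (flash:, tftp://host/dir/) and keep the file name.
    return re.split(r"[:/]", m.group(1))[-1]


def crypto_level(show_version):
    """Classify one router as '3DES', 'DES', 'none' or 'unknown'."""
    name = image_name(show_version)
    if name is None:
        return "unknown"
    fields = name.split("-")  # platform-featureset-format.version...
    if len(fields) < 3:
        return "unknown"      # not the expected naming layout
    # Only the feature-set field is searched, so a stray "k9" elsewhere
    # in the path or version string cannot cause a false positive.
    m = CRYPTO_TAG.search(fields[1])
    return LEVELS[m.group(1)] if m else "none"


def audit(captures):
    """Map each router name to its crypto level."""
    return {host: crypto_level(text) for host, text in captures.items()}


if __name__ == "__main__":
    for host, level in audit(SAMPLES).items():
        print(f"{host}: {level}")
```

A result of `none` matches the situation in the original question, where the `crypto isakmp` option is not offered.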

faux.trot
Level 1

Thanks for all your help folks. I'll try to look up the stuff on GRE somewhere else (as I don't apparently have access with my account to view it.) However I believe it puts me on the right track.

-Todd

Hi Todd,

Some info.

Rgds,

AK

Excellent! thank you

Hi, please be aware that if you create a GRE tunnel over the Internet WITHOUT the encryption that protocols such as IPsec provide, the data will traverse the Internet in clear text.

Yes, that could present a problem in the future; however, when the data becomes important, I'm sure we'll buy a new image or product. For now, because we do own a couple of licenses for Windows server 2k3, I think I will use their solution. I've been playing with the NAT configurations for this without success as of yet. I'll post more info possibly in a new thread.

I did want to mention that the help provided so far has been very good, and has pointed me in the right direction.

I took classes to become a CCNA (without success, I might add). Now that I'm actually applying what I actually know, I feel far more comfortable with Cisco products than I ever have. Thank you all very much.

-Todd
