09-17-2002 10:50 PM - edited 02-21-2020 12:04 PM
I have two nodes (routers) connected to the internet and need a secure connection between them. I was told I should use IPSec. If so, I need to clarify a few things:
1) Can I use IPSec if one of the routers is assigned a dynamic IP address by the ISP?
2) Does IPSec contribute to delay in response time? If so, by how much?
3) Can I run MPLS over IPSec?
4) If I were to secure these routers and the network behind them from hackers/virus/unauthorised access what should I be looking at besides IPSec?
5) Also when do I use Cisco IOS firewall and when do I use a PIX?
Thanks.
09-23-2002 01:42 PM
You should read over this link, I think it will answer most of your questions. http://www.cisco.com/warp/public/707/index.shtml#ipsec
09-27-2002 09:29 AM
I will not be able to answer all of your questions, but hopefully some of this will be useful.
1: Yes. You configure a "dynamic crypto map" on the router that "talks" to the DHCP-enabled router, not on the DHCP router.
Example: (only the IPSec portion of the config)

Router A - has a static address

  ! Phase 1 (ISAKMP) policy
  crypto isakmp policy 1
   hash md5
   authentication pre-share
  ! Wildcard peer address, because Router B's address is not known in advance
  ! (0.0.0.0 0.0.0.0 is not always the best but it fits this example)
  crypto isakmp key password-key address 0.0.0.0 0.0.0.0
  ! Phase 2 (IPSec) transform set
  crypto ipsec transform-set testing-set esp-des esp-md5-hmac
  ! Dynamic crypto map: accepts proposals from peers whose address is unknown
  crypto dynamic-map mymap 10
   set transform-set testing-set
   match address 110
  ! Static crypto map entry that references the dynamic map
  crypto map test-crypto 10 ipsec-isakmp dynamic mymap
  !
  ! Outgoing interface; the crypto map is applied here
  interface Serial0/0.1
   ip address x.x.x.x x.x.x.x
   ...
   crypto map test-crypto
  !
  ! access-list 110 permit/deny statements for the traffic to encrypt
  access-list 110 ...

===============

Router B - receives a DHCP address

  crypto isakmp policy 1
   hash md5
   authentication pre-share
  ! x.x.x.x = Router A's static address
  crypto isakmp key pass-key address x.x.x.x
  crypto ipsec transform-set testing-setB esp-des esp-md5-hmac
  ! Ordinary (static) crypto map pointing at Router A
  crypto map RouterBMap 10 ipsec-isakmp
   set peer x.x.x.x
   set transform-set testing-setB
   match address 116
  !
  ! Outgoing interface; address is assigned by the ISP
  interface Dialer1
   ip address negotiated
   ...
   crypto map RouterBMap
  !
  ! access-list 116 permit/deny statements (mirror of access-list 110)
  access-list 116 ...

-------------------------
2. I have not seen any great increase in latency. Just make sure your router has the minimum amount of memory to run IPSec comfortably, and watch the processing:
show mem / show proc cpu
Some routers have a built in VPN Accelerator Card to help with the IPSec encryption processes instead of it all being executed in the IOS.
-----------------------
3. Sorry I don't know (I need to learn more about MPLS before answering that.)
-----------------------
4. The following Cisco site has great information on security policy and management. It may be able to point you at what other events/transactions you could be watching.
------------------------
5. That would depend on whether you would like to use a hardware-based firewall or a software-based firewall, whether you need a DMZ or multiple DMZs, and how comfortable you are configuring either. The best way to judge may be to evaluate your needs and allowances.
Kim
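The configuration above is the right shape (dynamic crypto map on the static side, ordinary crypto map on the dynamic side), but it is a 2002-era config: DES, MD5 and the default DH group 1 are all broken today, and a wildcard pre-shared key (address 0.0.0.0 0.0.0.0) means every peer shares one secret, so anyone who obtains it can bring up a tunnel to Router A. The following is an added example, not from the post above, showing the same dynamic/static pairing with AES-256, SHA-256 and DH group 14 on an IOS release that supports them (15.x). Everything concrete in it is assumed for illustration: Router A's public address 203.0.113.1/30, the LANs 10.1.0.0/16 behind Router A and 10.2.0.0/16 behind Router B, the names VPN, DYN and AES256-SHA256, and the placeholder shared secret.

```cisco
! ===== Router A (static public address, assumed 203.0.113.1) =====
! Phase 1: IKEv1/ISAKMP policy. Both routers must offer matching parameters.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! Wildcard peer because Router B's ISP-assigned address is unknown in advance.
! Replace STRONG-SHARED-SECRET with a long random string; it is a placeholder.
crypto isakmp key STRONG-SHARED-SECRET address 0.0.0.0 0.0.0.0
! Dead peer detection so a tunnel to a peer whose address changed is torn down.
crypto isakmp keepalive 10 3
!
! Phase 2: IPSec transform set
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Dynamic map: accepts proposals from peers with unknown addresses.
! PFS forces a fresh DH exchange for each IPSec SA.
crypto dynamic-map DYN 10
 set transform-set AES256-SHA256
 set pfs group14
 match address 110
!
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
interface Serial0/0.1 point-to-point
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN
!
! Traffic to protect: Router A's LAN to Router B's LAN (assumed ranges)
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

! ===== Router B (address negotiated from the ISP) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! Key is bound to Router A's static address only, not a wildcard.
crypto isakmp key STRONG-SHARED-SECRET address 203.0.113.1
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Static map: Router B always initiates toward Router A's known address.
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set AES256-SHA256
 set pfs group14
 match address 116
!
interface Dialer1
 ip address negotiated
 crypto map VPN
!
! Mirror image of access-list 110
access-list 116 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
```

Router B must initiate, since Router A cannot know where to send the first packet; send traffic from 10.2.0.0/16 toward 10.1.0.0/16 and check `show crypto isakmp sa` (state should read QM_IDLE) and `show crypto ipsec sa` (encaps/decaps counters climbing). For the latency question, `show processes cpu` and `show crypto engine connections active` show whether encryption is landing on the CPU or on an accelerator. If Router A needs to serve more than one dynamic peer, give each its own identity rather than sharing one wildcard secret: certificates (crypto pki) or, at minimum, per-peer keys with `crypto isakmp identity hostname` and aggressive mode.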