Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Questions on IPSec.

I have two nodes (routers) connected to the internet and would need a secure connection between them. I was told I should use IPSec. If so I need to clarify a few things:

1) Can I use IPSec if one of the routers is assigned a dynamic IP address by the ISP.

2) Does IPSec contribute to delay in response time? If so by how much?

3) Can I run MPLS over IPSec??

4) If I were to secure these routers and the network behind them from hackers/virus/unauthorised access what should I be looking at besides IPSec?

5) Also when do I use Cisco IOS firewall and when do I use a PIX?

Thanks.

2 REPLIES
Bronze

Re: Questions on IPSec.

You should read over this link, I think it will answer most of your questions. http://www.cisco.com/warp/public/707/index.shtml#ipsec

New Member

Re: Questions on IPSec.

I will not be able to answer all of your questions but hopefully some of this will be useful.

1: Yes, you configure a "dynamic crypto map" on the router which "talks" to the dhcp enabled router, not on the dhcp router.

Example: (only the IPSec portion of the config)

Router A - has a static address

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key password-key address 0.0.0.0 0.0.0.0

(0.0.0.0 0.0.0.0 is not always the best but it fits this example)

crypto ipsec transform-set testing-set esp-des esp-md5-hmac

crypto dynamic-map mymap 10

set transform-set testing-set

match address 110

crypto map test-crypto 10 ipsec-isakmp dynamic mymap

interface Serial0/0.1 (outgoing interface)

ip address x.x.x.x x.x.x.x

--------

crypto map test-crypto

access-list 110 permit/deny statements.....

===============

Router B - receives a DHCP address

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key pass-key address

crypto ipsec transform-set testing-setB esp-des esp-md5-hmac

crypto map RouterBMap 10 ipsec-isakmp

set peer

set transform-set testing-setB

match address 116

interface Dialer1 (outgoing interface)

ip address negotiated

--------

crypto map RouterBMap

access-list 116 permit/deny statements....

-------------------------

2. I have not seen any great increase in latency. Just make sure your router has the minimum amount of memory to run IPSec comfortably and watch the processing.

sh mem / show proc cpu

Some routers have a built in VPN Accelerator Card to help with the IPSec encryption processes instead of it all being executed in the IOS.

-----------------------

3. Sorry I don't know (I need to learn more about MPLS before answering that.)

-----------------------

4. The following Cisco site has great information on security policy and management. It may be able to point you at what other events/transactions you could be watching.

http://www.cisco.com/go/safe

------------------------

5. That would depend on if you would like to use a hardware based firewall or a software based firewall, if you needed a DMZ or multiple DMZs, and how comfortable you are in configuring either. The best way to judge may be to evaluate your needs and allowances.

Kim

89
Views
0
Helpful
2
Replies
CreatePlease to create content